This Phishing Scam Comes From a Real Microsoft Email Address

As scammers continue to find ways to impersonate known brands, users should remain wary of spam-like emails—even if they appear to come from a legitimate company address.

Ars Technica has identified a scheme that abuses a Microsoft subscription feature to send phishing emails from no-reply-powerbi@microsoft.com, a real address that the company advises users to add to their allow lists.

How the Microsoft Power BI scam works

Users targeted with this scam have received emails from an address connected to Microsoft Power BI, a business analytics platform. The messages include (fake) billing receipts showing large purchase amounts from services like PayPal, Norton LifeLock, and Microsoft 365, along with a phone number to call to dispute the transaction.

Scammers on the other end of the line may try to convince you to install a remote access application that allows device takeover or will otherwise extract personal information. As with any phishing scam, engaging in any way—calling the number, responding to the email, or clicking links—could put your data and your device at risk.

The emails themselves are full of typos, grammar errors, and urgent calls to action that, in most cases, have nothing to do with Microsoft itself. Many users would spot these red flags and simply delete the message. However, threat actors exploit the trust users place in the brands they impersonate, combined with scare tactics, to trap some people in the scheme.

This is also far from the first phishing scheme of its kind: Threat actors have sent malicious emails from legitimate PayPal and Google addresses (to name just two) by exploiting similar loopholes. In the case of PayPal, fraudulent purchase notifications sent from service[at]paypal[dot]com abused the platform’s subscription billing feature. With Google, scammers registered google.com subdomains via Google Sites and linked them with Google Accounts.
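The defining feature of the scheme described above is that the sender address is genuinely Microsoft's, so an allow list alone cannot catch it; the content has to be checked instead. The following is an added illustration, not code from the article or from Microsoft: a small mail-filter heuristic that looks at messages arriving from a trusted notification sender and flags the callback-phishing pattern the article lays out (a receipt for another brand, a dollar amount, and a phone number to call). The sample message is constructed.

```python
"""Flag callback-phishing receipts that ride on a trusted notification sender.

Added illustration, not from the article. The trusted-sender set, brand list
and SAMPLE_EMAIL are constructed to mirror the pattern the article describes.
"""
import re
from email import message_from_string
from email.message import Message

# Legitimate notification senders that allow lists often trust blindly.
TRUSTED_NOTIFIERS = {"no-reply-powerbi@microsoft.com"}

# Brands named in the fake receipts; none of them bill through a Power BI e-mail.
FOREIGN_BRANDS = ("paypal", "norton", "lifelock", "microsoft 365")

BILLING_WORDS = ("receipt", "invoice", "charged", "renewal", "purchase", "dispute")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed sample in the style of the scam: real sender, foreign brand,
# large charge, callback number, and the typos the article mentions.
SAMPLE_EMAIL = """\
From: Power BI <no-reply-powerbi@microsoft.com>
Subject: Your PayPal receipt
Content-Type: text/plain; charset="utf-8"

Thank you for you're purchase. You have been charged $489.99 for Norton LifeLock.
To dispute this transaction call 1-800-555-0199 imediately.
"""


def body_text(msg: Message) -> str:
    """Return the decoded text of a single-part message."""
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def callback_phish_indicators(raw_email: str) -> list[str]:
    """Return the reasons a message looks like a callback-phishing receipt.

    Only messages from a trusted notifier are examined, because that is the
    case an allow list would otherwise wave through. Empty list means clean.
    """
    msg = message_from_string(raw_email)
    sender = (msg.get("From") or "").lower()
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}".lower()
    reasons: list[str] = []
    if any(addr in sender for addr in TRUSTED_NOTIFIERS):
        brands = [b for b in FOREIGN_BRANDS if b in text]
        if brands:
            reasons.append(f"trusted notifier, but body names {brands}")
        if any(w in text for w in BILLING_WORDS) and AMOUNT_RE.search(text):
            reasons.append("billing language with a dollar amount")
        if PHONE_RE.search(text):
            reasons.append("phone number to call (callback lure)")
    return reasons
```

A genuine Power BI notification (report refreshed, no foreign brand, no amount, no phone number) produces no indicators, so the filter does not punish the legitimate traffic the address exists for.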
