What Happened
Scammers sent messages from no-reply-powerbi@microsoft.com, a legitimate Microsoft‑owned address used for Power BI subscription notifications. The email falsely claimed a $399 charge and included a phone number for “dispute” calls. When victims called, they were directed to install remote‑access software, giving attackers control of the victim’s machine.
Why This Scam Is Effective
Three factors make the attack hard to detect:
- Trusted sender domain: The address belongs to Microsoft’s infrastructure, so many spam filters allow it.
- No malicious links or attachments: The email contains only text and a phone number, bypassing link‑based scanners.
- Legitimate service abuse: Power BI’s subscription feature can automatically email security groups, giving the scam a veneer of authenticity.
How the Abuse Works
Power BI can send subscription emails to mail‑enabled security groups. Attackers either:
- Compromise a legitimate Power BI tenant and trigger subscription emails to external addresses, or
- Exploit misconfiguration that permits the service to forward emails to any address without explicit opt‑in.
Microsoft’s documentation states the address is intended for internal group notifications, but the platform does not currently enforce strict recipient validation, allowing the feature to be weaponized.
Protection Measures
Organizations should adopt a layered approach:
- Allow‑list the address only with caution: keep it only if you rely on genuine Power BI subscriptions; otherwise, block it.
- Enable MFA and least‑privilege for Power BI admins to reduce the risk of tenant compromise.
- Monitor outbound email logs for unexpected subscription traffic to external domains.
- Educate users to verify unexpected charge notifications by contacting the vendor through official channels, not the phone number in the email.
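The three characteristics listed above (a trusted Microsoft sender, no links or attachments, a charge notice paired with a phone number) also describe what a mail-gateway or SOC rule should look for. The following is an added example, not part of the original article and not Microsoft tooling: a small Python triage routine that parses raw messages, scopes the rule to the `no-reply-powerbi@microsoft.com` sender named on the page, and separates a callback-style charge notice from a genuine report subscription. The three sample messages, the regexes, the phone number and the report URL are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# The legitimate Microsoft-owned address abused in the scam described above.
# SPF/DKIM/DMARC will pass for it, so content heuristics are needed rather than
# authentication failures.
POWERBI_SENDER = "no-reply-powerbi@microsoft.com"

# Heuristic patterns (constructed for this example, tune for your environment).
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CALLBACK_RE = re.compile(r"\b(call|dispute|cancel|refund|charged|billing)\b", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Classify one raw RFC 5322 message.

    Verdicts:
      not-applicable        - sender is not the Power BI notification address
      genuine-subscription  - Power BI sender, no callback-scam indicators
      callback-scam         - Power BI sender plus a phone number and either a
                              charge amount or repeated billing/dispute wording
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = body_text(msg)
    amount = AMOUNT_RE.search(body)
    phone = PHONE_RE.search(body)
    result = {
        "sender": sender,
        "subject": msg.get("Subject", ""),
        "amount": amount.group(0) if amount else None,
        "phone": phone.group(0) if phone else None,
        "has_url": bool(URL_RE.search(body)),
        "callback_words": len(CALLBACK_RE.findall(body)),
    }
    if sender != POWERBI_SENDER:
        result["verdict"] = "not-applicable"
    elif phone and (amount or result["callback_words"] >= 2):
        # A real subscription email points at a report; it does not ask you to call a number.
        result["verdict"] = "callback-scam"
    else:
        result["verdict"] = "genuine-subscription"
    return result


def triage(raw_messages):
    """Score a batch of raw messages (e.g. pulled from a mail-gateway quarantine)."""
    return [score_message(raw) for raw in raw_messages]


# Constructed sample messages; 555-01xx numbers and example.org addresses are reserved/fictional.
SCAM_MSG = """\
From: Microsoft Power BI <no-reply-powerbi@microsoft.com>
To: finance-group@example.org
Subject: Your Power BI Pro subscription receipt

Your Microsoft account was charged $399.00 for a Power BI Pro annual plan.
If you did not authorize this charge, call our billing desk at 1-888-555-0142
within 24 hours to dispute or cancel the payment.
"""

GENUINE_MSG = """\
From: Microsoft Power BI <no-reply-powerbi@microsoft.com>
To: sales-reports@example.org
Subject: Subscription: Weekly Sales Overview

Your subscribed report "Weekly Sales Overview" has been refreshed.
Open it in Power BI: https://app.powerbi.com/groups/example-workspace/reports/example-report
"""

OTHER_MSG = """\
From: Accounts <billing@example-vendor.test>
To: finance-group@example.org
Subject: Invoice 1042

Invoice 1042 for $399.00 is attached. Questions? Call 1-888-555-0199.
"""

if __name__ == "__main__":
    for r in triage([SCAM_MSG, GENUINE_MSG, OTHER_MSG]):
        print(f"{r['verdict']:22} {r['sender']:35} {r['subject']}")
```

The rule is deliberately scoped to the one sender the article discusses: the point is that a message from infrastructure you trust can still be malicious on content alone, so the detection keys on the charge-plus-phone-number pattern rather than on sender reputation. The `OTHER_MSG` case shows the same pattern from an untrusted sender, which belongs to ordinary billing-scam rules rather than this one.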
Key Open Questions
Two critical uncertainties remain:
- Do recipients need to explicitly opt‑in to receive emails from no-reply-powerbi@microsoft.com?
- Can attackers automatically target any external address, or is there a hidden whitelist that can be abused?