This topic is geared toward security engineers who manage security policy for EOP / E3 services.
I have found that it is fairly common practice for subscribers of Microsoft consumer services (i.e. outlook.com, hotmail.com, msn.com, etc.) to set up a security verification email using their work/business email. While one would think this may be a good idea, it's actually not a good idea at all.
- What happens when that employee is terminated? All their account recovery questions and notifications will go to an email address that no longer exists.
- For a while in 2020, my security operations team was seeing frequent phishing emails using the exact same template Microsoft uses for their account recovery and security email notifications (it's very easy to replicate). Most users cannot tell the difference between a legitimate and a malicious Microsoft notification email.
- When a company receives Microsoft notifications for consumer-level accounts, this introduces unneeded risk into the company.
Has Microsoft assessed this risk, and would it be possible to introduce a control in consumer Microsoft services that prevents users from using an email address that is linked to a Microsoft enterprise tenant subscription? This would be similar to the behavior when a user attempts to use their work email address to sign up for Microsoft consumer products (they get a message saying they can't do that).
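Until such a control exists, an EOP tenant can at least make the lookalike notifications described above stand out to users. The following is an added example, not part of the original post or any Microsoft guidance: an Exchange Online mail flow rule that tags external messages whose subject or body reads like a Microsoft account security notification but whose sender domain is not the one Microsoft uses for those notifications. The sender domain value is an assumption and should be verified against current Microsoft documentation before use.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module
# and a role that can create mail flow rules.
Connect-ExchangeOnline

# Assumed legitimate sender domain for Microsoft account security notifications; verify before use.
$microsoftNotificationDomain = 'accountprotection.microsoft.com'

# Phrases typical of the consumer account recovery / security notification template.
$notificationPhrases = @(
    'Microsoft account',
    'security info',
    'unusual sign-in activity',
    'verify your identity'
)

New-TransportRule -Name 'Tag lookalike Microsoft account notifications' `
    -Mode Enforce `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords $notificationPhrases `
    -ExceptIfSenderDomainIs $microsoftNotificationDomain `
    -PrependSubject '[External: not sent by Microsoft] ' `
    -Comments 'Flags consumer-account style notifications that did not come from the expected Microsoft domain. Review hits in message trace before tightening the action.'

# Confirm the rule was created and is enabled.
Get-TransportRule -Identity 'Tag lookalike Microsoft account notifications' |
    Select-Object Name, State, Priority, Mode
```

The sender-domain exception relies on Microsoft's own domain being protected by SPF/DKIM/DMARC, so keep DMARC enforcement on in EOP; start in Audit mode if you want to measure hits before tagging subjects.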