
Microsoft License Verification calls and emails

Anonymous
2020-08-10T16:02:54+00:00

I've gotten two calls from people claiming to be from Microsoft saying I had to participate in some kind of license verification review.

Today I got an email from a 'microsoft.com' email, but included this nugget:

"During these unprecedented times organizations are focusing on cost optimization. With that in mind MACK ENERGY CORPORATION has been selected by Microsoft to complete a License Augmentation Review. This review will cover all your Microsoft software and licensing agreements . Your company may be asked to provide Microsoft with a certification that you either have sufficient licenses to permit usage disclosed by the review or that you have ordered sufficient licenses."

Someone please explain why an oil and gas exploration company would be hired by Microsoft for licensing audits?   

Does Microsoft really do these audits / reviews and how do we tell them apart from the scammers?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


13 answers

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2020-08-10T16:52:17+00:00

    It's really not appropriate for a business to come to a community forum intended for consumers and manned by volunteers or Microsoft contractors at best to ask a question about a large business software audit, as the answer you received should confirm.

    However, since I at least have a medium sized business IT background and the ability to use search, I'll do my best to start you down a more sensible path.

    The following Microsoft.com page provides information regarding both an "audit" and Microsoft Software Asset Management (SAM) voluntary action.

    License Compliance Verification FAQ | Microsoft Volume Licensing

    Note also that the email you received mentions the following:

    "MACK ENERGY CORPORATION has been selected by Microsoft to complete a License Augmentation Review."

    Beyond the fact that clicking that License Augmentation Review link takes me to apparent advertising for Microsoft products including the Surface Book 3, the title of that link alone should give you pause.

    What is a License Augmentation Review?  Possibly an attempt to sell you additional software you don't need (or possibly do) under the premise that you're going to be audited?  And combined with the fact you noted that the company mentioned is obviously not an "Independent, internationally recognized certified public accounting firm" as mentioned in the License Compliance Verification FAQ, this all sounds just as suspicious as you inferred above. 

    So what I'd do is take a much more careful look at that email using a good email client that exposes the true address rather than the "friendly name" that many crappy email programs display and verify that it actually displays Microsoft.com rather than some convoluted one.  Or if you understand how, look at the message source if using Outlook.com or a similar Microsoft product to see the true delivery pathway displayed in the headers to see whether, as is likely, the email address itself may have been spoofed.

    In other words, to me this message is clearly fake and not how I'd expect a professional company to contact me in any case, instead likely using an official, snail mail letter on letterhead of the accounting firm assigned by Microsoft.

    This is clearly a scam, possibly just trying to sell software, but also maybe intended to acquire your firm's or your own identity information for identity theft.

    Rob

    4 people found this answer helpful.
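
The header check suggested in the answer above (true address versus friendly name, and the delivery pathway), as an added example that is not part of the original thread. The message is a constructed sample, not the email the poster received, and every host name in it is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the email from the thread); all hosts are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP id abc123; Mon, 10 Aug 2020 09:14:02 -0600
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=microsoft.com
From: "Microsoft License Review" <licensing@microsoft.com>
Reply-To: review-team@mailer.example.net
To: it@recipient.example
Subject: License Augmentation Review

Body omitted.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def inspect_headers(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Received headers are prepended by each server, so the last one is the origin.
    hops = [re.search(r"from\s+(\S+)", h) for h in msg.get_all("Received", [])]
    # Only trust Authentication-Results added by your own receiving server.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    report = {"display_name": display, "from_address": addr,
              "return_path_domain": domain_of(msg.get("Return-Path")),
              "reply_to_domain": domain_of(msg.get("Reply-To")),
              "origin_host": hops[-1].group(1) if hops and hops[-1] else "",
              "auth": auth, "findings": []}
    for field in ("return_path_domain", "reply_to_domain"):
        if report[field] and report[field] != from_dom:
            report["findings"].append(
                f"{field} {report[field]} differs from From domain {from_dom}")
    if auth.get("dmarc") != "pass":
        report["findings"].append(f"DMARC result is {auth.get('dmarc', 'absent')}, not pass")
    return report

if __name__ == "__main__":
    for key, value in inspect_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, SPF passes for the sending host's own domain while DMARC fails, because the visible From domain does not align with the domain that actually sent the message.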
  2. Rob Koch 25,875 Reputation points Volunteer Moderator
    2020-09-24T10:32:53+00:00

    Hey Steve,

    It may be that the email is being sent from a Microsoft domain via either LinkedIn or some other service provided for Microsoft partners, since these may be hosted within Microsoft supported Exchange or similar email servers.

    You're right that this can create an apparent implication that the organization using these services is Microsoft itself, which is why Microsoft had to drop most of the older Gold and other partner programs, since of course some malicious actors used these partner designations and the apparent associations they implied to the unknowledgeable consumer as methods of gaining undeserved trust.

    Since I don't have a LinkedIn account myself, I don't know precisely what services might be available there, but I suspect the use of Teams might be the primary reason they'd take advantage of that specific account.  This again could create an apparent implication of association with Microsoft, though in truth it only means someone is using the LinkedIn account and Teams service.

    Without accessing or viewing these services myself I can only guess, but nothing so far has convinced me of anything different relating to the "license augmentation", since this sounds so obviously ridiculous and suspicious.

    The problem for Microsoft becomes how to provide services with trustworthy domains, etc. without adding the implication that they might mean something else.  Tough line to walk and really more a reflection of the technical complexity of our time than anything else.

    As I mentioned, it's my own background working in the commercial phishing and security industry that makes me so suspicious of everything, since I not only saw lots of these types of attacks in my career, I produced many of them from scratch myself.  As a past network administrator in both business and education, I'd seen every sort of SPAM message that existed from the early 1990's forward, so to me these are all simply extensions of these earlier fake messages and so relatively easy to spot.

    The problem for the consumer or even business user is they'll never gain the level of experience I've had, so they need to learn some basic facts and use these to protect themselves from fake messages delivered via any method, email, web page or any other source.

    The most basic rule is: if it sounds too good to be true or makes you in the least suspicious, such as searching online to verify a situation such as this one, it's already nearly 100% likely to be a fake.  Only if someone can point you to an official source for that same information at a location (e.g. website) clearly able to be verified as provided by the company in question, preferably multiple such reputable sources, should it be trusted.

    Rob

    2 people found this answer helpful.
  3. Anonymous
    2020-09-24T02:06:37+00:00

    Agreed.  Also, when I asked for additional authentication and evidence, I never heard back.  Six weeks have passed.

    I am convinced 99.99% it was a scammer / phishing attempt.   Microsoft needs to act on this and clarify, and figure out how people are spoofing their email domain.

    Kevin-  Did the person you spoke to at Microsoft confirm any such authentication / audit program?  Who was your specific contact?  I'd be curious to ask them why they would 'give up' and not offer additional authentication if it was real.

    (Still... MACK ENERGY???... LOL... c'mon.... I'd love to hear anyone at Microsoft explain that connection.... )

    The crazy thing is that the email headers were real, which is why Microsoft should be very concerned if hackers / phishers are spoofing their email headers.

    1 person found this answer helpful.
  4. Rob Koch 25,875 Reputation points Volunteer Moderator
    2020-09-23T20:25:18+00:00

    I'll believe it when I see it myself, Kevin; there's no Bing searchable public entity found by that name, whether LinkedIn or in general.

    That name is nothing like any of the official license verification groups found in Microsoft documentation, which is a classic indication of a phishing scam, which was my professional background.

    So you'll have a difficult time convincing me without the complete and proper documentation in a publicly available format, which any true Microsoft operation would always have.

    Scammers or just lazy companies looking to make an extra buck are rampant today.  This is the perfect example of something that could hook many unsuspecting small businesses into paying 3rd-parties for products they either don't need or might, but could get themselves from Microsoft itself.

    Feel free to provide the direct links to the official contact information you claim you've been using.  My suspicious mind immediately notes that you provided none of this, which should have taken seconds to copy/paste if it were accurate and true.

    Rob

    1 person found this answer helpful.
  5. Rob Koch 25,875 Reputation points Volunteer Moderator
    2020-08-10T17:18:15+00:00

    No need for apology, I was just making sure you understood whom you're talking to, since Microsoft's automated help facilities are of course designed to capture general searches for aid and drop them into the consumer forums, where most of these likely belong.

    The TechNet and other commercial IT forums and documentation have been going through a drastic revamp the last couple years, so the correct pathways there are in relative disarray and difficult for even me to navigate, which is why I choose to answer when I can rather than forward into an often black hole.

    Verifying with official sources is still a good idea, I just wouldn't waste my time since I know how to read email headers as a past administrator and security professional, so I could verify the message's true source myself.

    Rob

    < EDIT > Actually, I'm surprised that such a probable spam/scam message didn't end up in the email client's Junk or Spam folder automatically, since it's likely the headers don't match the other address information.  However, if you're not using a Microsoft email client or servers, that may be part of the problem.

    1 person found this answer helpful.