When Trusted Domains Betray Trust: Power BI Scam-Spam and the Case for Proactive BI Governance


Microsoft Power BI has been at the centre of a surge in phishing attacks that were recently linked to the official no-reply-powerbi@microsoft.com address. The emails are easy to identify, partly because of their grammar and spelling. Plus, these emails are the only ‘Microsoft’ emails that aren’t pushing Copilot at you in some way, so that, in itself, made them suspicious in my view!

Seriously though, as reported by Ars Technica, scammers are exploiting report subscription features to bypass security filters that inherently trust Microsoft domains. The phishing attacks are fairly obvious to experienced users, and it’s easy to blame the users for clicking on links. However, the irony is that the emails got through Microsoft’s tools such as Defender. I’m concerned about the attack vector.

It is a process issue, too. Microsoft Power BI provides analytics and business intelligence from various sources that can be integrated into a single dashboard. As part of the Power BI technology, users receive ‘subscriptions’ to reports that they are interested in. Subscriptions are sent from this email address, including to mail-enabled security groups. Microsoft specifically advises users to add the address to allow lists so that subscription email makes it through.

The emails themselves have grammatical and spelling mistakes, but this is deliberate. Threat actors will deliberately make it easy for expert users to spot so that they don’t have to deal with experienced users hassling them. They are targeting the naive users who will click on links, not the experienced users.

What does this mean for your data strategy? Regardless of how experienced your users are with technology, security and governance are the essential pillars of a mature data strategy. It is a combination of business process and technology factors, and key considerations for your data foundation include:

– Even trusted platforms require internal controls to mitigate external exploitation.
– Governance must include feature-specific risk management.
– Weak foundations create vulnerabilities to “shadow” risks within sanctioned tools.

Business intelligence depends on trust and transparency. When trust is compromised, the value of your data diminishes because users become wary of using it.

When a phishing email arrives from no-reply-powerbi@microsoft.com, most enterprise security filters give it a pass. After all, it’s a legitimate Microsoft domain, verified and trusted. Your email gateway doesn’t flag it. Your users don’t question it. And that’s exactly what scammers are counting on.

A recent wave of scam-spam emails has exposed a troubling vulnerability. Attackers are exploiting Power BI’s legitimate subscription feature to send phishing messages that appear to come directly from Microsoft. According to Ars Technica, these emails bypass traditional security filters precisely because they originate from an authentic, trusted domain. The mechanism is frighteningly simple, and therein lies the danger.

The boundaries between business intelligence (BI) tooling and cybersecurity risk are thinner than most organisations realise. Building a solid data foundation and implementing proactive BI governance are essential security controls.

The Mechanism: When Legitimate Features Become Attack Vectors

What is Power BI’s subscription feature? It’s a productivity feature that allows users to schedule automated email delivery of reports and dashboards, and it has been part of Microsoft Business Intelligence for a long time: SQL Server Reporting Services offered the same capability years ago, for example. It is designed to keep teams informed without requiring them to log into the platform constantly.

Under normal circumstances, when you subscribe to a Power BI report, the service sends an email on your behalf from Microsoft’s infrastructure using the no-reply-powerbi@microsoft.com address.

Scammers have unpicked Microsoft’s licensing (no mean feat in itself) and discovered that they can create free Power BI accounts and use the subscription feature to blast target email addresses. The deception involves building reports containing phishing links or fraudulent content and sending them from the legitimate Microsoft email address. Because these emails originate from Microsoft’s legitimate infrastructure and domain, they sail past SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) checks. Traditional email security filters see a verified Microsoft sender and wave it through.

The victims receive what appears to be an official Power BI notification, complete with professional formatting and Microsoft branding. The report itself might contain malicious links disguised as data visualisations, or lead to credential harvesting pages. By the time users realise something is wrong, their credentials may already be compromised.
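The mechanism above is worth seeing in a concrete form. The following is an added example for this post (not code from the post, nor Microsoft’s own filtering); it parses a constructed subscription-style message whose Authentication-Results header (RFC 8601 format) reports SPF, DKIM and DMARC all passing, and shows that a sender-authentication check alone waves it through, while a complementary control that compares every link in the body against an approved list of Power BI hosts still catches the message. The message text, the approved host list and the `quarantine` decision are assumptions made for the example.

```python
"""Triage a subscription-style email that passes SPF/DKIM/DMARC.

Added example for this post; not Microsoft's code and not a real filter.
The Authentication-Results parsing follows RFC 8601's "method=result" syntax;
ALLOWED_LINK_HOSTS is an assumed organisational policy input.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts a genuine Power BI subscription email is expected to link to (assumed policy).
ALLOWED_LINK_HOSTS = {"app.powerbi.com", "powerbi.microsoft.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r'https?://[^\s"<>]+')


def auth_results(msg):
    """Return {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(AUTH_RE.findall(header))


def sender_authenticated(msg):
    """What a sender-authentication-only filter sees: all three checks pass."""
    auth = auth_results(msg)
    return all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def extract_links(msg):
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return URL_RE.findall(body)


def suspicious_links(msg):
    """Links whose host is not one the subscription feature should ever produce."""
    return [url for url in extract_links(msg)
            if (urlparse(url).hostname or "").lower() not in ALLOWED_LINK_HOSTS]


def triage(raw_message):
    """Combine both signals: authentication verdict plus link-host policy."""
    msg = message_from_string(raw_message)
    links = suspicious_links(msg)
    return {
        "from": msg.get("From"),
        "auth_passed": sender_authenticated(msg),
        "suspicious_links": links,
        # Authentication tells you who sent it, not whether the content is safe.
        "quarantine": bool(links),
    }


# Constructed sample message (not a captured phishing email). The second link
# uses a reserved .test domain as a placeholder for a credential-harvesting page.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Power BI <no-reply-powerbi@microsoft.com>
To: finance-team@example.com
Subject: Your Power BI report subscription
Content-Type: text/plain; charset=utf-8

Your scheduled report is ready.
View report: https://app.powerbi.com/groups/me/reports/report-id-placeholder
Action required: https://login.example-lookalike.test/verify
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    print("sender authenticated:", result["auth_passed"])
    print("suspicious links:", result["suspicious_links"])
    print("quarantine:", result["quarantine"])
```

The point of the two-stage check is that SPF, DKIM and DMARC answer only “did microsoft.com really send this?”, which is true for both legitimate and abused subscriptions; the link-host policy is the kind of content-aware rule a gateway needs in addition, and a real deployment would also check HTML bodies and redirect chains.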

BI Tools Are Security Perimeters

The Power BI scam-spam incident is simple, and it reveals a blind spot in how many organisations approach business intelligence and data platforms. Because data teams and technology teams are often organised separately, these tools are frequently treated as something apart from the core security infrastructure.

Business intelligence platforms are security perimeters. Users work directly on these platforms, accessing sensitive data, and businesses often use them to share information both internally and externally with customers, partners and suppliers. Consequently, IT is increasingly required to integrate them with identity systems, data warehouses, and even AI agents. When BI governance is weak or nonexistent, these platforms become high-value targets and potential launchpads for sophisticated attacks.

The lesson here isn’t just about Power BI. It’s about recognising that every data platform, whether it’s Tableau, Looker, or a custom analytics solution, requires the same security rigour we apply to email gateways, VPNs, and identity providers. The question enterprises must ask is: do we have a data foundation strong enough to prevent our own tools from being weaponised?

The Role of Data Foundations and Proactive BI Governance

A strong data foundation is more than infrastructure and architecture diagrams. It encompasses the policies, controls, processes, and cultural practices that ensure data platforms serve the business without exposing it to unacceptable risk. In the context of BI governance, this means implementing layered security controls that address identity, access, data sensitivity, and external sharing.

Tenant Configuration and External Sharing Controls

The first line of defense is tenant-level configuration. In Power BI (and similar platforms), administrators should critically evaluate external sharing settings. Can users share reports with external email addresses? Can they create public links? These features, while convenient, dramatically expand the attack surface.

Organisations should implement explicit allow-listing for external domains rather than blanket approvals. If your BI platform permits subscriptions to arbitrary email addresses, you’re essentially allowing any user to send emails via your platform’s trusted domain, which is exactly the vulnerability scammers exploited.

Sensitivity Labels and Data Loss Prevention (DLP)

Sensitivity labels provide granular control over what can be shared and with whom. By classifying reports and datasets according to sensitivity (Public, Internal, Confidential, Highly Confidential), organisations can enforce policies that automatically restrict external sharing for sensitive content.

Integrating BI platforms with Microsoft Purview (or equivalent DLP solutions) enables real-time policy enforcement. For instance, a report containing financial data could be automatically prevented from being subscribed to external addresses, or could trigger alerts when shared outside approved groups.

Conditional Access and Identity Governance

Conditional access policies ensure that BI platform access adheres to your organisation’s security posture. This might include requiring multi-factor authentication, restricting access based on device compliance, or limiting access from specific geographic locations.

Identity governance means regularly reviewing who has access to what. In Power BI terms, this includes workspace membership, app permissions, and dataflow access. Regular access reviews prevent “permission creep”, where users accumulate access rights they no longer need, or shouldn’t have had in the first place.

Audit Logging and Least Privilege

Comprehensive audit logging is non-negotiable. Every action within your BI platform (report creation, subscription setup, external sharing) should be logged and monitored. In the Power BI scam scenario, organisations with robust logging could quickly identify unusual patterns: multiple subscriptions created by a newly provisioned account, or subscriptions targeting non-organisational email domains.
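The two patterns named above, plus the domain allow-listing recommended under Tenant Configuration and External Sharing Controls, can be expressed as detection logic over subscription audit events. The following is an added example for this post, not the post’s own code and not Microsoft’s; the operation name mirrors the Power BI activity log’s CreateEmailSubscription event, but the rest of the event schema (actor, account-creation time, recipient list), the thresholds, the allowed-domain list and the sample events are constructed assumptions. A real implementation would read events exported from the tenant’s audit log instead.

```python
"""Flag subscription-abuse patterns in BI audit events.

Added example for this post; not Microsoft's code. The event schema is a
constructed simplification (assumption); only the CreateEmailSubscription
operation name follows the Power BI activity log naming.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Recipient domains approved for subscriptions (assumed organisational policy).
ALLOWED_DOMAINS = {"example.com", "partner.example.net"}

# Tuning knobs (assumed): what counts as a burst, and what counts as a new account.
MASS_THRESHOLD = 5
MASS_WINDOW = timedelta(hours=1)
NEW_ACCOUNT_AGE = timedelta(days=7)


@dataclass(frozen=True)
class SubscriptionEvent:
    time: datetime
    actor: str
    account_created: datetime      # when the actor's account was provisioned
    operation: str                 # e.g. CreateEmailSubscription
    recipients: tuple[str, ...]    # addresses the subscription delivers to


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def creations(events):
    return [ev for ev in events if ev.operation == "CreateEmailSubscription"]


def find_external_recipients(events):
    """(actor, address) pairs where the recipient domain is not allow-listed."""
    return [(ev.actor, addr) for ev in creations(events)
            for addr in ev.recipients
            if recipient_domain(addr) not in ALLOWED_DOMAINS]


def find_mass_subscribers(events):
    """Actors who created >= MASS_THRESHOLD subscriptions inside any MASS_WINDOW."""
    by_actor = defaultdict(list)
    for ev in creations(events):
        by_actor[ev.actor].append(ev.time)
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > MASS_WINDOW:
                start += 1
            if end - start + 1 >= MASS_THRESHOLD:
                flagged.add(actor)
                break
    return flagged


def find_new_account_subscribers(events):
    """Actors creating subscriptions within NEW_ACCOUNT_AGE of being provisioned."""
    return {ev.actor for ev in creations(events)
            if ev.time - ev.account_created <= NEW_ACCOUNT_AGE}


def triage(events):
    """Return {actor: [reasons]} for every actor that trips at least one signal."""
    reasons = defaultdict(list)
    for actor, addr in find_external_recipients(events):
        reasons[actor].append(f"external recipient {addr}")
    for actor in find_mass_subscribers(events):
        reasons[actor].append("mass subscription burst")
    for actor in find_new_account_subscribers(events):
        reasons[actor].append("newly provisioned account")
    return dict(reasons)


# Constructed sample events (not real audit data): one normal subscription, a
# day-old account firing six subscriptions at external addresses in six minutes,
# and an unrelated deletion that the detector should ignore.
T0 = datetime(2025, 11, 3, 9, 0)
SAMPLE_EVENTS = [
    SubscriptionEvent(T0, "alice@example.com", T0 - timedelta(days=400),
                      "CreateEmailSubscription", ("finance@example.com",)),
    *[SubscriptionEvent(T0 + timedelta(minutes=i), "temp01@example.com",
                        T0 - timedelta(days=1), "CreateEmailSubscription",
                        (f"recipient{i}@mail.example.org",)) for i in range(6)],
    SubscriptionEvent(T0 + timedelta(hours=3), "bob@example.com",
                      T0 - timedelta(days=90), "DeleteEmailSubscription", ()),
]

if __name__ == "__main__":
    for actor, why in triage(SAMPLE_EVENTS).items():
        print(actor, "->", "; ".join(why))
```

Each signal is weak on its own (a new starter legitimately subscribing colleagues will trip the account-age rule), which is why `triage` reports all reasons per actor rather than a single verdict; an alert that fires on two or more reasons, fed into the SIEM integration recommended in the checklist, is a sensible starting threshold.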

The principle of least privilege applies as much to BI as it does to network access. Not every user needs the ability to create workspaces, publish reports, or configure subscriptions. By restricting these capabilities to roles that genuinely require them, you dramatically reduce the potential for abuse.

Workspace Lifecycle Management

Abandoned or forgotten workspaces are security liabilities. Implementing workspace lifecycle management (regular reviews, archiving policies, and decommissioning procedures) ensures that outdated content doesn’t linger as a potential vulnerability.

Practical Governance Checklist

Here’s a practical checklist for organisations looking to strengthen their BI governance posture:

Configuration & Access

  • Review and restrict external sharing capabilities at the tenant level
  • Implement domain allow-listing for external subscriptions
  • Enforce multi-factor authentication for all BI platform access
  • Configure conditional access policies based on risk signals
  • Disable public link sharing unless explicitly required

Data Classification & Protection

  • Apply sensitivity labels to all reports and datasets
  • Integrate DLP policies to prevent sensitive data leakage
  • Enable watermarking for reports containing confidential information
  • Configure automatic labelling based on data source sensitivity

Monitoring & Response

  • Enable comprehensive audit logging across all BI activities
  • Set up alerts for suspicious patterns (mass subscriptions, external sharing spikes)
  • Integrate BI audit logs with SIEM (Security Information and Event Management) systems
  • Conduct regular access reviews for workspaces and content

Training & Culture

  • Train users to recognise phishing attempts, even from “trusted” domains
  • Establish clear policies for when external sharing is appropriate
  • Create easy reporting mechanisms for suspicious activity
  • Conduct periodic phishing simulations using realistic scenarios

Incident Response Playbook: BI/Email Abuse

If you suspect your BI platform is being used for phishing or spam, here’s a simple incident response framework:

Immediate Actions (0-1 hour)

  1. Identify the compromised account or workspace
  2. Disable the account and revoke all active sessions
  3. Cancel all active subscriptions associated with the account
  4. Notify your email security team to monitor for related phishing attempts
  5. Document the scope: how many emails were sent, to which addresses

Investigation (1-24 hours)

  1. Review audit logs to determine the attack timeline
  2. Identify what data or reports were accessed or shared
  3. Check for lateral movement: did the attacker access other systems?
  4. Assess whether any legitimate users interacted with malicious content
  5. Determine entry vector: compromised credentials, weak password, social engineering?

Remediation (24-72 hours)

  1. Reset passwords for affected and related accounts
  2. Review and tighten tenant-level sharing settings
  3. Implement additional monitoring for similar patterns
  4. Remove or quarantine any malicious content created during the incident
  5. Communicate with affected parties (internal users, external recipients if necessary)

Post-Incident (1-2 weeks)

  1. Conduct a lessons-learned review
  2. Update BI governance policies based on findings
  3. Enhance detection capabilities to catch similar attacks earlier
  4. Provide targeted security awareness training
  5. Document the incident for compliance and future reference

The Shadow BI and Shadow AI Connection

This incident highlights a broader challenge: shadow BI and shadow AI. When organisations don’t provide secure, governed platforms for analytics and AI experimentation, users inevitably seek alternatives. They sign up for free SaaS tools, create personal accounts on platforms like Power BI, and work around security controls that seem to slow them down.

The problem isn’t that users are reckless; it’s that they’re trying to get work done. But without proper governance, these shadow systems become ungoverned entry points. The same Power BI subscription feature that scammers exploited could just as easily be misused by a well-meaning employee who doesn’t understand the security implications of sharing reports externally.

As I discussed in Escaping the AI Pilot Trap, the solution isn’t to lock everything down; it’s to provide secure, governed alternatives that are easy enough that users don’t feel compelled to work around them. Strong data foundations make secure behaviours the path of least resistance.

The Empathy-Driven Cybersecurity Approach

Here’s a truth that’s uncomfortable for many security teams: users don’t wake up thinking, “How can I undermine our security posture today?” They wake up thinking about deadlines, deliverables, and getting information to the people who need it. When we design security controls that ignore this reality, we inadvertently create the conditions for shadow systems and workarounds.

An empathy-driven approach to cybersecurity means understanding why users behave the way they do, and designing controls that accommodate legitimate needs while preventing abuse. In the BI context, this might mean:

  • Making it easy to share reports securely within the organisation
  • Providing clear guidance on when external sharing is appropriate
  • Automating security controls so users don’t have to think about them
  • Offering self-service tools that don’t require security exceptions

When security feels like a partner rather than a blocker, users are far more likely to follow the rules, and to report suspicious activity when they see it.

Building Resilience for the Next Attack

The Power BI scam-spam incident won’t be the last time a legitimate feature is exploited for malicious purposes. As organisations adopt more AI-powered tools, integrate more systems, and enable more self-service capabilities, the attack surface inevitably expands. We can’t totally eliminate risk, but we can put in place governance foundations that will help organisations to detect, respond to, and recover from inevitable security incidents.

Proactive BI governance is about building resilience into Business Intelligence tools and understanding their functionality. It’s about recognising that a Power BI report subscription is both a productivity feature and a powerful tool that can be used for good or ill.

The organisations that will thrive in 2026 and beyond are those that invest in strong data foundations now as a continuous process. The only real security is the kind you build into the foundation.

Need help strengthening your data foundation and BI governance? Get in touch to discuss how we can help you turn data platforms from potential vulnerabilities into strategic assets.
