A months-long abuse of an internal Microsoft notification address shows how criminal campaigns can borrow legitimacy from routine email flows, without the abuse itself proving a full breach.