Microsoft and my tinfoil journey
Either Microsoft support is wildly incompetent or there's a large scale fraud operation going on.
I’ve been on my couch for four hours today (and several more in the past) trying to unearth why I’ve been charged ~$21 by Microsoft consistently for the past year, because I’d really like someone to actually investigate this journey I’m on. Because there are two outcomes:
There’s large scale fraud occurring and nobody has noticed
Microsoft is incompetent and can’t find my transactions despite me giving them everything they’d need.
I’m leaning towards incompetence, but I can’t be sure. Come along to see why.
This year alone I’ve been charged almost $300 from “Microsoft.” The random credit makes no sense either. The charges are at random times, and the descriptor on the transaction is convincing enough that I thought it was Microsoft.
MICROSOFT*14 DAY TRIMSBILL.INFO
I’ve had these charges in the past and had no idea what they were – so I cancelled my Amex and had a new one sent to me. But the charges persisted. So I reached out to Microsoft directly to ask what exactly these were.
I provided all versions of my Amex (I have the history of my cards in 1Password) to the support agent, and, to both of our surprises – no transaction for my name, cards, and amounts is in Microsoft’s system. At least that’s what support told me.
This is when I started reaching for my Reynolds Wrap. For a few reasons:
“14 day free trial subscription” is an oxymoron.
It happened every few days in October
Digging Deeper
The transaction descriptor has an interesting domain on it: msbill.info – So a quick visit to it does a 301 Redirect to:
https://support.microsoft.com/en-us/account-billing/how-to-investigate-a-billing-charge-from-microsoft-398c5328-364c-d5e4-ea8f-f5ad60562a93
I followed the steps here… and nothing. No closer to figuring out this charge. So I decided to Google it with exact search.
Ok good so I’m not the only one confused by this charge. But all of these are community forums and might be dominating the actual answer. What if I remove them and search for only “MSBILL.INFO” on Microsoft’s website?
Well that’s odd:
You’d think that Microsoft would have a page explaining their domain for transactions somewhere right? Well now I am very curious about this domain. Let’s do a quick cURL of it and see what it’s doing:
$ curl -vvvv msbill.info
* Host msbill.info:80 was resolved.
* IPv6: (none)
* IPv4: 20.112.250.133, 20.236.44.162, 20.231.239.246, 20.70.246.20, 20.76.201.171
* Trying 20.112.250.133:80...
* Connected to msbill.info (20.112.250.133) port 80
> GET / HTTP/1.1
> Host: msbill.info
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Content-Length: 0
< Date: Sat, 16 Nov 2024 21:23:16 GMT
< Server: Kestrel
< Location: https://support.microsoft.com/help/10623/microsoft-account-unknown-charges
< Strict-Transport-Security: max-age=31536000
<
* Connection #0 to host msbill.info left intact
Server: Kestrel is a .NET web server, so that would hint at this being a real Microsoft domain. But, to make things interesting, let’s try it with SSL:
curl -vvvv https://msbill.info
* Host msbill.info:443 was resolved.
* IPv6: (none)
* IPv4: 20.236.44.162, 20.231.239.246, 20.70.246.20, 20.76.201.171, 20.112.250.133
* Trying 20.236.44.162:443...
* Connected to msbill.info (20.236.44.162) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=*.oneroute.microsoft.com
* start date: Oct 25 02:40:26 2024 GMT
* expire date: Apr 23 02:40:26 2025 GMT
* subjectAltName does not match host name msbill.info
* SSL: no alternative certificate subject name matches target host name 'msbill.info'
* Closing connection
curl: (60) SSL: no alternative certificate subject name matches target host name 'msbill.info'
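Why curl stopped with error 60 above, as an added example that is not part of the original post: it parses the certificate subject out of the transcript and applies RFC 6125-style name matching to it. The transcript shows only the subject CN, so treating that as the sole presented name is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: certificate lines copied from the curl -v transcript above.
CURL_TRANSCRIPT = """\
* Connected to msbill.info (20.236.44.162) port 443
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=*.oneroute.microsoft.com
*  start date: Oct 25 02:40:26 2024 GMT
*  expire date: Apr 23 02:40:26 2025 GMT
*  subjectAltName does not match host name msbill.info
"""

def parse_subject(transcript):
    """Return the certificate subject fields from curl -v output as a dict."""
    m = re.search(r"^\*\s+subject:\s*(.+)$", transcript, re.M)
    if not m:
        return {}
    return dict(part.strip().split("=", 1) for part in m.group(1).split(";"))

def name_matches(pattern, host):
    """RFC 6125-style comparison of one certificate name against a host name.

    This sketch honours '*' only as the entire left-most label, and the
    wildcard stands for exactly one label, so label counts must be equal.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' can never match.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def assess(transcript, host):
    """Summarise who the certificate names and whether it covers the host."""
    subject = parse_subject(transcript)
    name = subject.get("CN", "")  # assumption: CN is the only name shown
    return {
        "org": subject.get("O"),
        "presented_name": name,
        "covers_host": name_matches(name, host),
    }

if __name__ == "__main__":
    print(assess(CURL_TRANSCRIPT, "msbill.info"))
```

The result separates two things the transcript reports at once: which organization the certificate names, and whether that certificate is valid for the host that was requested.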
I have a hard time believing Microsoft would host any domain they own without valid SSL on it. So let’s see who owns it:
$ whois msbill.info
Domain Name: msbill.info
Registry Domain ID: 851c4c135e6742d7a0311f7c380cad9a-DONUTS
Registrar WHOIS Server: www.whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com
Updated Date: 2024-09-25T05:04:49Z
Creation Date: 2016-09-29T22:33:19Z
Registry Expiry Date: 2025-09-29T22:33:19Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.3026365400
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Microsoft Corporation
Ok this makes me think my charges are actually from Microsoft. CSC is a major domain registrar and it does indeed say “Microsoft Corporation” – but that doesn’t mean someone doesn’t have a CSC account and registered msbill.info
A lot of the information is redacted – and a whois for microsoft.com is not. Why redact msbill.info and not microsoft.com? Maybe Megacorp™ problems, maybe fraud. So let’s see if crt.sh has anything about this smelly domain: https://crt.sh/?q=msbill.info
I don’t know about you, but I feel like this list is a little shady. “Catposters.net” – c’mon. It’s not the exact certificate common name, but why oh why is it in here in the first place? Why does Microsoft have a domain that has NO certificates ever registered?
Let’s look at something else, the “digital receipt” that Amex has a link to.
Again – “14 Day Trial Recurs Monthly” is sketchy enough as it is.
I’ve never seen this product “Ethoca” before but it’s legit and there’s plenty of resources online saying that. So this is where I lean more towards “this is a real charge and just no one can tell me why” – i.e., Microsoft is incompetent.
But that’s no fun. Let’s keep going.
I shared this screenshot along with my bank statement screenshots with Microsoft support and they claim they cannot find these charges.
So how easy is it to charge myself this amount with this smelly transaction descriptor? Extremely easy it turns out.
I happened to have a Stripe account and I thought “Fraud against myself isn’t fraud, right?” And if it is – it was totally the other guy that made me do it.
So if it took me a whopping 5 minutes to fire an “MSBILL.INFO” charge against myself … is it possible that someone has been sneaking this by for years? I honestly don’t know. Again, it’s Microsoft – they are so big it’s almost impossible to tell.
Conclusion
I called Amex and even the lovely support person I was connected to was beyond baffled, too. None of it made sense. The descriptor, the “14 day free trial” yet I’m getting charged constantly, the timing of it all, the pages upon pages of real people complaining on Microsoft’s website.
So, for now, I’ve added a Merchant Lock to my cards preventing Microsoft from charging me. But if it’s NOT Microsoft and I’m still charged – well that’s the smoking gun.
And if you’re someone that found this blog post after searching for the same thing – welcome, we’ve got jackets. 🧥