Credential-Stuffing Microsoft 365 Business Account Fraud
Attackers run automated credential-stuffing tools against Microsoft 365 business tenants, using email-password pairs from previous breaches to silently take over accounts, forward emails, and launch internal phishing campaigns.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
Microsoft 365 is the backbone of email, document storage, and collaboration for a huge proportion of businesses. A compromised Microsoft 365 account gives an attacker access to the victim's Outlook inbox, SharePoint files, Teams messages, and in many cases the tools to impersonate the victim within their entire organisation.
Credential stuffing attacks against Microsoft 365 are highly industrialised. Automated tools test millions of credential pairs against the Microsoft login endpoint, identifying valid combinations that have been reused from other breached services. Unlike targeted phishing, the victim may never receive any suspicious message — their account is simply logged into silently.
Once inside, sophisticated attackers typically spend weeks monitoring emails before taking any visible action, learning the victim's communication style, pending transactions, and key contacts to maximise the impact of subsequent fraud.
How this scam works on the Microsoft brand
Microsoft's login systems detect many credential-stuffing attempts through anomaly detection and sign-in risk policies in Entra ID. However, when valid credentials from a real breach are used from a known IP range, detection is harder.
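The pattern that sign-in risk detection keys on is visible in the raw sign-in log: one source address failing the password check against many different accounts in a short span, with the occasional success where a reused password happened to be valid. The script below is an added example (not Microsoft's code and not part of this page) that runs that check over a handful of constructed sign-in records shaped like the Entra `signIn` log resource; the addresses use RFC 5737 documentation ranges and the account names are invented.

```python
"""Spot credential-stuffing activity in Microsoft Entra sign-in records.

Added example, not Microsoft's code. Records use the field names of the
Graph `signIn` resource (userPrincipalName, ipAddress, createdDateTime,
status.errorCode); the entries themselves are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = 0                  # status.errorCode for a completed sign-in
INVALID_CREDENTIALS = 50126  # wrong username or password
MFA_INTERRUPT = 50076        # password accepted, MFA required and not completed


def _entry(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: one address replays a breach list against seven accounts
# in half a minute, gets one valid pair, and has another stopped by MFA. A
# real user then mistypes once from the office and signs in normally.
SAMPLE_SIGNINS = [
    _entry("2026-06-01T02:14:03Z", "a.jones@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:09Z", "b.lee@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:15Z", "c.mars@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:20Z", "d.ng@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:27Z", "e.ortiz@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:33Z", "f.khan@example.com", "203.0.113.7", INVALID_CREDENTIALS),
    _entry("2026-06-01T02:14:40Z", "g.roy@example.com", "203.0.113.7", SUCCESS),
    _entry("2026-06-01T02:14:46Z", "h.sato@example.com", "203.0.113.7", MFA_INTERRUPT),
    _entry("2026-06-01T08:02:10Z", "a.jones@example.com", "198.51.100.20", INVALID_CREDENTIALS),
    _entry("2026-06-01T08:02:31Z", "a.jones@example.com", "198.51.100.20", SUCCESS),
]


def _ts(entry):
    return datetime.strptime(entry["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_stuffing_sources(signins, min_distinct_users=5, window=timedelta(minutes=10)):
    """Map IP -> sorted accounts it failed against, for every IP that produced
    bad-password failures for at least `min_distinct_users` distinct accounts
    inside one sliding `window`. One user failing repeatedly is a typo; many
    users failing once each from one address is a breach list being replayed."""
    failures = defaultdict(list)
    for e in signins:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures[e["ipAddress"]].append((_ts(e), e["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def accounts_with_code(signins, ips, code):
    """Sorted accounts that produced `code` from any of the flagged `ips`."""
    return sorted({e["userPrincipalName"].lower() for e in signins
                   if e["ipAddress"] in ips and e["status"]["errorCode"] == code})


def triage(signins):
    """Sources of the spray, accounts that were actually entered (reset them and
    review their mailbox rules), and accounts whose password is known to the
    attacker but whose second factor held (reset them too)."""
    sources = find_stuffing_sources(signins)
    return {
        "sources": sources,
        "compromised": accounts_with_code(signins, sources, SUCCESS),
        "password_known_mfa_held": accounts_with_code(signins, sources, MFA_INTERRUPT),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for ip, users in result["sources"].items():
        print(f"{ip}: failed against {len(users)} accounts")
    print("completed sign-ins from those sources:", result["compromised"])
    print("MFA held, password still burnt:", result["password_known_mfa_held"])
```

The threshold of five distinct accounts in ten minutes is a starting point to tune per tenant. The office address in the sample is never flagged, because a single user retrying is not a spray, and the entry ending in 50076 shows why the MFA advice on this page matters: the password was correct, the sign-in still did not complete, but that account's password should be treated as leaked.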
After gaining access, attackers commonly set up email forwarding rules to a third-party address — allowing ongoing surveillance even if the victim changes their password. They also access shared SharePoint sites, review pending financial transactions in emails, and identify suppliers or clients to target with follow-on business email compromise attacks.
The victim often discovers the compromise when a colleague reports receiving a suspicious email appearing to come from them, when they notice email rules they did not create, or when Microsoft's sign-in notifications alert them to an unfamiliar login.
Common red flags
- Microsoft's sign-in alert emails notify you of a login from an unfamiliar device, browser, or country.
- You find email forwarding rules in Outlook that you did not create — go to Settings > Mail > Forwarding.
- Colleagues report receiving unusual emails or requests from your Microsoft 365 address.
- Your OneDrive or SharePoint shows file access from unfamiliar times or devices.
- Your Microsoft account shows multiple failed sign-in attempts in the recent security activity log.
- A sent email appears in your Sent Items that you did not write.
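The forwarding rules described above, which an attacker adds to keep reading mail after a password change, have a recognisable shape: they send a copy outside the tenant and usually delete or mark as read the original so the owner never notices. The script below is an added example, not Microsoft's code and not part of this page, that audits a mailbox's inbox rules for that shape. The rules are constructed sample data using the field names of the Graph `messageRule` resource, and example.com stands in for the tenant's own domain.

```python
"""Audit Outlook inbox rules for attacker-style external forwarding.

Added example; not Microsoft's code. Rules use the field names of the Graph
`messageRule` resource (displayName, isEnabled, actions with forwardTo /
forwardAsAttachmentTo / redirectTo / delete / markAsRead). Every rule and
address below is constructed; example.com plays the tenant's own domain.
"""

INTERNAL_DOMAINS = {"example.com"}
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _rule(name, enabled=True, **actions):
    return {"displayName": name, "isEnabled": enabled, "actions": actions}


def _rcpt(address):
    return {"emailAddress": {"address": address}}


# Constructed sample: one rule of the kind an intruder leaves behind, one
# legitimate internal cover rule, one disabled external rule, one filing rule.
SAMPLE_RULES = [
    _rule("Sync", forwardTo=[_rcpt("backup.mail.2026@example.net")],
          delete=True, markAsRead=True),
    _rule("Cover while on leave", forwardTo=[_rcpt("deputy@example.com")]),
    _rule("old test", enabled=False, redirectTo=[_rcpt("me@example.org")]),
    _rule("Newsletters", moveToFolder="placeholder-folder-id"),
]


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return findings for one rule; an empty list means nothing to act on.
    Disabled external rules are still reported, since whoever created them
    can switch them back on."""
    actions = rule.get("actions", {})
    findings = []
    for action in FORWARD_ACTIONS:
        for rcpt in actions.get(action) or []:
            addr = rcpt["emailAddress"]["address"].lower()
            if addr.rsplit("@", 1)[-1] not in internal_domains:
                findings.append(f"{action} sends mail outside the tenant: {addr}")
    if findings and actions.get("delete"):
        findings.append("delete: the owner never sees the forwarded message")
    if findings and actions.get("markAsRead"):
        findings.append("markAsRead: no unread indicator for the forwarded copy")
    if findings and not rule.get("isEnabled", True):
        findings.append("rule is currently disabled")
    return findings


def audit_mailbox(rules, internal_domains=INTERNAL_DOMAINS):
    """Map rule name -> findings for every rule that needs a look."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[rule["displayName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[{name}]")
        for f in findings:
            print("  -", f)
```

In a real tenant the rule list comes from Graph (`GET /users/{id}/mailFolders/inbox/messageRules`) or from Exchange Online PowerShell (`Get-InboxRule -Mailbox <user>`). Two caveats for anyone running this kind of check: inbox rules and the mailbox-level forwarding address are separate settings, and both need reviewing, and the red flags on this page are worth checking tenant-wide rather than one mailbox at a time, since a stuffing run rarely stops at a single account.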
How to protect yourself
- Enable multi-factor authentication for all Microsoft 365 accounts in your organisation — this stops credential stuffing even when passwords are valid.
- Use Microsoft Entra ID Conditional Access policies to block sign-ins from unfamiliar locations or devices.
- Check sign-in activity at mysignins.microsoft.com and review email rules at outlook.com/options > Mail > Forwarding.
- Use Microsoft's passwordless sign-in options such as Microsoft Authenticator or FIDO2 keys where possible.
- Check whether your email address has appeared in a breach at haveibeenpwned.com and change the password if it has.
- Brief employees to report any email they did not send that appears in their Sent Items — this is an early takeover indicator.
How to report it
- Report compromised Microsoft 365 accounts through the Microsoft 365 Defender portal or at microsoft.com/en-us/security.
- IT admins can investigate and contain the compromise using Microsoft Defender for Office 365's Threat Explorer.
- Report business email compromise incidents to the FBI IC3 at ic3.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If fraudulent financial transactions resulted, contact your bank and file a report with your national fraud authority.
Frequently asked questions
How does enabling MFA stop credential stuffing?
Multi-factor authentication requires a second proof of identity in addition to a password. Even if attackers have your password from a breach, they cannot complete the login without your authenticator app, hardware key, or SMS code. This single control eliminates the vast majority of credential-stuffing attacks.
What should I do if I find email forwarding rules I did not create?
Delete the rules immediately in Outlook Settings > Mail > Forwarding, then change your Microsoft 365 password and enable MFA. Review your Sent Items and alert your IT team so they can assess whether any sensitive information was exposed.
My Microsoft 365 account was used to send phishing emails internally. Am I liable?
You are generally not personally liable for criminal acts committed using your compromised account, but your organisation may face reputational and regulatory consequences. Report the incident to your IT team immediately and cooperate with their investigation.