Fake Microsoft 365 Password-Reset Phishing
Phishing emails mimicking Microsoft 365 account alerts direct users to a replica sign-in page that harvests their work or personal Microsoft credentials, often with the aim of penetrating corporate networks.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Microsoft 365 is one of the world's most widely deployed productivity suites, making Microsoft account credentials among the most valuable targets for cybercriminals. A stolen Microsoft 365 login can grant access to a person's entire work email history, SharePoint files, OneDrive documents, and Teams messages — making the impact of a successful phish potentially devastating for both individuals and organisations.
Attackers send emails styled to match Microsoft's transactional email templates, often referencing realistic-sounding events: an unusual sign-in from an unfamiliar location, a mandatory password-policy reset, or an account that will expire unless the user acts. The sense of corporate urgency — especially when the message appears to come from an IT department — can override usual caution.
Unlike consumer phishing campaigns that cast wide nets, many Microsoft 365 phishing attacks are targeted: attackers research a company's email domain and craft messages that reference the company name, the victim's actual username, or a real event such as an IT migration. This targeting makes the emails far more convincing.
How this scam works on the Microsoft brand
The real Microsoft 365 sign-in page lives at login.microsoftonline.com. Microsoft's genuine password-reset or unusual-activity notifications address the user by their full name, reference the specific account email address, and link only to that domain. They do not ask you to enter your current password as part of a 'security verification' step.
Fake emails typically feature a logo, a blue 'Sign In' button, and a footer mimicking Microsoft's standard legal text. The link destination, however, resolves to a domain like microsoftonline-secure[.]xyz or office365-login[.]co rather than microsoft.com. Adversary-in-the-middle (AiTM) phishing kits can relay your credentials to the real site and intercept session cookies, bypassing standard two-factor authentication entirely.
In business-targeted campaigns, attackers chain the credential harvest to further attacks: they log into your account, set inbox rules to hide replies, and initiate business email compromise (BEC) attacks against your colleagues or clients — requesting fraudulent wire transfers or invoice changes.
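The inbox-rule step described above leaves a trace in mailbox audit records, and that is where defenders usually catch it. The following is an added example (not code from the original page or from Microsoft) that scores rule-creation events for the hallmarks of a BEC setup: forwarding to an external address, deleting or filing messages into rarely-read folders, filtering on payment-related keywords, and near-empty rule names. The record shape (one JSON object per line with an Operation field and a Parameters list of Name/Value pairs), the sample records, and the internal domain example.com are all constructed assumptions for this example.

```python
import json

# Constructed sample audit records for this example. The field names mirror the general
# shape of Exchange mailbox-audit entries but are an assumption, not taken from the page.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-06-01T08:14:02","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;wire;payment"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-06-01T08:15:30","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"fwd"},{"Name":"ForwardTo","Value":"collector@attacker-mail.example"}]}
{"CreationTime":"2026-06-01T09:02:11","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the example
# Folders a victim rarely opens, so replies filed there go unnoticed.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words attackers filter on to intercept payment threads and security warnings.
BEC_WORDS = {"invoice", "wire", "payment", "bank", "password", "hacked", "phish", "suspicious"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def rule_params(record: dict) -> dict:
    """Flatten the Parameters list into a plain {Name: Value} mapping."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def assess_rule(record: dict) -> list[str]:
    """Return the list of suspicious traits found in one inbox-rule event."""
    p = rule_params(record)
    reasons = []
    target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
    if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"forwards mail to external address {target}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages into rarely-checked folder '{p['MoveToFolder']}'")
    filters = ";".join(p.get(k, "") for k in
                       ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")).lower()
    hits = sorted(w for w in BEC_WORDS if w in filters)
    if hits:
        reasons.append("filters on BEC keywords: " + ", ".join(hits))
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append(f"near-empty rule name {p.get('Name', '')!r}")
    return reasons


def find_suspicious_rules(log_text: str) -> list[dict]:
    """Scan newline-delimited JSON audit records and return the rule events worth triage."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = assess_rule(rec)
        # A single hiding action is common in benign rules; require two signals,
        # or any external forward, before raising a finding.
        if len(reasons) >= 2 or any(r.startswith("forwards") for r in reasons):
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "ip": rec.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f["time"], f["user"], f["ip"])
        for r in f["reasons"]:
            print("   -", r)
```

The two-signal threshold is a design choice to keep noise down: users legitimately file newsletters into folders, but a rule with no real name that hides payment-related mail in RSS Subscriptions is the pattern the paragraph above describes. The external-forward rule is flagged on its own because it exfiltrates mail regardless of anything else.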
Common red flags
- Sender domain is not @microsoft.com or @accountprotection.microsoft.com — check the actual email header
- The sign-in button leads to a URL that is not login.microsoftonline.com
- The email demands a password reset 'within 48 hours or your account will be suspended'
- The sign-in page asks for both your password and your current MFA code on the same screen
- The message references your email address but not your full name, or uses 'Dear Microsoft User'
- URL contains 'microsoft' or 'office365' as a subdomain of an unrelated domain (e.g., microsoft.evil.com)
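The red flags above can be checked mechanically, and doing so shows why simple substring matching is not enough. Here is an added example (not code from the original page or from Microsoft) that refangs the bracketed domains the page uses, resolves the true host of a link so that userinfo tricks such as login.microsoftonline.com@evil-domain are not fooled, and accepts only the genuine Microsoft hosts or their subdomains. The sample email, its sender address, and the urgency and greeting patterns are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Genuine Microsoft sign-in and account hosts named on the page.
LEGIT_HOSTS = {"login.microsoftonline.com", "myaccount.microsoft.com", "mysignins.microsoft.com"}
# Registrable domains genuine Microsoft account mail comes from.
LEGIT_SENDER_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com"}
# Brand words whose presence in a non-Microsoft host marks a lookalike.
BRAND_WORDS = ("microsoft", "microsoftonline", "office365", "o365")

URGENCY = re.compile(r"\b(within \d+ hours?|will be suspended|expire[sd]?|immediately)\b", re.I)
GENERIC_GREETING = re.compile(r"^dear (microsoft|valued|office 365) (user|customer)", re.I | re.M)


def refang(text: str) -> str:
    """Undo report-style defanging: 'example[.]xyz' -> 'example.xyz', 'hxxps' -> 'https'."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.I)


def host_matches(host: str, allowed: str) -> bool:
    """True only if host is the allowed domain itself or a subdomain of it."""
    return host == allowed or host.endswith("." + allowed)


def classify_link(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sign-in link."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()  # hostname drops userinfo and port
    if not host:
        return "unrelated"
    if any(host_matches(host, h) for h in LEGIT_HOSTS):
        return "legitimate"
    if any(w in host for w in BRAND_WORDS):
        return "lookalike"
    return "unrelated"


def sender_is_microsoft(address: str) -> bool:
    """Check the domain of the actual From address, including 'Name <user@domain>' forms."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    return any(host_matches(domain, d) for d in LEGIT_SENDER_DOMAINS)


def red_flags(sender: str, subject: str, body: str, links: list[str]) -> list[str]:
    """Apply the page's red-flag list to one message and return the flags raised."""
    flags = []
    if not sender_is_microsoft(sender):
        flags.append(f"sender domain is not Microsoft: {sender}")
    for link in links:
        verdict = classify_link(link)
        if verdict != "legitimate":
            flags.append(f"{verdict} sign-in link: {link}")
    if URGENCY.search(subject + " " + body):
        flags.append("urgency or suspension language")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting instead of full name")
    return flags


# Constructed sample message for this example.
SAMPLE_EMAIL = {
    "sender": "Microsoft 365 Security <no-reply@office365-login.co>",
    "subject": "Action required: reset your password within 48 hours",
    "body": "Dear Microsoft User,\nUnusual sign-in activity was detected. "
            "Reset now or your account will be suspended.",
    "links": [
        "hxxps://microsoftonline-secure[.]xyz/reset",
        "https://login.microsoftonline.com@office365-login.co/",
    ],
}

if __name__ == "__main__":
    for flag in red_flags(**SAMPLE_EMAIL):
        print("-", flag)
```

Note that the second sample link starts with the genuine host name; a check that only looks at the beginning of the URL would pass it, whereas parsing the hostname reveals office365-login.co as the real destination.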
How to protect yourself
- Go directly to login.microsoftonline.com or myaccount.microsoft.com — never via a link in email
- Enrol in Microsoft's phishing-resistant MFA: use the Microsoft Authenticator app or a FIDO2 security key rather than SMS codes
- Enable Microsoft Defender for Office 365's Safe Links feature if your organisation uses it — it rewrites URLs and checks them at click time
- Check your Microsoft Account's recent sign-in activity at mysignins.microsoft.com regularly
- If you suspect compromise, revoke active sessions immediately in myaccount.microsoft.com > Security > Sign-in activity
- Report the phishing attempt to your IT or security team so they can block the sender domain organisation-wide
How to report it
- Use the 'Report phishing' button in Outlook to send the email to Microsoft automatically
- Forward the message to [email protected]
- Report to the Anti-Phishing Working Group at [email protected]
- File a report with the FTC at reportfraud.ftc.gov (US) or with Action Fraud at actionfraud.police.uk (UK)
Frequently asked questions
Can phishing bypass Microsoft's two-factor authentication?
Standard SMS or app-based two-factor authentication can be bypassed by adversary-in-the-middle phishing kits that relay credentials to the real site in real time. Phishing-resistant methods like FIDO2 hardware keys or passkeys cannot be relayed because they are cryptographically bound to the real domain.
How do I check whether my Microsoft account was accessed without my knowledge?
Sign in to myaccount.microsoft.com, then go to Security > Sign-in activity. You will see a log of recent logins including device type, location, and time. Flag anything you do not recognise and change your password immediately.
My company uses Microsoft 365. Should I tell my IT team even if I only clicked the link but did not enter my password?
Yes. Even clicking a phishing link can be significant — some AiTM kits can steal session cookies without requiring a password entry. Alert your IT or security team immediately so they can investigate and take protective action.