Fake Microsoft Unusual Sign-In Alert Account Takeover
Scammers replicate Microsoft's genuine unusual-sign-in alert emails to direct recipients to a fake login page that captures credentials and live MFA codes for immediate account takeover.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Microsoft's genuine account security system sends alerts when a sign-in is detected from a new device, unfamiliar location, or unusual pattern. These alerts are a real security feature that millions of users have encountered. Scammers exploit familiarity with this format by creating convincing replicas.
The fake alert describes a specific-sounding sign-in event: a device type, an operating system, and a location that sounds unfamiliar. This specificity makes the alert feel genuine and important. The recipient, believing their account is under active attack, is primed to act immediately.
Adversary-in-the-middle phishing kits can relay the attack in real time — capturing the password and live MFA code and using them to create an authenticated session for the attacker while the victim is still on the phishing page.
How this scam works on the Microsoft brand
Microsoft's real unusual-sign-in alert comes from [email protected] and directs users to mysignins.microsoft.com to review and approve or deny the sign-in. Crucially, the legitimate email does not take you to a password entry page — it links to your already-authenticated account sign-in activity view.
Fake alerts replicate this format closely with a convincing device description and a plausible foreign location. The 'Review Activity' button links to a phishing page at a domain such as account-microsoft-security[.]com. After entering credentials, the fake page presents a multi-factor authentication prompt in real time, relaying the exchange to the actual Microsoft login portal.
Once the attacker has an authenticated Microsoft session, they may add a new recovery email, configure a persistent OAuth app, or set up inbox rules to hide their activity — all before the victim realises the sign-in alert was fraudulent.
Common red flags
- Security alert sender is not [email protected]
- 'Review Activity' button leads to a domain other than mysignins.microsoft.com
- The page asks you to re-enter your Microsoft password rather than linking to your already-signed-in account view
- After you enter your credentials, you are immediately asked for an MFA code — a sign that the page is relaying your login to Microsoft in real time
- Hovering over links shows 'microsoft' as part of a non-microsoft.com domain
- No corresponding sign-in event appears at mysignins.microsoft.com when you check directly
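Two of the red flags above come down to one question: does the link actually point at microsoft.com, or at a domain that merely contains the word 'microsoft'? The check below is an added example, not part of the original page or any Microsoft tool; the function names and the sample link list are constructed for illustration. It uses suffix matching rather than a substring test, so a lookalike such as account-microsoft-security[.]com (the defanged domain named above) is flagged, and it reads the hostname with Python's URL parser so a userinfo trick like `https://mysignins.microsoft.com@evil.example/` resolves to the real host.

```python
from urllib.parse import urlparse

# The only destination the genuine alert's 'Review Activity' link should use.
EXPECTED_HOST = "mysignins.microsoft.com"
# A host is Microsoft's only if it IS microsoft.com or a true subdomain of it.
LEGIT_SUFFIXES = ("microsoft.com",)


def host_of(url: str) -> str:
    """Lowercased hostname of a (possibly defanged) URL, '' if it has none.
    urlparse().hostname strips userinfo, so the part before '@' is ignored."""
    url = url.replace("[.]", ".").replace("hxxp", "http")  # refang IoC-style text
    return (urlparse(url).hostname or "").rstrip(".").lower()


def is_microsoft_host(host: str) -> bool:
    """Suffix match: 'login.microsoft.com' passes, 'microsoft.com.evil.example' does not."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def classify_link(url: str) -> str:
    """Label one link the way the red-flag list above asks you to judge it."""
    host = host_of(url)
    if not host:
        return "no-host"
    if host == EXPECTED_HOST:
        return "expected"      # where the real alert sends you
    if is_microsoft_host(host):
        return "microsoft"     # genuine Microsoft, but not the sign-in activity page
    if "microsoft" in host:
        return "lookalike"     # brand name used as bait inside a non-microsoft.com domain
    return "other"


def audit_links(links):
    """Map every link found in an alert email to its classification."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    # Constructed sample: links as they might be extracted from a suspicious alert.
    sample = [
        "https://mysignins.microsoft.com/",
        "https://account-microsoft-security[.]com/review",
        "https://mysignins.microsoft.com@evil.example/",
        "https://microsoft.com.evil.example/login",
    ]
    for url, label in audit_links(sample).items():
        print(f"{label:10} {url}")
```

Anything labelled 'lookalike' or 'other' is a link you should not follow; open mysignins.microsoft.com yourself instead.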
How to protect yourself
- Go directly to mysignins.microsoft.com in a new browser window rather than using email links
- Use phishing-resistant MFA such as FIDO2 hardware keys — these cannot be relayed by AiTM attacks
- Enable Microsoft Defender for Office 365 Safe Links to scan email URLs at click time
- Set up Conditional Access policies requiring compliant devices for Microsoft 365 sign-ins
- Revoke all active sessions at myaccount.microsoft.com/security if you believe your account was accessed
How to report it
- Use Outlook's 'Report phishing' button to send the email to Microsoft automatically
- Forward the email to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
- If a work Microsoft 365 account was compromised, inform your IT security team immediately
Frequently asked questions
How does Microsoft's real unusual-sign-in alert work?
Microsoft sends a genuine alert from [email protected] when it detects a suspicious sign-in. The email links to mysignins.microsoft.com where you can see your sign-in history and confirm or deny activity. The alert does not require you to re-enter your password.
What is an adversary-in-the-middle (AiTM) phishing attack?
An AiTM attack uses a phishing page that relays your credentials and MFA code to the genuine Microsoft server in real time, logging in on your behalf and capturing your authenticated session cookie. This bypasses standard MFA without needing to know your code in advance.
If an attacker has my Microsoft session token, is changing my password enough?
Changing your password invalidates the password but may not revoke existing sessions. Also sign out of all sessions at myaccount.microsoft.com/security > Sign-in activity, and review new OAuth applications or email forwarding rules that may have been added during the attacker's session.