Deepfake Voice Microsoft IT Helpdesk Credential Scam
Criminals use AI-synthesised voices to impersonate Microsoft IT helpdesk staff, calling employees to resolve a fabricated account or security issue and extracting Microsoft 365 credentials or multi-factor authentication codes during the call.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 8 June 2026
Many organisations rely on Microsoft Azure Active Directory and Microsoft 365 for identity management, and employees regularly interact with internal IT helpdesks that manage these accounts. An AI-generated voice calling from a spoofed internal extension or an apparent Microsoft support number can be extremely convincing in this context.
The attack typically targets employees of mid-to-large organisations whose IT team structures are known or guessable. The AI voice adopts the cadence of a professional IT support interaction, references the employee's Microsoft account email, and describes a plausible issue — a conditional access policy violation, an MFA re-enrolment requirement, or a licence assignment problem.
The call ends with a request for the employee to confirm a code that was 'just sent to your phone' or to provide their current password 'for our records during the migration'. Both requests harvest credentials that give the attacker access to the organisation's Microsoft 365 environment.
How this scam works on the Microsoft brand
Microsoft's own IT support processes for enterprise customers follow documented procedures through the Microsoft admin portal. Legitimate internal IT helpdesks use ticketing systems and do not request current passwords over the phone — they reset passwords if needed through approved tooling.
The deepfake call references Microsoft-specific details: the employee's email domain, the organisation's Azure tenant name (sometimes discoverable from public Microsoft documentation), and the specific Microsoft product the fabricated issue relates to. This specificity, combined with the AI voice's professional delivery, bypasses the usual suspicion that an unsolicited technical call generates.
If the employee provides an MFA code, the attacker uses it in a real-time phishing relay to complete a login to the Microsoft 365 tenant. They then move laterally through SharePoint, email, and Teams to achieve their objective — whether data exfiltration, financial fraud, or ransomware deployment.
Common red flags
- An unexpected call from 'Microsoft IT' or 'your company's helpdesk' references a security issue you were not aware of.
- The voice sounds professional but has slight rhythm irregularities or unnatural pauses.
- The caller asks for your current Microsoft 365 password — legitimate IT staff reset passwords rather than asking for them.
- You are asked to provide a code that just arrived on your phone 'for account verification' — this is a real-time MFA intercept attempt.
- The caller ID shows an internal extension number you cannot verify independently.
- The request bypasses your normal IT ticketing system — you are asked to act immediately without logging a ticket.
How to protect yourself
- Establish a clear policy in your organisation: IT staff do not ask for current passwords or MFA codes over the phone.
- Verify any unsolicited helpdesk call by hanging up and calling back through your organisation's official IT support number.
- Use phishing-resistant MFA such as hardware FIDO2 keys for Microsoft 365 accounts — these cannot be relayed in real time.
- Enable Microsoft Entra ID's Conditional Access and risky sign-in detection to flag unusual login behaviour.
- Never provide a multi-factor authentication code to an inbound caller, regardless of how legitimate the context sounds.
- Report the call to your internal IT security team so they can assess whether other employees have been targeted.
How to report it
- Report the scam call to your internal security team and to Microsoft at microsoft.com/en-us/security.
- Report phishing emails related to the call to [email protected].
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If credentials were provided and the account was compromised, follow your organisation's incident response procedure and engage Microsoft Support at support.microsoft.com.
Frequently asked questions
Why would IT helpdesk staff ever need my current password?
They would not. Legitimate IT staff reset passwords through administrative tools — they never need to know your current password. Any caller claiming to need your current password for any reason should be treated as a social engineering attempt.
Can an AI voice imitate a specific person I know from my IT team?
With sufficient audio samples, AI voice cloning can imitate a specific person convincingly. However, attackers usually use generic professional-sounding voices rather than cloning a specific individual, relying on the context (official call, Microsoft branding) to create trust.
What is a real-time MFA intercept and how does it work?
In a real-time relay, the attacker triggers a real Microsoft login attempt using your username and password while you are on the call. Microsoft sends you an MFA code. The attacker asks you to read it out 'for verification'. They immediately enter it on the real Microsoft login page, completing the login before the code expires.
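A real-time relay leaves a trace: the login that consumes the code comes from the attacker's machine, not the employee's usual one. The sketch below is an added example, not part of the original page or any Microsoft tooling; the record fields, the 30-day baseline and the list of relayable methods are assumptions, and the sample sign-ins are constructed.

```python
from datetime import datetime, timedelta

# Assumed set of MFA methods whose code a caller can talk a user into reading out.
RELAYABLE = {"sms", "voice", "totp"}
WINDOW = timedelta(days=30)  # assumed look-back for the per-user baseline

# Constructed sample records; field names are simplified assumptions,
# not the Entra ID sign-in log schema.
FIELDS = ("time", "user", "ip", "country", "device", "mfa", "ok")
ROWS = [
    ("2026-05-04T09:02:00", "a.lee@example.com", "198.51.100.10", "GB", "dev-1", "totp", True),
    ("2026-05-05T08:55:00", "a.lee@example.com", "198.51.100.10", "GB", "dev-1", "totp", True),
    ("2026-05-06T10:00:00", "b.khan@example.com", "198.51.100.20", "GB", "dev-2", "fido2", True),
    ("2026-05-06T14:31:00", "a.lee@example.com", "203.0.113.77", "NL", "dev-x", "sms", True),
    ("2026-05-07T09:00:00", "a.lee@example.com", "198.51.100.10", "GB", "dev-1", "totp", True),
    ("2026-05-07T10:05:00", "b.khan@example.com", "203.0.113.80", "US", "dev-9", "fido2", True),
    ("2026-05-07T11:00:00", "c.roy@example.com", "203.0.113.90", "GB", "dev-5", "sms", True),
]
SAMPLE_SIGNINS = [dict(zip(FIELDS, row)) for row in ROWS]


def flag_relay_candidates(signins, window=WINDOW):
    """Return successful relayable-MFA sign-ins from an IP and device
    that the user has not used within the baseline window."""
    history = {}  # user -> accepted (time, ip, country, device) tuples
    flagged = []
    for rec in sorted(signins, key=lambda r: r["time"]):
        if not rec["ok"]:
            continue  # failed attempts never completed MFA
        when = datetime.fromisoformat(rec["time"])
        past = [h for h in history.get(rec["user"], []) if when - h[0] <= window]
        new_ip = rec["ip"] not in {h[1] for h in past}
        new_device = rec["device"] not in {h[3] for h in past}
        # No baseline means nothing to compare against, so first sign-ins pass.
        if past and rec["mfa"] in RELAYABLE and new_ip and new_device:
            reasons = ["new_ip", "new_device"]
            if rec["country"] not in {h[2] for h in past}:
                reasons.append("new_country")
            flagged.append({"user": rec["user"], "time": rec["time"],
                            "ip": rec["ip"], "mfa": rec["mfa"], "reasons": reasons})
            continue  # keep unreviewed sign-ins out of the baseline
        history.setdefault(rec["user"], []).append(
            (when, rec["ip"], rec["country"], rec["device"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_relay_candidates(SAMPLE_SIGNINS):
        print(hit)
```

A flagged sign-in is a prompt to call the employee back through the official helpdesk number and ask whether they read a code to anyone; the FIDO2 sign-in from a new location is not flagged because that method cannot be relayed.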