Fake Microsoft IT Helpdesk Credential Scam
Scammers pose as corporate IT helpdesks running on Microsoft 365, sending phishing emails or Teams messages that instruct employees to 're-verify' their credentials through a fake portal before a supposed account migration or security audit.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 8 June 2026
Many organisations use Microsoft 365 for email and internal communications, and employees are accustomed to receiving IT announcements via email or Microsoft Teams. Genuine IT helpdesk requests never come from personal or external domains, and neither your IT department nor Microsoft asks employees to enter their full password on an external page.
Attackers study a target company's branding and IT communication style — sometimes gleaned from LinkedIn or public job postings — and send messages that are nearly indistinguishable from internal IT notices. The objective is to collect valid Active Directory or Azure AD credentials that can be used to access the corporate network.
These attacks are particularly dangerous because a single set of corporate credentials can unlock email, SharePoint, financial systems, HR portals, and VPN access.
How this scam works on the Microsoft brand
An employee receives a Teams message or email from what appears to be the company's IT helpdesk, stating that all Microsoft 365 accounts must complete a mandatory security verification before an upcoming system migration on a specific date. A blue 'Verify My Account' button links to a page styled to match the company's intranet or Microsoft's own sign-in flow.
The page harvests the employee's username, password, and often the current MFA token via a reverse-proxy tool such as Evilginx or Modlishka, allowing the attacker to complete authentication in real time and gain access before the victim notices.
In smaller organisations the attacker may call the victim directly, impersonating an IT contractor, to walk them through the 'verification' process — a vishing technique that significantly increases the success rate of the credential theft.
Common red flags
- The IT notice arrives from an external email address or a Teams account not in the company directory.
- You are asked to enter your full password on any website — corporate IT resets passwords rather than asking you to confirm the existing one.
- The verification page URL is not the company's own domain or login.microsoftonline.com.
- The notice uses vague urgency ('Your account will be suspended in 24 hours') rather than a scheduled maintenance window communicated through official channels.
- An unsolicited caller claims to be IT support and asks for your password or MFA code.
- The Microsoft Teams message comes from an account with a profile picture but no prior message history with you.
How to protect yourself
- Verify any IT security request by calling the helpdesk on a number from your company's internal directory — not one provided in the message.
- Never enter your corporate password on any page other than your company's official single-sign-on portal or login.microsoftonline.com.
- Register a hardware security key (FIDO2) as your MFA method, which resists real-time phishing relay attacks.
- Report the suspicious message to your actual IT security team before taking any action.
- If you submitted credentials, notify IT immediately so they can force a password reset and review the audit logs.
How to report it
- Report internally to your IT security or SOC team immediately.
- Forward the phishing email to [email protected] and report the URL to Microsoft.
- US organisations can report to CISA at cisa.gov/report.
- UK organisations can report to the NCSC at ncsc.gov.uk/section/about-this-website/report-scam-website.
Frequently asked questions
Will my company's IT team ever ask for my password?
Legitimate IT administrators never need your password — they have administrative tools to manage accounts without it. Any request for your password, even from apparent colleagues, is a red flag.
What is a real-time phishing relay attack?
The attacker's fake login page acts as a man-in-the-middle: it forwards your credentials to the real Microsoft login page in real time, including your MFA code, completing sign-in before you realise anything is wrong. This bypasses standard one-time-password MFA.
How does a hardware security key stop these attacks?
FIDO2 security keys cryptographically bind authentication to the specific domain you are visiting. A relay attack that sends your response to a different domain cannot use it, so the attacker's login attempt fails even if they have your password.
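The relay attack from the previous answer and the origin binding described here, shown as an added example (not code from this page or from Microsoft): a simplified model of a WebAuthn assertion in which the browser writes the page's origin into clientDataJSON, the key signs over it, and the relying party rejects any signature whose origin is not its own. The domains, challenge and key are constructed; real verification also checks the rpIdHash, flags and signature counter, and a real browser would refuse to use a credential scoped to the company's rpID from the lookalike domain in the first place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// toBeSigned is what a FIDO2 key signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func toBeSigned(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// signAssertion models browser plus security key: the browser, not the user, writes the
// origin of the page that asked for the assertion into clientDataJSON, and the key signs it.
func signAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdj, sig []byte) {
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || counter
	sig, _ = ecdsa.SignASN1(rand.Reader, key, toBeSigned(authData, cdj))
	return authData, cdj, sig
}

// verifyAssertion is the relying-party (RP) side: the challenge it issued and its own origin
// must be inside the signed client data, and the signature must verify under the enrolled key.
func verifyAssertion(pub *ecdsa.PublicKey, wantOrigin, wantChal string, authData, cdj, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != wantChal ||
		cd["origin"] != wantOrigin { // relayed assertion: the browser recorded the lookalike origin
		return false
	}
	return ecdsa.VerifyASN1(pub, toBeSigned(authData, cdj), sig)
}

// RelayDemo returns (direct login ok, relayed login ok). Constructed scenario: the proxy forwards
// the RP's exact challenge and signed bytes, but the victim's browser was on the lookalike domain.
func RelayDemo() (direct, relayed bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the user's enrolled security key
	const rpID, origin, chal = "corp.example", "https://sso.corp.example", "cmFuZG9tLWNoYWxsZW5nZQ"
	ad, cdj, sig := signAssertion(key, rpID, origin, chal)
	direct = verifyAssertion(&key.PublicKey, origin, chal, ad, cdj, sig)
	ad, cdj, sig = signAssertion(key, rpID, "https://sso-corp-verify.example", chal) // victim on lookalike
	relayed = verifyAssertion(&key.PublicKey, origin, chal, ad, cdj, sig)
	return direct, relayed
}
```

The same bytes that pass when the user is on the real portal fail when produced on the lookalike domain, which is exactly why a password plus a one-time code can be relayed but a FIDO2 assertion cannot.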