Fake Microsoft Teams Notification Phishing
Fraudulent emails styled as Microsoft Teams message alerts direct recipients to a fake Teams sign-in page that captures Microsoft 365 credentials, often as the first step in a targeted business email compromise attack.
Part of: Phishing
Last reviewed: 7 June 2026
Microsoft Teams became central to workplace communication for millions of organisations after a rapid adoption surge, and the Teams notification email is now one of the most common corporate email formats. Because employees expect these notifications and are conditioned to act on them quickly, they are a prime vehicle for phishing campaigns targeting corporate credentials.
A fake Teams notification often claims a colleague has sent an urgent message or shared a file that requires immediate attention. The professional context — a named colleague, a project-sounding file name — makes the lure highly targeted and effective. These campaigns can be broad and untargeted, or precisely crafted using information scraped from a target company's LinkedIn profile.
Successful credential theft through a Teams phish gives attackers access to the victim's entire Microsoft 365 environment, enabling business email compromise, data theft, and lateral movement through the organisation.
How this scam works on the Microsoft brand
Genuine Microsoft Teams notification emails are sent from [email protected] and link to teams.microsoft.com or the organisation's specific teams URL. The 'Open Microsoft Teams' button in a real notification launches the Teams application already authenticated, not a separate sign-in page.
Fake Teams notifications are often sent from spoofed addresses or domains that include 'microsoft' or 'teams' but are not microsoft.com. The email body replicates Teams' visual style: the Teams logo, the message preview, the sender's display name and initials. The 'Reply in Teams' button links to a phishing page styled as a Microsoft sign-in form.
Some sophisticated versions use HTML attachments that open a local 'Microsoft login' page in the browser, bypassing email URL scanning tools. Others take advantage of real Microsoft infrastructure — such as SharePoint or Microsoft Forms — to host a credential-harvesting page that passes initial domain checks because it is technically a microsoft.com URL.
Common red flags
- The Teams notification email sender is not [email protected]
- The 'Open in Teams' button leads to a login page rather than opening the Teams app directly
- The sign-in URL is not teams.microsoft.com or login.microsoftonline.com
- The message preview refers to an urgent or sensitive matter designed to provoke immediate action
- The notification claims to be from a known colleague but your IT team has not communicated any Teams incident
- An HTML attachment opens a 'Microsoft login' page in your browser
How to protect yourself
- Open Microsoft Teams directly from the desktop app or teams.microsoft.com rather than following links in notification emails
- Enable Microsoft Defender for Office 365 Safe Links to scan URLs in emails before they are clicked
- Use phishing-resistant MFA (FIDO2 keys or Windows Hello) for Microsoft 365 accounts
- Enable Microsoft's Conditional Access policies to block sign-ins from unmanaged or unfamiliar devices
- Report suspicious emails to your IT security team immediately using the 'Report phishing' button in Outlook
How to report it
- Use the 'Report phishing' option in Outlook to submit the email to Microsoft automatically
- Forward to [email protected]
- Report to your organisation's IT security team so they can investigate and block the sender domain
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
Frequently asked questions
Why does clicking a real Teams notification not require me to sign in?
Real Microsoft Teams notification emails link to the Teams application using a protocol handler, or to teams.microsoft.com where your session is already authenticated via your Microsoft 365 login. If clicking a Teams notification takes you to a sign-in form, this is a red flag that the link is not pointing to the real Microsoft Teams.
Can phishers create a page on a microsoft.com domain?
Attackers can create free-tier accounts on Microsoft services like SharePoint Online, Microsoft Forms, or Azure Static Web Apps and host phishing content on those subdomains. These URLs pass basic domain checks because they technically end in microsoft.com. This is why inspecting the full URL and being suspicious of any page asking for credentials is important.
My organisation received a Teams phishing email targeting multiple employees. What should we do?
Alert your IT security team immediately. They should block the sending domain, investigate whether anyone entered credentials, and check Microsoft 365 sign-in logs for any suspicious access. If credentials were entered, revoke all active sessions for affected accounts and require a password reset.