Microsoft Scam Emails
Detect fake Microsoft 365, Outlook, OneDrive and Teams alerts — spot fake locked-account warnings, login attempts and billing notices.
Last reviewed: 9 May 2026 · ScamSupport research
How to Spot Microsoft Scam Emails
Microsoft is one of the most-impersonated brands in business email phishing. The high-volume targets are Microsoft 365 / Outlook account holders (consumer and SMB), with secondary targeting of OneDrive, Teams, and Microsoft Authenticator users. Microsoft Defender threat-intelligence data over multiple years has consistently shown Microsoft impersonation in the top three phishing brands worldwide.
Real Microsoft email rules
- Sender domain. Real Microsoft emails come from Microsoft-owned domains: @microsoft.com, @accountprotection.microsoft.com, @email.microsoft.com, @email.microsoftonline.com, and a small number of others. Anything else is fake.
- Greeting. Real Microsoft addresses you by your registered display name, not "Dear User" or "Dear Customer".
- Action links. Real Microsoft account-related links go to subdomains of microsoft.com, microsoftonline.com, or live.com. Anything pointing to microsoft-secure.help, ms-login-verify.com, or similar is fake.
- Verification flow. Real account verification always works by logging in to your Microsoft account at account.microsoft.com and following prompts inside the account — never by following a link from an email to a separate "verification page".
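The sender-domain, link-destination and greeting rules above can be applied mechanically. The following script is an added example, not code from the ScamSupport page: it takes the trusted domain lists from the rules above, pulls the address out of a From: header, extracts every link from the body, and reports which rules the email breaks. The sample email is constructed for the demonstration; ms-login-verify.com is the page's own example of a fake domain, and the microsoft.com. prefix in front of it is constructed to show why a substring check on "microsoft.com" is not enough.

```python
"""Added example, not code from the ScamSupport page: apply the page's
sender-domain, link-destination and greeting rules to one email and report
which rules it breaks.  The trusted domain lists are taken from the page;
the sample email below is constructed for the demonstration."""
import re
from urllib.parse import urlparse

# Sender domains the page lists as Microsoft-owned (exact match: the page
# names specific domains rather than everything under microsoft.com).
TRUSTED_SENDER_DOMAINS = {
    "microsoft.com",
    "accountprotection.microsoft.com",
    "email.microsoft.com",
    "email.microsoftonline.com",
}

# Link destinations the page allows, including any subdomain of these.
TRUSTED_LINK_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"\bdear (user|customer)\b", re.IGNORECASE)


def host_under(host, trusted):
    """True if host is exactly a trusted domain or a subdomain of one.

    A substring test would be wrong: 'microsoft.com.ms-login-verify.com'
    contains 'microsoft.com' but is registered under ms-login-verify.com.
    Matching whole labels (host == d, or host ends with '.' + d) avoids that.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_address(from_header):
    """Return the bare address from a From: header, ignoring the display name,
    which the sender controls and can set to 'Microsoft Account Team' at will."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()


def sender_is_trusted(from_header):
    """Exact match of the part after '@' against the page's sender list."""
    addr = sender_address(from_header)
    if addr.count("@") != 1:
        return False
    return addr.rsplit("@", 1)[1] in TRUSTED_SENDER_DOMAINS


def suspicious_links(body):
    """Return every URL in the body whose host is outside the trusted link domains."""
    bad = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_under(host, TRUSTED_LINK_DOMAINS):
            bad.append(url)
    return bad


def assess(from_header, body):
    """Apply the page's rules and return a list of human-readable findings.
    An empty list means no rule fired; it does not prove the mail is genuine,
    because the From: header itself can be forged."""
    findings = []
    if not sender_is_trusted(from_header):
        findings.append(f"sender domain is not Microsoft-owned: {sender_address(from_header)}")
    for url in suspicious_links(body):
        findings.append(f"link leaves Microsoft domains: {url}")
    if GENERIC_GREETING_RE.search(body):
        findings.append("generic greeting instead of your registered display name")
    return findings


# Constructed sample modelled on pattern 1 (unfamiliar sign-in alert).
# ms-login-verify.com is the page's own example; the microsoft.com. prefix
# in front of it is constructed to exercise the subdomain check.
SAMPLE_FROM = '"Microsoft Account Team" <security@ms-login-verify.com>'
SAMPLE_BODY = """Dear User,
We detected an unusual sign-in to your account from Manchester, UK.
Verify your identity now: https://microsoft.com.ms-login-verify.com/verify
You can also review activity at https://account.microsoft.com/security
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_FROM, SAMPLE_BODY):
        print("FLAG:", finding)
```

Run on the sample, it flags the sender domain, the lookalike link and the generic greeting, while leaving the genuine account.microsoft.com link alone. Treat the result as one-directional: any finding is reason to apply the verification rule and log in at account.microsoft.com directly, but an empty result only means these three rules did not fire, since a From: address can be forged and mail clients rely on authentication results the raw header does not carry.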
The Five Microsoft Scam Patterns
1. The "your account has been compromised" alert
Email warns of a sign-in from an unfamiliar location (often referencing a real city for plausibility) and asks you to "verify your identity to secure the account". The link goes to a fake login page that captures your credentials. Once captured, the attacker has access to your email, OneDrive, and any linked services.
2. The fake billing failure
Email claims your Microsoft 365 subscription payment failed and your services will be suspended in 24 hours unless you "update payment method now". The fake update page captures full card details. Real billing-failure notifications direct you to log in to account.microsoft.com to update payment, where you authenticate normally.
3. The fake Teams or OneDrive share notification
Email pretends a colleague has shared a Teams document or OneDrive file with you and asks you to "click to view". The "view" link harvests your Microsoft 365 password — or worse, includes a malicious OAuth consent prompt that grants the attacker persistent access to your account even after you change your password.
4. The fake security-code request
Phone or email asks you to read out a "security code Microsoft just sent to verify your account". The code is a real 2FA code — the attacker has triggered a password reset on your account and is asking you to approve it. Microsoft never asks for security codes by phone or email; the codes are for you to enter on the legitimate Microsoft site only.
5. The fake tech-support call
A cold call (or a pop-up that displays a call-back number) claims to be Microsoft support warning of a virus on your computer. The "support technician" walks you through installing remote-access software (TeamViewer, AnyDesk, Quick Assist) and then either steals data or extorts payment to "fix" the non-existent virus. Microsoft does not cold-call users about computer problems — ever.
The Microsoft Verification Rule
The single rule that defeats every Microsoft scam: never click a link in a Microsoft-branded email or follow instructions from a Microsoft-branded phone call. Instead, type account.microsoft.com into your browser yourself and log in. Real account alerts, billing issues, and security warnings will be visible there. If nothing matches the email or call, the contact is fraudulent.
What to Do With a Suspected Microsoft Scam
- Don't click any link. Don't call any number from the message. Don't install any software the "support technician" recommends.
- Forward suspicious emails to phish@office365.microsoft.com — Microsoft's dedicated phishing reporting address. The Defender threat-intelligence team uses these reports to take down impersonating infrastructure.
- In Outlook, use the built-in "Report" button (Report → Phishing). This reports directly to Microsoft and helps protect other Outlook users.
- Forward to report@phishing.gov.uk as well — NCSC's Suspicious Email Reporting Service.
- Block the sender in your email client.
- Verify your account state by logging in directly at account.microsoft.com.
If You Clicked the Link or Entered Credentials
- Change your Microsoft password immediately via account.microsoft.com (not via any link in the suspect email).
- Enable two-step verification if you haven't already — ideally via the Microsoft Authenticator app rather than SMS.
- Review active sessions and connected devices at account.microsoft.com → Security → Sign-in activity. Sign out of any device you don't recognise.
- Review OAuth-connected apps at account.microsoft.com → Privacy → Apps and services. Remove any app you don't recognise — this is critical because malicious OAuth grants survive password changes.
- If you installed remote-access software, uninstall it immediately, run a full antivirus scan, and consider professional malware-removal help if your device handles sensitive data.
- If banking details were exposed, call your bank's fraud line. Change passwords on any other account that uses the same password as your Microsoft account.
- File a Report Fraud complaint at reportfraud.police.uk if money was lost or significant data was compromised.
Additional Resources
- Report Fraud - Report scams to UK authorities
- NCSC Phishing Advice - UK Cyber Security Centre
- ScamWise - Government scam awareness
- Which? Scams - Consumer scam alerts
Protect Your Data with VPN
Use NordVPN to encrypt your connection when accessing sensitive accounts online, protecting your data from interception.
Affiliate disclosure: as a NordVPN partner, ScamSupport may earn a commission if you sign up via this link — this doesn't change our recommendation or the price you pay. Full affiliate policy →