
Protect Your Business: How to Defend Against Microsoft Brand Phishing Attacks

Microsoft is the most impersonated brand in phishing attacks worldwide, accounting for over 30% of all brand phishing attempts. The reason is simple: nearly every business uses Microsoft 365, so a fake Microsoft email has a high probability of reaching someone who actually has a Microsoft account.

What These Attacks Look Like

The emails are convincing. They use Microsoft’s logo, color scheme, and formatting. Common pretexts include password expiration warnings, shared document notifications from OneDrive or SharePoint, voicemail transcripts, and security alerts about suspicious sign-in activity.

The landing pages are even more convincing. Attackers clone the Microsoft 365 login page pixel by pixel. When an employee enters their credentials, the attacker captures them in real time and uses them to log into the actual Microsoft 365 account, often within minutes.

Why MFA Alone Isn’t Enough Anymore

Multi-factor authentication stops most automated credential attacks, but sophisticated phishing now bypasses it. Adversary-in-the-middle (AiTM) attacks use proxy servers that sit between the victim and the real Microsoft login page. The victim enters their credentials and MFA code, both of which pass through the attacker’s proxy to the real Microsoft site. The attacker captures the session token and gains full access.

This doesn’t mean MFA is useless. It still blocks the vast majority of attacks. But it means your defense strategy needs additional layers beyond just enabling MFA.

How to Spot a Fake Microsoft Email

Train your team to check these things before clicking any link in a Microsoft-themed email:

  • Sender address: Microsoft sends from domains like @microsoft.com and @accountprotection.microsoft.com. Anything else is fake.
  • Link destination: Hover over any link before clicking. The URL should go to microsoft.com, login.microsoftonline.com, or office.com. If it goes anywhere else, it’s phishing.
  • Urgency and threats: “Your account will be locked in 24 hours” is a pressure tactic. Microsoft doesn’t lock accounts for not clicking email links.
  • Generic greeting: “Dear User” or “Dear Customer” instead of your actual name is a red flag.

Protecting Your Business

Deploy advanced email filtering that specifically detects brand impersonation attempts. Microsoft Defender for Office 365 includes anti-phishing policies that catch many of these, but third-party solutions like Proofpoint or Mimecast add additional detection layers.

Consider phishing-resistant MFA methods like hardware security keys (FIDO2) or Windows Hello for Business. These methods resist AiTM proxy attacks because the credential is bound to the legitimate site’s domain: the authenticator signs a challenge only for the origin it was registered with, so a proxy serving the login page from a different domain cannot obtain a valid response to relay.

Most importantly, run regular phishing simulations. We send simulated Microsoft phishing emails to our clients’ employees monthly. The results consistently show that regular training reduces click rates from 30%+ down to under 5% within six months.
