Advanced phishing

Microsoft 365 email scams to watch out for

by Egress
Published on 25th Nov 2021

The latest statistics show that Microsoft 365 is gaining more users year on year. The MS365 software suite is used by over a million companies worldwide and counts 258 million paid seats globally. Microsoft VP Jeff Teper shared a Microsoft Teams update on his Twitter account in April this year, stating that the collaboration platform now has 145 million daily active users.

This kind of growth presents an opportunity for cybercriminals looking for a captive market of users to target. There are several Microsoft 365 scams out there you need to be aware of.

Could your business be a target? 

While all businesses could be a target for these types of scams, Microsoft's Detection and Response Team (DART) found that its consumer, financial, healthcare, and manufacturing sectors are targeted the most. Even if you're not in one of these sectors, it's crucial to understand how your business might be at risk and what you can do to protect its data.

It's getting easier for criminals to step into the digital world. Social engineering phishing kits can be purchased on the dark web, and the Crime-as-a-Service (CaaS) industry is ever-growing. Targeting widely used software and collaborative working platforms is an easy starting point for cybercriminals: the more users an attacker can reach, the more likely it is that someone will fall for a scam.

What scams are specifically targeting Microsoft 365 users?

The spoof 

Phishing emails that spoof legitimate service or update emails from Microsoft can be hard to spot – they are built to avoid traditional filters and have elaborate layers of trickery. Microsoft 365 branding heads the message, and links take you to what looks like the official login portal; perhaps you've been told to update your password or your account details.

This spoofed login portal will record your account credentials and send them directly to the hacker. You may not even realise what's happened as the fake portal may then send you onwards, seamlessly, to the legitimate site.

The voicemail

Another layer to these spoofs might be the system advisory phishing scam. A user might be told they've received a voicemail. The Microsoft logo feels reassuring, and the phone number given seems familiar — perhaps with a local area code. Clicking on the audio file to listen to the message is actually the malicious entry point for ransomware to sneak onto your computer. 

The administrator

While phishing is often random, employees responsible for an enterprise's Microsoft 365 account are particularly susceptible. System administrators are usually highly skilled in cybersecurity and confident in Microsoft's filters. However, sophisticated phishing emails can beat the filters and land in your MS365 administrator's inbox. Unless they can spot that it's not from a legitimate Microsoft sender, they may go on to action the contents of the email. A compromised admin account can then do a lot of damage in the hands of a cybercriminal.

The back door

Microsoft's researchers shared a worrying phishing trend in August this year targeting collaborative workers — the standard for many of us as we enter a hybrid-working age. SharePoint is Microsoft's web-based collaborative platform that fully integrates with Microsoft Office. Fake document links, many with enticing titles such as 'departmental salary index,' take users to a phishing page or login portal with MS365 branding. Using Microsoft's own cloud infrastructure to host these phishing pages is one of the smart workarounds criminals are using to evade detection at system gateway security points.

The subscription

Cybercriminals also target Microsoft 365's home users. Fraudulent phishing emails prompt users to upgrade or renew their subscriptions. The site the link leads them to appears to be legitimate since it features 365 or Microsoft in the domain name and has up-to-date Microsoft branding. By entering payment card details and MS365 account credentials, the victim is exposed to possible malware threats and financial theft.

The reply

Fast-paced industries that rely on employees to take prompt and decisive action are often targeted by familiarity phishing. When colleagues, customers, or suppliers are compromised, there's a chance you could be next. Using a frequent senders list for likely targets, a compromised account can automatically send emails to known contacts, often with a conversational subject header to mimic trust and intimacy. Another tactic is to create a subject that makes the email look like a reply to a thread. The inline content might be asking for an opinion on an attached document or a transfer of funds to a different account. 

When a time-sensitive deadline is thrown into the mix, it plays on basic human impulses, such as the desire to please others. Acting on these emails could open the user and business network up to malware, data loss, and theft.
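As an added example (not code from Egress or the original article), the following Python checker applies two of the heuristics described above: the domain-name trickery of the subscription scam (Microsoft branding in a host name that is not a Microsoft-operated domain) and the fake-reply trick of the reply scam (a "RE:" subject on a message that carries no threading headers). The allow-list of Microsoft domains and the three sample messages are constructed for the example; a real deployment would use a maintained domain list and proper public-suffix handling.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: a short stand-in for a maintained allow-list of Microsoft-operated domains.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "sharepoint.com"}
BRAND_WORDS = ("microsoft", "office365", "365", "sharepoint")

def registrable(host):
    """Last two labels of a host name (simplification: ignores multi-label TLDs such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def lookalike_domain(host):
    """Host carries Microsoft branding in its name but is not a Microsoft-operated domain."""
    h = host.lower()
    return any(w in h for w in BRAND_WORDS) and registrable(h) not in MICROSOFT_DOMAINS

def fake_reply(msg):
    """Subject is styled as a reply, yet the message has no In-Reply-To/References headers."""
    styled = re.match(r"^\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I) is not None
    return styled and not (msg.get("In-Reply-To") or msg.get("References"))

def analyse(raw):
    """Return a list of findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and lookalike_domain(m.group(1)):
        findings.append("lookalike sender domain: " + m.group(1))
    if fake_reply(msg):
        findings.append("reply-style subject without threading headers")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if lookalike_domain(host):
            findings.append("lookalike link host: " + host)
    return findings
# Constructed sample messages (not real phishing emails).
SUBSCRIPTION_SCAM = ("From: Microsoft Billing <billing@microsoft365-renewals.example>\n"
                     "Subject: Your Microsoft 365 subscription has expired\n\n"
                     "Renew now: http://office365-renew.example/pay\n")
FAKE_REPLY = ("From: Dana <dana@supplier.example>\nSubject: RE: invoice for approval\n\n"
              "Can you send the payment to the new account? Doc attached.\n")
LEGIT_REPLY = ("From: Dana <dana@supplier.example>\nSubject: Re: invoice for approval\n"
               "In-Reply-To: <abc@supplier.example>\n\n"
               "Thanks, see https://login.microsoftonline.com/ for the portal.\n")
if __name__ == "__main__":
    for name, raw in [("subscription", SUBSCRIPTION_SCAM), ("fake reply", FAKE_REPLY), ("legit", LEGIT_REPLY)]:
        print(name, analyse(raw))
```

Both checks are heuristics: a genuine sender with branding in a non-listed domain, or a legitimate reply from a client that strips threading headers, will be flagged, so findings should feed a review queue rather than block mail outright.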

By spoofing trusted enterprises, mimicking genuine correspondence, and using subtle inline text and domain-name trickery, phishing emails continue to become more sophisticated. While Microsoft 365 has built-in anti-phishing tools, it's wise to add another security layer to protect your business further. Between Egress Defend’s more advanced capabilities and Microsoft 365's native tools, you have a layered approach to email security that can stop even the most sophisticated Microsoft 365 scams.
What are phishing emails in Office 365?

These are emails designed to trick users into clicking on a malicious link, entering their details, or downloading a file, all of which can have serious consequences for a business network. These phishing emails usually target MS365 users' data and private information.

By appearing to come from trusted enterprises or known senders, often with urgent or enticing calls to action in the message, these emails can catch any of us out if they reach our inbox without intelligent email security in place.

What does Microsoft do with phishing emails?

Every phishing email reported to Microsoft is analysed. Any extracted data is then used to improve spam filtering technology continually. The more you report, the less likely it is for similar emails to appear in your folder. Reports can be sent via Outlook's 'report message' icon in the toolbar or by sending it as an attachment to

Are there Microsoft scams going on?

Yes, cybercrime is a round-the-clock enterprise. Microsoft's 2021 Digital Defense Report states that it blocked 32 billion email threats over the past 12 months.