I Got a Suspicious Email! - Phishing Awareness

Phishing emails are the number one way attackers break into Microsoft 365 accounts. They are designed to look legitimate — sometimes almost perfectly. This article teaches you how to spot them, what to do when you receive one, and what to do if you already clicked something.

 

🔴  The one rule: When in doubt, don't click. It costs nothing to report an email that turns out to be real. It costs everything to click a link that wasn't.

 

Part 1: How to Spot a Phishing Email

Phishing emails try to create urgency, fear, or curiosity to make you act before you think. Here are the most common red flags — most phishing emails contain more than one:

 

🚩  Urgency / pressure
    What to look for: Language designed to make you act fast without thinking - threats of account suspension, legal action, or missed deadlines
    Example: "Your account will be deleted in 24 hours if you don't verify now"

🚩  Sender address mismatch
    What to look for: The display name looks right but the actual email address is wrong or slightly off
    Example: Display: Microsoft Support - Actual: [email protected]

🚩  Suspicious links
    What to look for: The link text says one thing but the actual URL goes somewhere else. Hover (don't click) to see the real destination
    Example: Button says 'Sign in to Microsoft' but URL shows login.microsoft.com.phish.ru

🚩  Unexpected attachment
    What to look for: You weren't expecting a file, especially an .exe, .zip, .docm, or .xlsm
    Example: "Please review the attached invoice" from an unknown sender

🚩  Request for credentials
    What to look for: Any email asking you to confirm, verify, or re-enter your username and password
    Example: "Your session has expired. Enter your password to continue."

🚩  Generic greeting
    What to look for: Legitimate company emails use your name - phishing emails often don't
    Example: "Dear Valued Customer" or "Dear User" instead of your actual name

🚩  Poor spelling / grammar
    What to look for: Unusual phrasing, odd capitalization, or broken English - though sophisticated attacks are increasingly well-written
    Example: "We has detected unusual activitys on you account"

🚩  Spoofed internal sender
    What to look for: An email that appears to be from your CEO, manager, or IT team asking for unusual action
    Example: "Hi, this is Paul Porter! Can you buy $500 in gift cards urgently?"

💡  The hover trick: In Outlook, hover your mouse over any link without clicking it. The real destination URL will appear in a small popup or in the status bar at the bottom of the screen. If the URL looks unfamiliar, misspelled, or has an unusual domain extension (.ru, .xyz, .click), do not click it.

 

Part 2: Real-World Phishing Examples Targeting Microsoft 365 Users

These patterns are commonly used against Microsoft 365 users specifically - be especially alert to them:

 

The Fake Microsoft Sign-In Page

What it looks like:

An email claiming your Microsoft account needs verification, your password is about to expire, or your storage is full. The link takes you to a page that looks exactly like the Microsoft sign-in page - but it's a fake designed to steal your credentials.

How to spot it:

Check the URL in your browser address bar. Legitimate Microsoft sign-in pages always use login.microsoftonline.com or login.microsoft.com - nothing else.
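The red-flag checks from the table in Part 1 (sender mismatch, suspicious link, risky attachment, urgency wording) and the address-bar check just described, as one added Python example. It is not part of this article and not Microsoft tooling; it uses only the standard library. The two sign-in hosts and the four attachment extensions are the ones the article names; the sample messages, the sender addresses, the urgency phrase list and the domains mail-verify.example, contoso.example and example.microsoft.com are constructed for illustration. The one thing it shows that the text only implies: the host comparison must be an exact match, because a substring test such as "microsoft.com in host" would accept the lookalike login.microsoft.com.phish.ru.

```python
"""Red-flag checks for a suspicious email (added example, not the article's tooling)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The article: legitimate Microsoft sign-in pages use only these two hosts.
MICROSOFT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com")
RISKY_EXTENSIONS = (".exe", ".zip", ".docm", ".xlsm")        # from the article
URGENCY_PHRASES = ("will be deleted", "verify now", "within 24 hours")  # constructed


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_microsoft_signin_host(host: str) -> bool:
    """Exact match only: 'microsoft.com' in host would wrongly accept
    login.microsoft.com.phish.ru, the article's own example."""
    return host.lower() in MICROSOFT_SIGNIN_HOSTS


def is_microsoft_domain(host: str) -> bool:
    """True for microsoft.com / microsoftonline.com and their subdomains.
    The leading dot matters: notmicrosoft.com must not pass."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags: the hover trick in code."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def red_flags(raw_message: str) -> list:
    """Return the article's red flags that fire on a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Sender address mismatch: display name says Microsoft, domain does not.
    display, address = parseaddr(msg.get("From", ""))
    if "microsoft" in display.lower() and not is_microsoft_domain(address.rpartition("@")[2]):
        flags.append(f"sender mismatch: '{display}' but address is {address}")

    # Suspicious links: what the button says vs. where the URL really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(text)
    for visible, href in collector.links:
        target = host_of(href)
        if "sign in" in visible.lower() and not is_microsoft_signin_host(target):
            flags.append(f"sign-in link goes to {target}")

    # Unexpected attachment with one of the extensions the article names.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")

    # Urgency / pressure wording.
    if any(phrase in text.lower() for phrase in URGENCY_PHRASES):
        flags.append("urgency wording")
    return flags


def build_sample_phish() -> str:
    """Constructed phishing sample modelled on the article's examples."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Support <alerts@mail-verify.example>"  # constructed sender
    msg["To"] = "user@contoso.example"
    msg["Subject"] = "Action required"
    msg.set_content("Your account will be deleted in 24 hours if you don't verify now.")
    msg.add_alternative(
        "<p>Your account will be deleted in 24 hours if you don't verify now.</p>"
        '<a href="https://login.microsoft.com.phish.ru/verify">Sign in to Microsoft</a>',
        subtype="html",
    )
    msg.add_attachment(b"not a document", maintype="application",
                       subtype="octet-stream", filename="Invoice.docm")
    return msg.as_string()


def build_sample_legit() -> str:
    """Constructed benign sample: real sign-in host, sender on a Microsoft domain."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Account Team <noreply@example.microsoft.com>"  # constructed
    msg["To"] = "user@contoso.example"
    msg["Subject"] = "Your monthly summary"
    msg.set_content('<a href="https://login.microsoftonline.com/">Sign in</a> to view it.',
                    subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    for flag in red_flags(build_sample_phish()):
        print("FLAG:", flag)
    print("benign sample flags:", red_flags(build_sample_legit()))
```

Running the file prints four flags for the phishing sample and an empty list for the benign one. The sign-in check is deliberately an allowlist of exact hostnames rather than a pattern, which is the same test a user performs by reading the address bar: the host is either one of the two names the article lists or it is not.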

 

The Fake Shared File Notification

What it looks like:

An email that mimics a OneDrive or SharePoint sharing notification - "[Person's name] has shared a document with you" - with a button to view the file. The email looks like a real Microsoft notification but the link goes to a fake sign-in page or downloads malware.

How to spot it:

Real sharing notifications come from [email protected] or sharepointonline.com. If the sender address is different, or you weren't expecting a share from that person, contact them directly via Teams or phone to verify before clicking.

 

The CEO / Executive Impersonation

What it looks like:

An email that appears to come from your CEO, owner, or a senior manager asking you to do something urgently - wire money, buy gift cards, or share employee information. The display name matches, but the actual email address is an external Gmail or similar account.

How to spot it:

Always verify unusual financial or sensitive requests by calling or messaging the person directly via Teams - not by replying to the email. No legitimate executive will be upset that you verified.

 

The MFA Fatigue Attack

What it looks like:

You receive a flood of MFA approval requests on your phone that you didn't initiate. The attacker already has your password and is hoping you'll eventually tap Approve just to make the notifications stop.

What to do:

Deny all requests. Change your password immediately at aka.ms/sspr. Contact IT — this is an active attack on your account.

 

Part 3: What to Do When You Get a Suspicious Email

 

DO
  ✅  Trust your gut - if something feels off, it probably is
  ✅  Hover over links to preview the real destination URL before clicking
  ✅  Report the email using the Report Message button in Outlook
  ✅  Contact the sender by a different method (phone, Teams) to verify if unsure
  ✅  Delete the email after reporting it
  ✅  Notify IT immediately if you clicked anything or entered credentials

DON'T
  ❌  Click any link in an email you weren't expecting
  ❌  Open attachments from unknown senders
  ❌  Reply to the email - even to say 'remove me from your list'
  ❌  Forward the email to coworkers - you could spread the threat
  ❌  Approve an MFA request you didn't initiate
  ❌  Assume IT already knows about it — they need you to report it


How to report it using the Report Message button

  1. In Outlook (desktop or web), select the suspicious email - don't open it if you haven't already.
  2. Look for the Report Message button in the Outlook toolbar at the top. It may be under the three-dot menu (More actions) if not immediately visible.
  3. Click Report Message → Phishing.
  4. Outlook will send a copy to Microsoft and to your IT security team automatically, then move the email to your Deleted Items.

 

📷  Video cue: Show selecting an email in Outlook, locating the Report Message button in the toolbar, selecting Phishing, and the confirmation message. Show both the desktop and web versions if possible.

 

💡  Can't find the Report Message button? It may not be installed yet. Contact IT — they can enable the Microsoft Report Message add-in for your account. In the meantime, forward the suspicious email as an attachment to IT.

 

Part 4: "I Already Clicked the Link" - What to Do Right Now

First: don't panic, and don't close everything or turn off your computer. Act fast but calmly. Here is the exact sequence to follow:

 

 

🔴  Contact IT Help Desk - do not wait
    When: Immediately

🟢  Disconnect from the company network or wifi
    When: Immediately

🔴  Do NOT turn off your computer - IT may need to examine it
    When: Immediately

🟢  Change your Microsoft 365 password via aka.ms/sspr
    When: Right after contacting IT

🟡  Change the password on any other account where you use the same password
    When: Right after

🟡  Review your recent sign-in activity at aka.ms/mysecurityinfo
    When: Right after

🟡  Report the email using the Report Message button in Outlook (if not already done)
    When: Right after

🟢  Monitor your email for any unusual sent messages or auto-reply rules you didn't set
    When: Over the next few days


🔴  If you entered your password on a suspicious page:

Your account should be considered compromised until IT confirms otherwise. Contact IT immediately, before changing your password, so they can check sign-in logs and revoke any active sessions the attacker may already have.

 

Part 5: Staying Sharp - Good Habits That Prevent Phishing

 

  • Be skeptical of urgency. Legitimate systems do not threaten you with account deletion in 24 hours. Take a breath before clicking anything that creates pressure.
  • Verify unusual requests out of band. If a request seems unusual, even from someone you know, confirm it via a phone call or Teams message before acting. Email accounts get compromised.
  • Never enter your work password on a page you reached via an email link. Type the address directly into your browser instead (e.g. outlook.office.com, not a link in an email).
  • Keep your authenticator app active and your phone secure. MFA stops most phishing attacks even if your password is stolen, but only if your phone is protected with a PIN or biometric lock.
  • Never approve an MFA request you didn't initiate. Deny it, then change your password and contact IT.
  • Report everything suspicious, even if you're not sure. A false alarm is far better than a missed attack. IT would rather check ten emails that turn out to be fine than miss one that isn't.

 

✅  Remember: You are the last line of defense. Technical filters catch most phishing emails, but sophisticated attacks get through. A single moment of caution — hovering over a link, picking up the phone to verify, clicking Report Message — can prevent a serious security incident for the whole organization.

 

🛟  Need to report an incident?

Contact the IT Help Desk immediately. If you clicked a link or entered credentials, treat this as urgent — do not wait.

 
