Microsoft 365 "messages held" email scam: the fake quarantine notice that steals your login
An email dressed as a Microsoft 365 or Outlook security notice warns that several messages are "held" or "quarantined" and will be deleted unless you release them. The "Review held messages" button opens a fake Microsoft sign-in page that captures your password, and in the sharper attacks the session that gets you past multi-factor authentication. Here is how to know it is fake in seconds, without clicking the button or typing a single character.
Verdict: a Microsoft 365 "messages held" email with a release link is almost always phishing
An email styled as a Microsoft 365 or Outlook security notice that says a number of messages are "held," "quarantined," or "pending review" and will be deleted unless you click "Review held messages" or "Release messages" is almost always a phishing scam. The button opens a pixel-perfect fake Microsoft sign-in page that harvests your password, and in the more advanced kits the live session cookie too, which lets an attacker walk straight past your multi-factor authentication. A genuine quarantine notice is generated by your own organisation's Microsoft Defender, and its links stay inside your own account and portal. Do not click the button. Check for held mail only by opening office.com or outlook.com yourself and signing in there.
The Brief
Microsoft is the single most-impersonated brand in phishing. Check Point's Q1 2026 Brand Phishing Report ranked it first, ahead of Apple and Google, at roughly a fifth of all brand-impersonation attempts, because a Microsoft 365 login is the master key to a person's email, files, and calendar. The "messages held" wave leans on that. The message looks like a routine mail-security notice, says a batch of your messages is waiting for review, and gives you a single button to release them before they are purged. That button is the whole attack. It leads to a counterfeit Microsoft sign-in page, and the moment you type your password you have handed it over. The rule that beats it is the same one that beats a fake DocuSign document email: never sign in through a link in a message, only by opening the service yourself.
What the fake "messages held" notice looks like
The subject line sets the hook with a number and a deadline. "18 Messages Held." "Important Mail pending, action required." "You have quarantined messages awaiting release." Some versions come from a display name like "E-messages Delivery," "Mail Security," or "Microsoft 365 Compliance," styled with the Office logo and a tidy blue header. The body says something like "18 messages are waiting for your review" and warns that they will be deleted if you do not act. Then it offers one button: "Review held messages," "Release messages," or "Review now."
Click it and you land on a page that looks exactly like the Microsoft sign-in screen. The realism is deliberate. In the campaigns security vendor MailGuard documented in 2026, the attackers pre-fill your email address in the URL so the login feels personal, and the page even prints your own browser and operating system back at you ("Linux, Firefox") as fake reassurance that Microsoft "recognises your device." Enter your password and the trap tightens. Some kits show an "attempts remaining" counter, flashing "2 attempt(s) left" with a countdown to pressure you into trying again. After the final "attempt," the page quietly redirects you to the real Office 365 login, so you assume you simply mistyped your password, log in normally, and never realise the first page stole it.
The most dangerous versions do not stop at your password. An adversary-in-the-middle (AiTM) kit sits between you and the real Microsoft server as a live proxy. It passes your password and your multi-factor code through to Microsoft in real time, then steals the session cookie Microsoft hands back. That cookie is a valid, already-authenticated session, so the attacker slips past MFA entirely and gets into your mailbox without needing your code again. Off-the-shelf kits have turned this into a point-and-click operation, which is why "messages held" pages have spread so fast.
The tell is the address bar. A real Microsoft sign-in only ever happens on login.microsoftonline.com. The release links in these emails go nowhere near it. They point to lookalikes such as m365-mail-release[.]top, office365-quarantine[.]live, or outlook-held-messages[.]shop (illustrative examples, not real Microsoft domains). The word "microsoft," "m365," "office365," or "outlook" is glued to "release," "quarantine," or "held," or parked on a cheap ending like .top, .live, or .shop that Microsoft would never use for a login. If the sign-in page is on anything other than login.microsoftonline.com, it is a fake, no matter how perfect the pixels are.
How a real Microsoft 365 quarantine notice actually works
Microsoft 365 does hold suspicious or spam messages in quarantine, so the concept is not invented. But a genuine notice behaves nothing like the scam. Quarantine is a feature of your own organisation's Microsoft Defender for Office 365, configured by your IT or admin team, not a service that emails random people out of the blue. When a real quarantine notification arrives, its "Review message" and "Release" links open your tenant's own Microsoft quarantine portal at security.microsoft.com, where you are already signed in. They do not throw you a fresh password prompt on an outside website.
Three things separate the real notice from the fake. First, the real one comes from within your own organisation's mail security, so if you have no company email security team, an unexpected "quarantine" notice is a red flag on its own. Second, a real notice never needs you to re-enter your password on a page you reached by clicking a link. Third, the destination is a Microsoft-owned domain (security.microsoft.com, and any actual sign-in only at login.microsoftonline.com), never a lookalike. When in doubt, ignore the buttons entirely and check your own quarantine by opening office.com and going to Microsoft 365 Defender yourself. For the broader pattern of fake Microsoft logins, our guide on how to spot a Microsoft phishing email covers the other lures using the same trick.
The 30-second check: sign in only at office.com, never through the email
This is the whole answer, and it works whether the message is a flawless fake or the rare genuine notice, because it never trusts the email.
- Do not click the button. Do not open the release page, do not enter anything. Nothing real is lost by pausing.
- Look at where the button actually goes. Hover the "Review held messages" link (long-press on mobile). If the destination is anything other than login.microsoftonline.com or a Microsoft-owned domain, it is fake. A sign-in page on a .top, .live, .shop, or hyphenated "microsoft" domain is the giveaway.
- Open office.com or outlook.com yourself. Type it in the address bar or use a bookmark. Do not use any link from the message. If you truly have quarantined mail, you will see it in Defender inside your own account.
- Never re-enter your password on a page you reached from an email. Real Microsoft prompts for a fresh login inside a session you started, not after clicking an emailed button.
- If there is nothing held in your real account, it was phishing. Delete the email. There are no messages waiting, and nothing will be deleted.
That is the same rule that beats the whole category, from a Chase bank phishing email to a Microsoft device-code phishing attack: judge it on the real, official site you open yourself, never on the message that reached out to you.
Red flags that mark it as phishing
- A sign-in page that is not on login.microsoftonline.com. This is the single clearest tell. A hyphenated "microsoft" or "office365" domain, or a page on .top, .live, or .shop, is fake even if the layout is perfect.
- An unexpected "quarantine" or "messages held" notice. If your organisation has no mail-security team that would send one, the notice itself is the warning.
- A deadline and a threat of deletion. "Release within 24 hours or your messages will be permanently deleted." Urgency exists to stop you checking on the real site.
- An "attempts remaining" counter on the login. Microsoft does not flash "2 attempts left" with a countdown. That is a pressure trick unique to the phishing kit.
- Your email pre-filled and your device "recognised." A page that already knows your address and prints your browser and OS back at you is mimicking trust, not proving it.
- A generic or odd sender. "E-messages Delivery," "Mail Security," or a display name reading "Microsoft" over an address that is not a Microsoft or your own company domain.
- A redirect to the real login after you "fail." Being bounced to the genuine Office 365 page after a wrong "attempt" is the scam covering its tracks so you blame yourself.
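The address-bar check from the 30-second check and the red-flag list above, written out as an added Python example (not code from the article or from SafeBrowz): exact host matching against the Microsoft hosts the article names, then the lookalike tells it lists. The host allowlist, token lists and sample URLs are assumptions constructed for this example, not a complete catalogue of Microsoft domains.

```python
"""Classify where a 'Review held messages' link really goes, the way a reader
checking the address bar would: genuine Microsoft host first, lookalike tells second."""
from urllib.parse import urlparse, parse_qs

# Hosts the article names as where a real Microsoft sign-in or quarantine page loads.
# Illustrative allowlist (assumption); an organisation would extend it for its tenant.
MICROSOFT_HOSTS = {
    "login.microsoftonline.com", "security.microsoft.com", "account.microsoft.com",
    "office.com", "www.office.com", "outlook.com", "www.outlook.com",
}
MICROSOFT_SUFFIXES = (".microsoftonline.com", ".microsoft.com")
SUSPICIOUS_TLDS = {"top", "live", "shop"}            # cheap endings the article calls out
BRAND_TOKENS = ("microsoft", "m365", "office365", "outlook")
LURE_TOKENS = ("release", "quarantine", "held")


def inspect_release_link(url: str):
    """Return ("microsoft", []) for a genuine Microsoft host, else ("fake", reasons)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        return "fake", ["link has no host"]
    # The suffix match needs a dot before the Microsoft domain, so both
    # login.microsoftonline.com.evil.top and evil-microsoft.com fall through.
    if host in MICROSOFT_HOSTS or host.endswith(MICROSOFT_SUFFIXES):
        return "microsoft", []

    reasons = [f"sign-in host '{host}' is not login.microsoftonline.com "
               "or a Microsoft-owned domain"]
    labels = host.split(".")
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append(f"cheap top-level domain .{labels[-1]}")
    # The label just before the TLD is the name the registrant actually chose.
    name = labels[-2] if len(labels) >= 2 else host
    has_brand = any(tok in name for tok in BRAND_TOKENS)
    has_lure = any(tok in name for tok in LURE_TOKENS)
    if has_brand and (has_lure or "-" in name):
        reasons.append(f"Microsoft brand word glued into registered name '{name}'")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label in host (possible homograph)")
    if "microsoftonline.com" in host or "microsoft.com" in host:
        reasons.append("Microsoft domain embedded as a subdomain of another domain")
    if parsed.username:
        reasons.append(f"text before '@' ('{parsed.username}') is not the host; "
                       f"the browser connects to '{host}'")
    for key, values in parse_qs(parsed.query).items():
        if any("@" in v for v in values):
            reasons.append(f"email address pre-filled in URL parameter '{key}'")
            break
    return "fake", reasons


if __name__ == "__main__":
    # Constructed sample links, modelled on the illustrative domains in the article.
    for link in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                 "https://m365-mail-release.top/review?user=alice%40example.com"):
        print(link, "->", inspect_release_link(link))
```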
What to do if you clicked the link or entered your password
Move fast. With an AiTM kit, a stolen session can be abused within minutes, so speed is what limits the damage.
- Change your Microsoft password now. Do it by going to office.com or account.microsoft.com directly, not through any link in the email. If it is a work account and you cannot reach it, call your IT help desk immediately.
- Sign out of all sessions and revoke active tokens. In your Microsoft account security settings, sign out everywhere. For a work account, ask IT to revoke your sessions and refresh tokens, because a stolen session cookie stays valid until it is revoked, even after you change the password.
- Re-check and re-register multi-factor authentication. Confirm no new phone number, authenticator, or app password was added. Attackers add their own MFA method to keep access. Remove anything you do not recognise and turn MFA on if it was off.
- Check your mailbox rules and forwarding. Attackers often add a hidden rule that auto-forwards or deletes mail to hide their activity. Delete any rule or forwarding address you did not create.
- Tell your IT or security team. For a work or school account this is the most important step. They can hunt for suspicious logins, revoke sessions tenant-wide, and warn colleagues before the attacker uses your mailbox to phish them.
- Reset that password anywhere you reused it, and give every account its own unique password.
How to report a Microsoft 365 phishing email
- Report it to Microsoft. Use the "Report" or "Report Message" option in Outlook to send it to Microsoft as phishing, which also helps train the filters that catch the next wave.
- Tell your IT or security team. In a company, forwarding the message to your internal security or abuse mailbox lets them block the sender and the domain for everyone.
- Report the scam to the FTC at reportfraud.ftc.gov. This feeds US enforcement and consumer-alert data.
- In the US, report to the FBI Internet Crime Complaint Center at ic3.gov if you lost money or had an account taken over.
- Delete the message after reporting. Do not click anything on the way out.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Microsoft included) plus Cyrillic and Punycode homograph checks, all running inside the extension before the page renders. The fake release page wears the Microsoft brand but sits on a domain that is not microsoft.com or microsoftonline.com, and it pairs that brand with a credential-harvest login form and deletion-deadline urgency. Reading a page's brand against the domain it actually loads on is exactly how the engine separates the real login.microsoftonline.com from an impostor, and it flags the impersonation before the sign-in form is usable.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam-TLD lists to flag domains already reported as malicious, which covers many "release your held messages" pages as they are reported.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike pages in seconds, including a fresh Microsoft 365 quarantine clone that copies the real styling but sits on the wrong domain and asks for a password behind a fake "attempts remaining" timer.
Honest scope: SafeBrowz flags and blocks the phishing sign-in page before it loads, so the "enter your password to release your messages" step never reaches you. It reads the page you are about to open, not your inbox, so it cannot delete the email itself, and it cannot undo a password already typed on a page you visited without it. Pair the extension with one habit: sign in to Microsoft only by opening office.com yourself, never through a button in an email.
Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
The email is the lure, but the theft happens on the page. That release link is where victims are pushed to type a Microsoft password into a counterfeit login, and where an AiTM kit quietly grabs the session that beats MFA. Browser-layer scanning catches that step. When a Microsoft-styled sign-in renders on a domain that is not login.microsoftonline.com, a brand-aware scanner flags the impersonation before the form is usable. SafeBrowz is a free extension for Chrome, Firefox and Edge, with a live Android app (Safari coming soon), and it checks every URL against a 550+ brand database before the page renders. Install SafeBrowz and pair it with the one rule that beats this whole category: reach Microsoft only by typing office.com yourself, and never sign in through a link in a message. If you want the deeper checks, our breakdown of AI-generated phishing emails explains why these fakes look so convincing now, and the FBI warning about Microsoft 365 phishing kits shows how organised this has become.
Install SafeBrowz free
Add the browser extension, or the SafeBrowz Android app, that runs every link check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
Is the Microsoft 365 "messages held" email real?
Almost never. An email that says a batch of your messages is "held," "quarantined," or "pending review" and gives you a button to release them before they are deleted is a phishing scam in the overwhelming majority of cases. The button opens a fake Microsoft sign-in page that steals your password. A genuine quarantine notice is generated by your own organisation's Microsoft Defender, and its links open your own account, never a fresh password prompt on an outside website. Check for held mail only by opening office.com yourself and signing in.
How can I tell the "messages held" email is a fake Microsoft message?
Look at where the button goes and where the sign-in page loads. A real Microsoft login only ever happens on login.microsoftonline.com. If the "Review held messages" link points to a hyphenated "microsoft" or "office365" domain, or a page on .top, .live, or .shop, it is fake. Other tells: an unexpected quarantine notice when your organisation has no mail-security team, a deletion deadline, an "attempts remaining" counter on the login, your email pre-filled, and your browser and device "recognised" as fake reassurance.
Can this scam get past my multi-factor authentication?
Yes, the more advanced versions can. An adversary-in-the-middle kit acts as a live proxy between you and the real Microsoft server, passing your password and MFA code through in real time, then stealing the session cookie Microsoft issues afterwards. That cookie is an already-authenticated session, so the attacker gets into your mailbox without needing your code again. This is why the safest move is never to sign in through an emailed link, and why revoking active sessions matters if you think you were caught.
I entered my password on the "release messages" page. What now?
Change your Microsoft password immediately by going to office.com or account.microsoft.com directly, not through the email. Then sign out of all sessions and, for a work account, ask IT to revoke your sessions and tokens, because a stolen session cookie stays valid until it is revoked. Re-check your multi-factor settings and remove any method you did not add, delete any mailbox forwarding rule you did not create, and tell your IT or security team so they can hunt for suspicious logins.
Does Microsoft 365 really quarantine messages?
Yes. Microsoft Defender for Office 365 holds spam and suspicious messages in quarantine, configured by your organisation's IT or admin team. But a genuine notification behaves nothing like the scam: its links open your own tenant's quarantine portal at security.microsoft.com where you are already signed in, it never asks you to re-enter your password on an outside page, and any real sign-in only happens on login.microsoftonline.com. Review your own quarantine by opening office.com yourself, not by clicking a button in an unexpected email.
Why is Microsoft impersonated so often in phishing?
Because a single Microsoft 365 login unlocks a person's email, files, calendar, and often their whole workplace, which makes it the most valuable credential an attacker can steal. Check Point's Q1 2026 Brand Phishing Report ranked Microsoft the most-impersonated brand, ahead of Apple and Google. That is exactly why "messages held," device-code, and fake-login lures keep appearing, and why the one habit of signing in only at office.com yourself is worth building.
Related SafeBrowz coverage
- How to spot a Microsoft phishing email
- Microsoft device-code phishing: the login-approval trap explained
- FBI warning on the Kali365 Microsoft 365 phishing kit
- DocuSign phishing scam email: how to spot the fake document
- AI-generated phishing emails: why the fakes look real now
- Chase bank phishing email scam: how to spot the fake alert
Bottom line: the Microsoft 365 "messages held" email is a phishing scam that steals your password and, in the worst kits, the session that beats your MFA. Real Microsoft quarantine notices come from your own organisation's Defender and never ask you to sign in on an outside page, and a real Microsoft login only ever loads on login.microsoftonline.com. Do not click the release button, and check for held mail only by opening office.com yourself. Put SafeBrowz on your browser so the fake sign-in page never loads, and pair it with the habit of signing in to Microsoft only by opening the site yourself.