What a real Microsoft email looks like
Before you can spot a fake, you need to know what the real thing looks like. Genuine Microsoft emails share a handful of traits that have stayed consistent for years.
The sender address always comes from a Microsoft-owned domain. The most common ones are @microsoft.com, @email.microsoft.com, @accountprotection.microsoft.com, and @microsoftonline.com. Never a hyphenated lookalike, never a .net or .xyz version, never a name where "microsoft" appears only as a subdomain of a domain Microsoft does not own.
The typography is formal and consistent. Microsoft uses Segoe UI across its products. Spacing is tight, logos are crisp, and the layout does not shift between paragraphs. There is no screaming urgency, no all-caps subject lines, and no countdown timers.
Password reset emails only arrive if you actually requested one. Security alerts direct you to sign in to your account page, not to click a button inside the email. Attachments for account issues are effectively nonexistent. Microsoft will not send you a DOCX or HTML file and ask you to open it to "verify" anything.
Sign #1: The sender domain is @outlook-support.com, not @microsoft.com
This is the single fastest check. Look at the full sender address, not just the display name. The display name can say anything. Attackers write "Microsoft Account Team" in the From field, but the real email address sits behind it and tells the truth.
Common tricks you will see in 2026:
- outlook-support.com (the real domain is outlook.com, no hyphen)
- microsoft-security.net (real uses .com, not .net)
- microsoft-teams.net or teams-microsoft.com
- office365-login.com, office-365.xyz
- accountprotection-microsoft.com (the real one is accountprotection.microsoft.com, a subdomain of microsoft.com; the hyphen turns this into a separate domain Microsoft does not own)
- no-reply@outlook.support (new TLDs get abused first)
In Outlook desktop, click the sender name to expand the full address. In Gmail web, click the small arrow under the sender to open full headers. On mobile, tap and hold the sender name. If the email is from @microsoft-account-service.io or anything similar, delete it.
Sign #2: "Your account will be locked in 24 hours"
Microsoft does not email threats to suspend your account within 24 hours. Real security notifications read more like "we detected a sign-in from a new location, if that was not you, secure your account here." Fakes read like "IMMEDIATE ACTION REQUIRED: your Microsoft 365 subscription has been suspended due to unusual activity. Verify within 24 hours or permanent closure will occur."
Urgency is the oldest trick in phishing because it works. A racing clock pushes people to click before they think. Any Microsoft email that combines a deadline, a scary consequence, and a big blue button pointing somewhere outside microsoft.com is a phish until proven otherwise.
If you are worried an alert might be real, close the email and go to account.microsoft.com directly. Type it into your browser yourself. Sign in. Any real security events will be waiting for you on the Security tab. If nothing is there, the email was fake.
Sign #3: Password reset you never requested
If a password reset email shows up and you did not click "forgot password," treat it as hostile. The two realistic explanations are both bad for you. Either someone is trying to break into your account and a real reset code was sent, or the email is fully fake and the link leads to a credential trap.
Either way, do not click the reset link in the email. Open a new browser tab and go to account.microsoft.com. Sign in. Head to Security, then Sign-in activity. You will see every recent attempt, the IP address, the country, and whether it succeeded. If you see attempts you did not make, change your password from that trusted browser and turn on two-factor authentication if it is not already on.
Do not enter the reset code from a suspicious email into anything. Attackers also send follow-up texts or calls pretending to be Microsoft support asking for that code. That is how account takeovers happen.
Sign #4: Attachments in "account security" emails
Microsoft never sends attachments to resolve account issues. Not a DOCX to "verify your account." Not a PDF to "review recent activity." Not an HTML file to "confirm identity." Not a ZIP containing an invoice to unlock Teams.
HTML attachments are especially dangerous. Attackers send them because email filters often let them through, and when you open one, it renders a full fake Microsoft login page inside your browser. The URL bar shows a local file path, which makes it feel trusted. Everything you type gets posted to the attacker's server.
If a Microsoft-branded email arrives with any attachment about your account, security, login, or subscription, that alone is enough to delete it. The only legitimate Microsoft attachments you will ever see are invoices for paid services, and even then, the invoice is usually a link to your billing page, not a file.
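Turned into a triage rule over a raw message, the check looks like this. The Python below is an added example, not code from the article or from SafeBrowz: the sample message, its sender, subject and attachment name are constructed for the demonstration, and the keyword lists that decide whether a mail is "Microsoft-branded and about the account" are assumptions drawn from the signs the article lists.

```python
"""Attachment triage for Microsoft-branded mail (added example, not the article's code).

Applies the article's rule: a message that presents itself as Microsoft and
concerns the account, security, login or subscription, and that carries any
attachment, is deleted; HTML attachments are flagged as the highest risk.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Keyword lists are assumptions for this example, derived from the signs the
# article describes; tune them for real mail flow.
BRAND_WORDS = ("microsoft", "outlook", "office 365", "microsoft 365", "teams", "onedrive")
ACCOUNT_WORDS = ("account", "security", "login", "sign-in", "subscription", "verify")

# Attachment types the article names, with HTML the worst case because it
# renders a sign-in form locally in the victim's browser.
RISKY_SUFFIXES = {".html": "high", ".htm": "high",
                  ".docx": "medium", ".pdf": "medium", ".zip": "medium"}


def is_microsoft_account_mail(msg: EmailMessage) -> bool:
    """Branded as Microsoft (display name or subject) and about the account."""
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return any(w in text for w in BRAND_WORDS) and any(w in text for w in ACCOUNT_WORDS)


def flag_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment of a Microsoft-branded account mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_microsoft_account_mail(msg):
        return []
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        content_type = part.get_content_type()
        risk = RISKY_SUFFIXES.get(os.path.splitext(filename)[1], "low")
        if content_type == "text/html":  # HTML renamed to anything else is still HTML
            risk = "high"
        findings.append({"filename": filename, "content_type": content_type,
                         "risk": risk, "action": "delete"})
    return findings


def build_sample(filename="verify-account.html", maintype="text", subtype="html") -> bytes:
    """Constructed phishing-style message; sender, subject and attachment are invented."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Account Team" <no-reply@outlook-support.com>'
    msg["To"] = "user@example.com"
    msg["Subject"] = "Verify your Microsoft 365 account within 24 hours"
    msg.set_content("Open the attached file to confirm your identity.")
    msg.add_attachment(b"<html><body>fake sign-in form</body></html>",
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_attachments(build_sample()):
        print(finding)
```

The content-type override matters more than the filename check: a mail filter that only looks at extensions misses an HTML form shipped as `report.txt`, so the rule keys on what the part actually is.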
Sign #5: The HTML looks slightly off
Attackers steal Microsoft email templates, but they rarely get every detail right. Once you know what to look for, a fake Microsoft email jumps out.
Logo pixelation is a common giveaway. The Microsoft four-square logo is a vector in real emails, so it stays crisp at any size. Fakes often use a JPG copy that looks fuzzy, especially on a retina or 4K screen. Sometimes the colors of the four squares are slightly off, a muddy red instead of the proper Microsoft red.
Fonts are another tell. Real Microsoft emails use Segoe UI with a fallback to Arial. Fakes sometimes hardcode Times New Roman or Helvetica, which looks wrong next to a Microsoft logo. Button alignment is usually off by 2 or 3 pixels. The call-to-action button sits slightly too far left or right. Gradient colors on buttons are close but not identical to the real brand blue.
Open a genuine Microsoft email in another tab and put them side by side. The fake reveals itself within seconds.
Sign #6: Links do not point to microsoft.com domains
Before you click any link in a Microsoft email, hover over it. In desktop email clients, the real destination appears in the bottom-left corner of your browser window or in a tooltip near the cursor. On mobile, tap and hold the link to see a preview without opening it.
Real Microsoft links end in a small set of known domains:
- login.microsoftonline.com
- login.live.com
- account.microsoft.com
- portal.office.com and portal.azure.com
- teams.microsoft.com, outlook.live.com, onedrive.live.com
Fakes use almost-but-not-quite domains. microsoft-login-verify.com, office365-support.xyz, login-microsoft.online, teams-invite.app, microsoftonline-verify.com. Any domain that adds words like "verify," "support," "secure," or "confirm" around Microsoft is almost always hostile. Microsoft does not need those words; it owns the name.
If the link goes through a URL shortener like bit.ly, t.co, or tinyurl, treat it as unsafe regardless of what the email says. Microsoft does not shorten its own links in official communications. For more on this, see how to tell if a website is a scam.
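Sign #1 and Sign #6 reduce to the same rule: discard the display name or the link text, take the registrable domain of what is left, and ask whether Microsoft actually owns it. The Python below is an added example, not code from the article or from SafeBrowz. Its allowlist is assembled only from the domains the article names (a real deployment maintains it against Microsoft's published list), the brand-word list used to separate deliberate lookalikes from unrelated domains is an assumption, and the sample addresses and links are the ones quoted in the article.

```python
"""Sender-domain and link-destination check (added example, not the article's code).

Encodes the article's rule: the registrable domain behind a From: address or a
link target must be one Microsoft owns. Hyphenated variants, wrong TLDs, a
"microsoft" label buried inside another domain, and URL shorteners all fail.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Registrable domains the article names as Microsoft-owned (assumed complete
# only for this example; a real allowlist is maintained from Microsoft's list).
MICROSOFT_DOMAINS = frozenset({
    "microsoft.com", "microsoftonline.com", "live.com",
    "office.com", "azure.com", "outlook.com",
})

# Shorteners the article says never appear in official Microsoft mail.
SHORTENERS = frozenset({"bit.ly", "t.co", "tinyurl.com"})

# Brand words used to tell a deliberate lookalike from an unrelated domain
# (assumption for this example, not a list from the article).
BRAND_WORDS = ("microsoft", "outlook", "office", "teams", "onedrive", "azure")


def registrable_domain(host: str) -> str:
    """Last two DNS labels: 'login.microsoftonline.com' -> 'microsoftonline.com'.
    Sufficient for the .com/.net/.xyz names discussed here; multi-label public
    suffixes such as co.uk would need the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_from_sender(from_header: str) -> str:
    """Domain of the actual address in a From: header; the display name is
    ignored because it can say anything."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def host_from_url(url: str) -> str:
    """Host of a link target; a scheme is prepended when the mail omitted it."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host: str) -> str:
    """'microsoft' for an owned domain, 'shortener', 'lookalike' when a brand
    word appears in a domain Microsoft does not own, else 'foreign'."""
    if not host:
        return "foreign"
    domain = registrable_domain(host)
    if domain in MICROSOFT_DOMAINS:
        return "microsoft"
    if domain in SHORTENERS:
        return "shortener"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "foreign"


def check_sender(from_header: str) -> str:
    return classify_host(host_from_sender(from_header))


def check_link(url: str) -> str:
    return classify_host(host_from_url(url))


def verdict(from_header: str, links) -> str:
    """The article's rule of thumb: every sender and link must be Microsoft-owned,
    otherwise delete the message."""
    results = [check_sender(from_header)] + [check_link(u) for u in links]
    return "ok" if all(r == "microsoft" for r in results) else "delete"


if __name__ == "__main__":
    # Addresses and links quoted in the article.
    for sender in ('"Microsoft Account Team" <no-reply@outlook-support.com>',
                   "alerts@accountprotection.microsoft.com",
                   "alerts@accountprotection-microsoft.com"):
        print(f"{sender:60} -> {check_sender(sender)}")
    for link in ("https://login.microsoftonline.com/", "https://bit.ly/3abc",
                 "microsoft-login-verify.com/signin"):
        print(f"{link:60} -> {check_link(link)}")
```

The two-label `registrable_domain` is the one simplification worth remembering: it is exact for every domain in this article, but a name like `microsoft.co.uk` would be reduced to `co.uk`, so anything beyond a demonstration should use the Public Suffix List.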
Sign #7: Grammar and translation errors
Not just typos. Attackers run phishing campaigns in many languages and machine translate the templates into English. That produces sentences that feel a quarter-turn off. Native English speakers notice it instantly, even if they cannot always explain why.
Examples you will see:
- "Please to verify your account immediately."
- "Your Microsoft teams Account has been limited." (inconsistent capitalization)
- "We has noticed unusual sign-in attempt on your account."
- "Kindly confirm the below information." (regional English phrasing)
- "Failure of which your account will be blocked permanent."
Microsoft employs copywriters and runs every customer email through review. Real emails are grammatically clean, consistent in tone, and never use phrases like "kindly do the needful" or "failure to comply will result in." If the email reads like it was translated from another language by software, it was.
What to do if you clicked the link
Clicking the link alone is not the end of the world. Most phishing pages need you to enter credentials before any real damage is done. Close the tab right away. Do not type anything into the page.
Run a quick antivirus scan on your machine. Windows Defender is fine for this, or your existing security tool. Some phishing pages also try to load malicious JavaScript or push "click to verify" browser notifications. See our ClickFix protection guide for the fake CAPTCHA attack that often follows Microsoft phishing.
Then go directly to account.microsoft.com, sign in, and check the Sign-in activity page. Look for anything you do not recognize. If everything looks normal, you are likely fine. Change your password anyway if you are not 100 percent sure you did not type it somewhere. Peace of mind is worth five minutes.
What to do if you entered your password
Move fast. The attacker may already be inside your account. Here is the order that matters:
- Change your password from a trusted device by going directly to account.microsoft.com. Use a new password you have not used anywhere else.
- Turn on or reset multi-factor authentication. If MFA is already on, reset it in case the attacker enrolled their own device.
- Revoke all active sessions. Under Security, there is a "sign me out everywhere" option. Use it. This kicks the attacker out even if they stole a session token.
- Check for forwarding rules. This is the step almost everyone misses. Attackers add an auto-forward rule to your Outlook so every new email also goes to them silently. Open Outlook settings, go to Mail, then Forwarding, and delete anything you did not set up. Also check Inbox rules for any rule that moves messages to Deleted Items or RSS.
- Review recent account activity for documents downloaded, emails sent, or payment methods added.
- Change the same password anywhere else you used it. If your Microsoft password was also your bank password, your banking is at risk. Rotate everything.
If your work account was phished, tell your IT team immediately. Do not wait. The faster they can disable sessions across the tenant, the less damage.
Enabling phishing-resistant 2FA on your Microsoft account
Not all two-factor methods are equal against phishing. Here is the ranking for 2026:
- Security key (YubiKey, Google Titan, Feitian). Phishing-resistant by design. The key verifies the domain before signing in, so a fake microsoft-login.com page cannot trick it.
- Microsoft Authenticator with number matching. Good. You type a number from the sign-in page into the app, which stops most push-bombing attacks.
- Passkeys. Now supported on Microsoft accounts. Use them if you are comfortable with them.
- SMS codes. Last resort. Better than nothing but vulnerable to SIM-swap attacks.
Set it up at account.microsoft.com/security. Click Advanced security options, then add a security key or authenticator app. Takes about 3 minutes and blocks almost every phishing attempt cold.
Block Microsoft phishing sites before you click
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake login pages automatically. It recognizes 420+ brands including Microsoft, Apple, Google, Amazon, PayPal, and more, all auto-blocked when a page tries to impersonate them. AI content analysis works in over 100 languages and spots new phishing domains the moment they go live, even ones that are not yet on any blocklist. Free forever, no account needed.