What We're Seeing

More phishing attempts disguised as Microsoft sign-ins

April 1, 2026

Over the past several months, we have seen a noticeable increase in phishing attempts targeting Microsoft 365 accounts. These are not the poorly worded messages from unfamiliar senders that most people have learned to distrust. They are polished, they use real Microsoft branding, and the fake sign-in pages they lead to are nearly identical to the real ones.

A few clients have forwarded these to us recently. It is worth explaining how they work, because understanding the mechanics makes them easier to recognize.

How these attacks work

The email typically looks like a legitimate Microsoft security alert. It might say that your account showed unusual sign-in activity, that your password is about to expire, or that you need to verify your identity to keep access. The urgency feels real enough that it prompts action without much thought.

The link goes to a page that looks exactly like the Microsoft sign-in portal: same layout, same logo, same color scheme. When you enter your credentials, they go directly to the attacker. Some of these attacks use a real-time proxy setup that captures your username, password, and MFA code as you enter them and uses them immediately, before the code expires. Even with multi-factor authentication turned on, the attacker can be fast enough to get through.

Once inside, the account is used quickly. Attackers typically set up email forwarding rules so they keep receiving messages even after a password change, scan for financial information or internal communications, and send phishing messages to your contacts from a now-trusted address.

What actually helps

Multi-factor authentication still provides significant protection and should be turned on for every account. The real-time proxy attacks that can defeat it are more sophisticated than standard credential theft and considerably less common.

A stronger defense against this specific type of attack is phishing-resistant authentication. Microsoft Authenticator’s number matching feature requires you to confirm a number shown on your screen inside the app — something a proxy cannot replicate. Hardware security keys go further, binding authentication to the specific domain you are logging into, so a fake site receives nothing usable.

On the filtering side, email security tools that analyze links at the moment they are clicked — rather than only at delivery — catch a meaningful percentage of these before any damage is done. Microsoft Defender for Business includes this capability and needs to be configured correctly to work.

No technical control eliminates this risk entirely. When someone on your team receives an urgent message asking them to log in somewhere, taking a few seconds to look at the actual URL in the browser before entering anything is a habit worth building. The real Microsoft sign-in address is login.microsoftonline.com. Anything else — regardless of how the page looks — is worth treating with suspicion.
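The URL check described above, written out as an added example (not part of the original post): it accepts only an exact `https` match on the hostname the post names, and shows why links that merely contain that name still fail. The function name, the reason strings and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "login.microsoftonline.com"  # the hostname the post names


def check_signin_url(url):
    """Return (ok, reason) for a URL read from the address bar or a link."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "URL does not parse"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # Anything before '@' is userinfo, not the site being contacted.
        return False, "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host, possible look-alike letters"
    if port not in (None, 443):
        return False, "unexpected port"
    if host == EXPECTED_HOST:
        return True, "host matches"
    if EXPECTED_HOST in host:
        return False, "expected name is only part of a longer host"
    return False, "different host"


# Constructed sample URLs; the .example hosts are placeholders.
SAMPLES = [
    "https://login.microsoftonline.com/",
    "https://LOGIN.microsoftonline.com./",
    "https://login.microsoftonline.com.signin.example/",
    "https://login.microsoftonline.com@signin.example/",
    "https://signin.example/login.microsoftonline.com",
    "https://login.micr\u043esoftonline.com/",  # Cyrillic 'o' in place of Latin 'o'
    "http://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, reason = check_signin_url(u)
        shown = u.encode("ascii", "backslashreplace").decode()
        print("OK     " if ok else "SUSPECT", reason, "|", shown)
```

Only the first two samples pass. The rest place the expected name in a longer hostname, before an `@`, in the path, or in look-alike letters, which is why reading the host itself matters more than spotting the familiar string.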

If any of this feels familiar, we can take a quick look at your setup and tell you what is actually worth fixing.


Prefer email? info@foothill.systems