But what if that email isn’t actually from Microsoft?
Cybercriminals often exploit trusted brands to deceive people, and currently, Microsoft is the most impersonated company in the world for phishing scams. Recent research indicates that 36% of brand-related phishing attacks in early 2025 were made to appear as if they were from Microsoft. That's a significant number.
Following Microsoft, Google and Apple are also frequently impersonated. Together, these three tech giants account for more than half of all phishing scams.
So, what's happening? More importantly, how can you protect your business?
First, let’s briefly discuss what phishing is.
Phishing occurs when a criminal sends you a fraudulent email, text, or message that looks like it’s from a legitimate company you know and trust. The goal is to persuade you to click on a link, open a malicious attachment, or provide sensitive information like passwords, credit card numbers, or even your full identity. The consequences can be severe: stolen money, hacked systems, confidential data breaches, and a great deal of trouble for your business.
The worst part is that phishing emails are becoming increasingly sophisticated. There's less bad spelling and suspicious-looking links. Scammers imitate real company logos, create fake websites that look identical to the real ones, and even spoof email addresses to make it seem like the message is genuinely coming from Microsoft, Google, or Apple.
Recently, researchers discovered a rise in phishing attacks pretending to be from Mastercard, with fake websites tricking individuals into entering their card details. This is a troubling trend that highlights how cybercriminals constantly devise new ways to catch people off guard.
So, how can you determine if an email from Microsoft is authentic or a dangerous fake?
The key is to slow down and remain vigilant. Genuine emails from companies like Microsoft will never pressure you with urgent language like, “Click this link immediately, or your account will be locked.” Such phrasing is a major red flag.
Always scrutinise the sender’s email address closely. At first glance, it may appear legitimate, but a closer inspection could reveal subtle changes, such as “micros0ft.com” instead of “microsoft.com.” Cybercriminals depend on you not noticing these small details.
Additionally, avoid clicking on links from emails you’re unsure about. If you have doubts, it’s safer to type the official website address directly into your browser.
Being cautious might feel inconvenient at times, but it’s a far better option than dealing with the aftermath of a cyberattack.
Phishing scams will only become more convincing. That’s why it’s crucial to:
- Stay alert
- Invest in effective cybersecurity tools
- Utilise smart protections such as multi-factor authentication (which requires two forms of identification to log in, not just a password)
Remember: the more trusted the brand, the bigger the target it becomes for scammers. That email that appears to be from Microsoft? It might just be a wolf in sheep’s clothing.
We can help you and your team stay better protected and more vigilant against phishing scams like these.
Get in touch with us.
Previous Blog Posts and Updates
Have you ever felt like just when you’ve nailed your cyber security – BAM! – something new comes along to throw a spanner in the works? That’s exactly what’s happening right now. There’s a new scam doing the rounds. And it’s catching out businesses just like yours. The worst part? Cyber criminals don’t even need your password. Scary… It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more. This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites. But with device code phishing, scammers play a smarter game. Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit. It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen. Nothing seems out of place. You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in. Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in. You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the login goes through the proper channels, it can even bypass multi-factor authentication (MFA). Yep, even if you’ve got extra security in place, they might still get in. Once they’re in, they can do a lot of damage. Reading your emails, accessing your files, even using your account to trick others in your company. It’s like handing over the keys to your office and you don’t even realise it. It’s dangerous because it doesn’t look suspicious. You’re on a real Microsoft site, not some suspicious fake. You didn’t click a weird link or enter your password into a phishing form. Everything looks above board… except it’s not. And because attackers are using legitimate Microsoft login flows, traditional security tools don’t always catch it. Plus, once they’re in, they can stay in. They don’t need to keep logging in if they’ve captured your session token (that’s a sort of digital "pass" that keeps you logged in behind the scenes). So even changing your password won’t necessarily kick them out right away. A big question then: How can you protect your business? Start by getting your team to be extra cautious with login requests. Especially ones that involve entering codes. If you get a device code from someone, stop and think: Did I request this? Do I know for sure this is real? If you’re not sure, don’t go through with it. Use a separate method, like a direct phone call or your company’s messaging system, to double-check with the person who sent the email. Remember, real Microsoft logins don’t involve someone else giving you a code to enter. If that ever happens, it’s a red flag. From a technical side, your IT team (or IT provider) can also tighten things up. If your business doesn’t need device code login as part of its daily operations, it’s safest to turn it off altogether. They can also put in place extra security rules that only allow logins from trusted locations or devices. And finally, keep training your people. Good cyber security is about awareness. If your team knows what to look out for, they’re much less likely to fall for these kinds of tricks. Can we help you tighten up your security? Get in touch.
The faster your employees report a potential cyber security issue, the less damage is done to your business. But how can you encourage quick reporting? Check our latest blog for some solid ideas.
You’re wasting your time on annual cyber security training. Why? Because it’s simply not cutting it anymore. Check out our blof and discover a better plan here.
Bad news: Cyber attacks are faster than ever before. If you don’t take the right precautions your business could become a victim in the blink of an eye.
Microsoft’s made another update to Windows 11, and while it’s a small one, it could make a big impact. We have all the details of what’s changing. Check our latest blog post.
Windows PCs running slowly? It doesn’t necessarily mean it’s time to replace them. There are some other ways you can give things a boost. We’ll tell you how in our latest blog post.
Microsoft’s Edge browser has an amazing new search feature that we think is a total game changer, and the most compelling reason yet to switch. We have all the details.
Cyber criminals are targeting businesses of all sizes, all the time. And new research shows just how they’re doing it. We tell you how to stay protected.
Microsoft plans to charge for updates to Windows 10 starting next year (2025). We tell you your three options… and which we recommend.
Unlike its name suggests, the blue screen of death doesn’t always mean the worst for your computer. However, it can still be a frustrating issue to solve, especially if you’re not well-versed in troubleshooting. Whether you’re a seasoned computer user or a novice, understanding the BSOD is essential for maintaining a healthy and functional PC. Keep reading to learn what causes the blue screen of death and how you can fix it.