Phishing Microsoft

45% of credential-phishing attacks impersonate Microsoft accounts.

Let’s put this in perspective. According to the 2020 Data Breach Report, phishing makes up nearly 80% of all successful cyber attacks in North America. Phishing is the most significant cyber threat to big businesses, small businesses, and individuals. 22% of data breaches in 2020 involved phishing, and that number is expected to rise in 2021. On top of this, 83% of phishing attacks involve brand impersonation.

Here are some other notable stats:

  • $17,700 is lost every minute due to phishing attacks
  • Data breaches cost an average of $3.92 million
  • 97% of users are unable to recognize a sophisticated phishing email
  • 30% of phishing emails are opened, and 12% click on malicious links
  • 85% of all organizations in the world have been hit by a phishing attack at least once
  • There were more than 60,000 phishing websites reported in March 2020

Taking all of that into account, it is fair to say that your Microsoft Accounts are under attack.



Why Microsoft Accounts?

More and more organizations, especially small businesses, are moving to Office 365. Between their productivity (Word, Excel, etc.), document management (OneDrive, SharePoint, etc.), and communication (Outlook, Teams, etc.) software, Microsoft offers a suite of services at affordable prices that are tailored to fit many needs. Whether or not you are a fan of Microsoft, their business model is popular and effective.

The thing is, just like small business owners, hackers are looking for the biggest bang for their buck. A phishing website costs $3-$12 to put up. An email list can be purchased on the dark web for around $200. Phishing email build kits sell for around $50. They are spending money to make money, so it makes sense that they want to catch as many people as possible when they cast their net. Targeting Microsoft credentials can provide them with information to sell – validated credentials fetch a high price on the dark web – and can give them undetected access to the victim's network and the data on it.

Typically, catching one person makes back the initial investment. As we noted above, 30% of phishing emails are opened, and 12% click on malicious links. In the United States alone, there were 651,200 companies using O365. It really is just a numbers game for them.

Phishing Lures

Microsoft phishing attacks take many forms, from the simple to the complex. Some of the more successful are:

  • An emailed link claiming that Mary wants to share a file with you; clicking it leads to a page that asks you to log in – credentials stolen
  • An eFax link that takes you to a fake O365 login page when you click on it – credentials stolen
  • A pretend automated message saying that you missed a Teams chat, which asks you to log in when you click on it – credentials stolen

And even if you are not currently a Microsoft user, they can still target you. Since Microsoft has such a visible brand, with many products and logos that are easy to imitate, we see lures that promise coupons, demos, special pricing, and other such offers. Clicking on them will almost certainly infect your device with malware: keyloggers, ransomware, and tools that let the attacker bypass security controls.

Staying Safe

The single most effective tool against all kinds of phishing is Security Awareness Training! No matter how elaborate the phishing lure might be, there are always tells. Whether it is the email address, language used, format, manufactured sense of urgency, or other such indicator, users who know what to look for are much less likely to fall for the scam. We discuss Phishing a great deal specifically for this reason.
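The tells mentioned above (a sender address that only looks like Microsoft, a link whose visible text does not match where it actually goes, a sign-in page on a look-alike domain, manufactured urgency) can be checked mechanically. The following script is an added example, not part of the original article or any Microsoft tooling; it runs over two constructed messages, one modelled on the "Mary wants to share a file" lure and one modelled on a genuine OneDrive share notification. The allow-list of Microsoft domains, the brand tokens, and the urgency phrases are assumptions chosen for illustration, and a real mail filter would need fuller lists.

```python
"""Flag common tells of a Microsoft-themed phishing email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allow-list of domains Microsoft actually uses for sign-in
# and sharing mail. A production filter would maintain a fuller list.
MICROSOFT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com", "office.com",
    "office365.com", "sharepoint.com", "sharepointonline.com", "onedrive.com",
}
# Brand words that a look-alike domain is likely to contain (assumption).
BRAND_TOKENS = ("microsoft", "office", "o365", "onedrive", "sharepoint", "outlook", "teams")
# Phrases that signal manufactured urgency (assumption).
URGENCY_PHRASES = ("expires", "immediately", "24 hours", "avoid losing", "suspended")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (adequate for the .com domains used here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions_brand(host):
    return any(tok in host.lower() for tok in BRAND_TOKENS)


def analyze(email):
    """Return a list of human-readable findings; an empty list means no tells found."""
    findings = []

    # 1. Sender: a Microsoft brand word inside a domain Microsoft does not own.
    match = re.search(r"<([^>]+)>", email["from"])
    sender = (match.group(1) if match else email["from"]).strip()
    sender_host = sender.rsplit("@", 1)[-1]
    if mentions_brand(sender_host) and registered_domain(sender_host) not in MICROSOFT_DOMAINS:
        findings.append(f"sender domain imitates Microsoft: {sender_host}")

    # 2. Links: where the link really goes versus what the user sees.
    parser = LinkExtractor()
    parser.feed(email["html"])
    for href, text in parser.links:
        dest = urlparse(href)
        dest_host = dest.hostname or ""
        shown_host = (urlparse(text).hostname or "") if "://" in text else ""
        if shown_host and registered_domain(shown_host) != registered_domain(dest_host):
            findings.append(f"displayed URL {shown_host} but link goes to {dest_host}")
        if mentions_brand(dest_host) and registered_domain(dest_host) not in MICROSOFT_DOMAINS:
            findings.append(f"link domain imitates Microsoft: {dest_host}")
        if dest.scheme == "http" and ("login" in href.lower() or "signin" in href.lower()):
            findings.append(f"sign-in link served over plain http: {href}")

    # 3. Manufactured urgency in the body text (tags stripped first).
    body = re.sub(r"<[^>]+>", " ", email["html"]).lower()
    hits = [p for p in URGENCY_PHRASES if p in body]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the "Mary wants to share a file" lure.
LURE = {
    "from": "Mary Jones <mary.jones@sharepoint-online-docs.com>",
    "html": (
        '<p>Mary has shared "Q3 Budget.xlsx" with you.</p>'
        '<p><a href="http://login.microsoft0nline-secure.com/common/oauth2/authorize">'
        'https://onedrive.live.com/Q3-Budget</a></p>'
        '<p>This link expires in 24 hours. Sign in now to avoid losing access.</p>'
    ),
}
# Constructed sample modelled on a genuine OneDrive share notification.
GENUINE = {
    "from": "Mary Jones (via OneDrive) <no-reply@sharepointonline.com>",
    "html": (
        '<p>Mary shared "Q3 Budget.xlsx" with you.</p>'
        '<p><a href="https://contoso-my.sharepoint.com/:x:/g/personal/mary_contoso_com/EbQ3">'
        'Open</a></p>'
    ),
}

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("genuine", GENUINE)):
        print(name, analyze(msg) or ["no tells found"])
```

Run it and the lure produces five findings (imitating sender domain, displayed-versus-actual link mismatch, imitating link domain, sign-in over plain http, urgency language) while the genuine notification produces none. The point for a user is the same as for the script: the visible link text and the sender's display name are chosen by the attacker, so the things worth checking are the actual destination host and the actual sending domain.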

And it’s working.

Almost 70% of users are actively aware of phishing attacks, and about 15% of them are reporting phishing attacks to their security teams. That is way up from 15% awareness and 1.2% reporting only three years ago.

The problem is that it only takes 1 person to click on a malicious link to expose credentials, infect a network with ransomware, or – worse – cause a data breach. For that reason, security professionals also recommend:

  • Activate 2FA (two-factor authentication, also called MFA) on every account that supports it
  • Always use a passphrase instead of a password; passphrases are longer and harder to guess
  • Run security updates as soon as they are available
  • Make sure your antivirus program is active and updated
  • Be suspicious of any request for personal information
  • Don’t click on links; type the website address yourself or make a phone call
  • Don’t get drawn in by demands for urgency; take a breath and check the request's legitimacy

With hackers growing more advanced, attacks are only going to increase in number and complexity. If you have a Microsoft account at home or work, you are a target. Of course, you are also a target if you use: Google, Amazon, Facebook, Netflix, Apple, any financial services, commerce services, educational services, government services – the list goes on and on and on.


So far as hackers are concerned, we are all targets, and awareness is the defense that is most likely to keep us safe.
