Skip to content

Office 365 is #1 - for phishing and scamming

Office 365 is the most popular target for phishing and scamming.  A new record that you won’t find mentioned in all the hype about Office as a service.

Vade Secure reports that Office 365 is the #1 target for criminals trying to get your password and login details.  Microsoft has held the top spot for the last year, beating out the usual ‘winners’ like Paypal.

It’s not getting any better.  After the usual Xmas/New Year lull, phishing attempts against Office 365 rose to peak in early March 2019.

Hackers love to gain access to Office 365 accounts hosted by Microsoft.  It’s a single login that gives the criminals access to an organizations documents and emails.  Perhaps trick people with fake invoices or get other staff to reveal their passwords?

With more organizations switching to Office 365 to host their email and documents, it becomes an increasingly juicy target for criminals.

The scams work by send emails which trick people into using a fake Microsoft login page. The page looks and acts just like the real thing. Hackers even import resources from the real Microsoft site to make the page complete.  The emails might even come appear to come from real Microsoft addresses like [email protected]

After someone has typed their login details into the fake site, they often redirect people to the real Microsoft Office 365 web site so they don’t realize anything is wrong.

The hackers quickly use the email and password to login to the Office 365 account and cause trouble.

Not just Office 365 hosting

While hosted Office 365 is the biggest target for criminals, they’ll make use of any Office 365,, Hotmail or other login.

Any account is a prize for a criminal hacker.  For example, getting into someone’s account lets criminals do identity theft, steal from accounts, send phishing emails to your contacts and more.

There’s not a lot Microsoft or any other target (like Paypal, Netflix, Facebook, Google etc) can do about phishing.  They should offer Two-factor Authentication and organizations should at least encourage it’s use or make it compulsory as the US Government recommends.

What can you do?

Regular users know what we’re going to say because we’ve been saying it for years.

Two-factor Authentication prevents most, if not all, phishing attempts. Even if you’re fooled into giving away login and password to a fake site, the criminals can’t get into your account because they don’t have the extra time-limited factor or code.

Check the real web link of any incoming email.   Outlook for Windows and Mac makes that easy, just hover your mouse pointer over any link to reveal the real url (as opposed to what’s visible in the email).

Make sure the primary domain name in the link is correct, in this case .

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.