Make sure an email link is real not phishing, why does Microsoft makes it easier for criminals?

There’s a simple trick to ensure that an email is real, not a phishing trick to get your personal information.  But Microsoft makes it easy for phishing attacks to pretend that are the real thing..

Hover over a link in an Outlook email to see the real url that you’ll visit if you click.

Look carefully at the domain name, right after the https:// .  It should be the domain name of the legitimate company.  For example, all the links in the Office Watch and Office for Mere Mortals newsletters use  .  The ‘’ part means you know it’s from us.

Outlook shows the full email link in a tooltip when you hover the mouse pointer.

Ignore all the stuff after the domain name.  Anything after the third  /  character is data sent to the web server, it doesn’t indicate the real domain owner. has been recommending this simple trick for many, many years.

Use the best known domain

Ideally, all messages from a company use their main, popularly known domain.  It’s a protection for the company and reassuring to customers.

Google and AirBnb do that, among many.  Here’s examples from recent emails that use their main domain name.

But not Microsoft

Guess who doesn’t bother … yup, Microsoft.  The company assures us (endlessly) that they give customer security their highest priority but they don’t bother with a simple protection against phishing.

Here’s the link from a real Office 365 email about file deletion. It’s a type of email that’s commonly used by criminals to try getting your Microsoft account login.

The domain you’re linking to is  which isn’t obviously a Microsoft domain and might not be.

.MS is the top level domain for the island of Montserrat, not Microsoft though the company does rent some .ms domains ( is a common one). IS a Microsoft owned domain, but you must do a WhoIs domain ownership search to check that.  We did that but regular Microsoft customers should not need to bother.

Using a browser to or even the full domain (used in Microsoft’s email above) is no help.  At the least, Microsoft could put up a simple web page explaining their ownership of the domain and it’s use.

There’s nothing to stop someone registering a .ms domain name and we’ve done it!

Anyone can use .MS Top level domain and to prove it, we’ve registered OfficeWatch.MS  it redirects to our main site.

Nothing to do with Microsoft, but unwary people might not realize that.  Anyone can register a .ms domain and use it to fake Microsoft emails and links.

What must Microsoft do?

They should dump these obscure domain names in emails and use clear subdomains.

Instead of  Microsoft should use  that’s a simple DNS mapping that would take seconds to do and perhaps a few minutes to sync across global DNS servers.

Shortlinks … why bother in emails

Microsoft is probably using  .ms to make shorter web links but short links aren’t necessary in emails.  Their domain links aren’t that short with the long sub-domain name and unnecessary port suffix (port 443 is the default for https).

On social media like Twitter, short links have a place. Like many companies, has it’s own short domain  for our Twitter and Facebook posts.

But they aren’t needed in emails.  Email readers either click on links or, at worst, copy/paste a link.

Excel ‘system delay’ phishing trick
A different type of Office 365 phishing scam – by voicemail
Office 365 is #1 – for phishing and scamming