Scammers exploiting Microsoft business notifications to launch attacks
- Delta 365
- Jul 24
- 3 min read
Microsoft 365 is at the heart of modern business, but with its popularity comes risk - especially from scammers looking to exploit busy teams and outdated systems.
In recent months, we’ve seen a sharp rise in phishing emails, fake renewal notices, and even fake refund calls pretending to be from Microsoft. For small and mid-sized businesses, these scams can lead to downtime, lost data, or even financial loss.
Here’s what you need to know - and how to stay protected.
A genuine Microsoft email with a nasty surprise inside
The attack kicks off with a legitimate email in which Microsoft thanks the recipient for purchasing a Microsoft 365 Apps for Business subscription. The email does, in fact, arrive from the Redmond tech giant’s legitimate address: microsoft-noreply@microsoft.com. One would be hard-pressed to imagine an email address with a more trusted reputation, so the message easily gets past any email server filters.
The contents match a typical purchase confirmation. In the screenshot below, the company thanks the recipient for buying 55 Microsoft 365 Apps for Business subscriptions worth a total of $587.95.

The crux of the scam lies in the text attackers add to the Billing information section. Typically, this section contains the subscriber company’s name and the billing address. However, the scammers swap out that information for their own phone number, plus a note encouraging the recipient to call “Microsoft” if they need any assistance. The types of “purchased” subscriptions suggest that the scammers are targeting company employees.
They prey on a common employee fear: making an expensive, unnecessary purchase could cause trouble at work. And since resolving the issue by email isn’t an option (the message comes from a no-reply address), the victim is left with little choice but to call the phone number provided.
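The detail that makes this scam work is that every sender-level check passes: the notification really does come from microsoft-noreply@microsoft.com, so a filter that only looks at the From domain sees nothing wrong. The anomaly is in the body, where the Billing information section holds a phone number and a "call us" note instead of a company name and address. The script below is an added example, not code from the Delta 365 post or from Microsoft; both email texts are constructed samples laid out the way the post describes the notification, and the "Billing information" label and header layout are assumptions about that format. It shows a sender check that passes for both messages alongside a body check that only flags the tampered one.

```python
"""Flag a purchase-confirmation email whose Billing information section
carries a phone number and a call-to-action instead of a company name
and billing address.

Added example; the two messages below are constructed samples, and the
section label / header layout are assumptions about how such a
notification is structured.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the scam: genuine-looking sender, but the
# billing block has been replaced with a call-back number (555-01xx is a
# reserved fictional number range).
SCAM_EMAIL = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: employee@example.test
Subject: Thank you for your purchase

Thank you for purchasing Microsoft 365 Apps for Business.
Quantity: 55
Total: $587.95

Billing information
For any assistance with this order, call Microsoft at 1-800-555-0199
and our team will help you.

Order summary
(omitted)
"""

# Constructed benign sample: same sender, normal billing block.
BENIGN_EMAIL = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: employee@example.test
Subject: Thank you for your purchase

Billing information
Example Ltd
1 Example Street
Manchester M1 1AA
United Kingdom

Order summary
(omitted)
"""

# A run of digits with optional separators, long enough to be a phone number.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Wording that pushes the reader towards the phone rather than the portal.
CALL_TO_ACTION_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.IGNORECASE)


def billing_section(body: str) -> str:
    """Return the lines between the 'Billing information' label and the next blank line."""
    lines = body.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.strip().lower() == "billing information")
    except StopIteration:
        return ""
    section = []
    for line in lines[start + 1:]:
        if not line.strip():
            break
        section.append(line)
    return "\n".join(section)


def analyse(raw_email: str) -> dict:
    """Combine a sender-domain check with a content check on the billing block."""
    msg = message_from_string(raw_email)
    _, sender_addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # single-part plain text in these samples
    section = billing_section(body)
    phones = [p.strip() for p in PHONE_RE.findall(section)]
    call_to_action = bool(CALL_TO_ACTION_RE.search(section))
    return {
        "sender_is_microsoft": sender_addr.lower().endswith("@microsoft.com"),
        "billing_phone_numbers": phones,
        "billing_call_to_action": call_to_action,
        # A phone number plus "call us" where an address belongs is the tell.
        "suspicious": bool(phones) and call_to_action,
    }


if __name__ == "__main__":
    for name, sample in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(sample))
```

Both messages report sender_is_microsoft as true; only the tampered one is marked suspicious, which is the point: for notifications generated by a real service, the check has to look at where the attacker could inject text, not at who sent the mail.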
Who answers the calls, and what happens next?
If the victim takes the bait and decides to call to inquire about the subscriptions they’ve supposedly purchased, the scammers deploy social engineering tricks.
A Reddit user, who’d received a similar email and called the number, shared their experience. According to the victim, the person who answered the call insisted on installing some support software, and sent an EXE file. The subsequent conversation suggests that the file contained a RAT of some kind.
The victim didn’t suspect anything was amiss until the scammer promised to refund money to their bank account. That was a red flag, as they shouldn’t have had access to the victim’s banking details. The scammer went on to ask the victim to sign in to their online banking to check if the transaction had gone through.
The victim believes that the software installed on their computer was malware that would have allowed the attackers to intercept their login credentials. Fortunately, they recognised the danger early enough and hung up.
Clues to look out for:
Urgent language like “Your subscription has expired!”
Non-Microsoft email domains
Links that don’t go to microsoft.com
Note that the email described above passes all three of these checks. There, the giveaway is a phone number and a note urging you to call, sitting where the Billing information section should show the company name and billing address.
How to protect yourself against such attacks
Malicious actors keep finding new loopholes in well-known, perfectly legitimate services to use for phishing campaigns and scams. That’s why, to keep an organisation secure, you need not only technical protections but also administrative controls. Here’s what we recommend:
Enable Multi-Factor Authentication (MFA)
This one’s a must. MFA blocks over 99% of account breach attempts - even if your password is compromised.
Train Your Team to Spot Threats
Train your employees to spot potential threats early. This process can be automated with learning tools like Sophos Phish Threat, which simulates hundreds of realistic, challenging phishing attacks in just a few clicks to teach employees what to look out for.
Monitor Microsoft 365 Activity
Set up alerts for suspicious login attempts, impossible travel events, or logins from unexpected countries.
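"Impossible travel" means two sign-ins by the same account whose distance apart could not have been covered in the time between them; "unexpected country" means a sign-in from somewhere the organisation has no staff. The script below is an added example, not code from the Delta 365 post or from Microsoft. The sign-in records are constructed, and their field names (user, time, ip, country, lat, lon) are an assumption for this example rather than the real Microsoft 365 sign-in log schema, which you would map into this shape after export.

```python
"""Detect impossible-travel and unexpected-country sign-ins over a batch of
sign-in records.

Added example. The records are constructed and the field names are an
assumption for this example, not the exact Microsoft 365 / Entra ID
sign-in log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    ip: str
    country: str   # ISO 3166-1 alpha-2
    lat: float
    lon: float


# Assumption for the example: where this organisation expects staff to sign in from.
EXPECTED_COUNTRIES = {"GB", "IE"}
# Faster than a commercial flight between two consecutive sign-ins is "impossible".
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events: list[SignIn]) -> list[dict]:
    """Return one alert dict per unexpected-country or impossible-travel finding."""
    alerts = []
    last_seen: dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.country not in EXPECTED_COUNTRIES:
            alerts.append({"kind": "unexpected_country", "user": ev.user,
                           "ip": ev.ip, "country": ev.country})
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Treat back-to-back sign-ins as at least one second apart so
            # two events with an identical timestamp do not divide by zero.
            hours = max((ev.time - prev.time).total_seconds(), 1.0) / 3600.0
            if km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append({"kind": "impossible_travel", "user": ev.user,
                               "from_ip": prev.ip, "to_ip": ev.ip,
                               "km": round(km), "hours": round(hours, 2)})
        last_seen[ev.user] = ev
    return alerts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2025, 7, 24, hh, mm, tzinfo=timezone.utc)


# Constructed records: alice appears in London and then Lagos 40 minutes later;
# bob travels Dublin -> Manchester over roughly three hours, which is plausible.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "203.0.113.10", "GB", 51.5074, -0.1278),
    SignIn("bob", _t(9, 5), "198.51.100.7", "IE", 53.3498, -6.2603),
    SignIn("alice", _t(9, 40), "192.0.2.44", "NG", 6.5244, 3.3792),
    SignIn("bob", _t(12, 0), "198.51.100.90", "GB", 53.4808, -2.2426),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, alice produces two alerts (an unexpected country and an impossible-travel pair about 5,000 km apart in 40 minutes) while bob produces none. A real deployment would read the exported sign-in log into the same shape and tune EXPECTED_COUNTRIES and the speed threshold to the organisation.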
Partner with a Managed IT Provider
We keep an eye on your systems 24/7, ensuring suspicious behaviour is caught before it becomes a crisis. Plus, we help manage your Microsoft 365 licences, so you never fall for dodgy third-party renewal emails.
Microsoft 365 might be powerful, but it’s not immune to human error or targeted scams. If you’re unsure about how secure your setup really is - or you’ve had a few near misses - it might be time for a quick chat.
Want a free Microsoft 365 security check-up?
Get in touch with our friendly team and we’ll help you review your setup, no obligation.