Office 365 Phishing: How It Happens

Office 365 is a subscription many people are familiar with. With a whole suite of easy-to-use programs, what’s not to like about it? Even iOS users find themselves using this handy tool.

But its popularity may also be its downfall. With over 60 million active commercial customers, Office 365 is a scammer’s gold mine. This becomes a question of when, not if, cybercriminals will try to breach your organization’s defenses.

Find out how Office 365 phishing happens and what your company can do to fend off attempts.

By pretending to be a non-delivery email

Cybercriminals are very talented at masquerading as trusted names. Office 365 phishing attacks often disguise themselves as Microsoft itself. You’ll get a convincing email saying that your message couldn’t be delivered.

When you click on the “send again” link, it’ll take you to a spoofed Office 365 login site. Once you enter your username and password, the scammers will receive your login details, which they can try on other sites to hijack your accounts.

What’s so ingenious about this scam is most people don’t even realize they’ve been duped. After they log in, a JavaScript function sends the credentials to the cybercriminal, then redirects you to the actual Outlook login page.

MORE : Phishing Email Example

protect from phishing
protect yourself from phishing

By circumventing Office 365 anti-phishing measures

Office 365 Advanced Threat Protection works by comparing links inside emails to known malicious sites. If they match, then the emails are blocked. But if no links initially shared inside the email are harmful, then ATP lets them through.

What cybercriminals are doing now is linking to legitimate files, such as SharePoint documents. This successfully bypasses ATP’s security measures. The actual malicious links sit within the documents.

Once you open them, a spoofed login page pops up, requiring you to log in. Since the page doesn’t seem out of the ordinary, most users then enter their username and password.

Be wary of phishing attempts

Just because Office 365 has built-in security doesn’t mean you should let your guard down.

Although office 365 anti-phishing does a decent job at blocking phishing attempts, cybercriminals are continually thinking up new ways to exploit vulnerabilities in the system.

By staying vigilant, you and your employees can fend off attacks. Some key things to practice are:


  • Double-checking email addresses (don’t rely solely on the display name)
  • Avoiding clicking on any links
  • Avoid opening any attachments
  • Looking for obvious spelling and grammar mistakes
  • Checking for corporate signatures
  • Alerting your security officer about suspicious emails
protection from phishing attacks
protect against phishing

Up your email security for Office 365

Now that you’ve seen how cybercriminals can attack your organization, you need to implement better security for Office 365, in addition to better employee awareness. One way to do so is to install office 365 phishing protection software. This works great coupled with your existing antivirus program and Office 365 ATP. With three types of Office 365 protection, your business can deter scammers much more easily.

Enterprise-class email protection without the enterprise price

For flexible per-user pricing, PhishProtection’s integrated email security solution protects your employees from business email compromise (BEC) and many other email threats. 24×7. On any device. With features you’d expect in more expensive solutions:

All Plans Come With

  • Stops business email compromise (BEC)
  • Stops brand forgery emails
  • Stop threatening emails before they reach the inbox
  • Continuous link checking
  • Real-time website scanning
  • Real time alerts to users and administrators
  • Protection with settings you control
  • Protection against zero day vulnerabilities
  • Complete situational awareness from web-based console

Join 7500+ Organizations that use Phish Protection

Phish Protection works with System Administrators, IT Professionals and IT Executives in thousands of companies worldwide. Sign up and protect your organization from phishing attacks in less than 5 minutes