Phishing Emails Pretend to be Office 365 ‘File Deletion’ Alerts



A new phishing campaign is underway that pretends to be from the “Office 365 Team” warning recipients that there has been unusual amount of file deletions occurring on their account.

The phishing scam, shown below, pretends to be a warning from the Office 365 service that states a medium-severity alert has been triggered. It then goes on to say that there has been high amount of files deletions occurring in their Office 365 account and that they should review the alerts.

Office 365 Phishing Email

The text of this phishing scam can be read below.

A medium-severity alert has been triggered
Unusual volume of file deletion
Severity: Medium
Time: 05/26/2019 07:36:39 pm (UTC)
Activity: FileDeleted
Details: 15 matched activities in 5 minutes.
View alert details

Thank you,
The Office 365 Team

If you click on the “View alert details” link, you will be brought to a fake Microsoft account login page that prompts you to login. 

Phishing Scam Landing Page

As this page is hosted on Azure, the site is secured with a certificate signed by Microsoft. This adds legitimacy to the scheme by making it appear as a Microsoft-sanctioned URL. Azure is increasingly being used by scammers for this purpose.

Microsoft Certificate

When you enter a password, the email address and password is sent to the web page, which is under the attackers control. This page will save the inputted credentials so that the phisher can retrieve them later.

Sending Stolen Credentials

The landing page will then redirect a victim to the legitimate where they will be prompted to login again.

Legitimate Microsoft Login Page

In the past, we have always advised users to closely examine phishing landing page URLs for suspicious domains. By hosting phishing pages on Azure, landing pages are now located on domains like and, and it gets a bit trickier.

For Microsoft accounts and logins, it is important to remember that the login forms will be coming from,, and domains only. If you are presented with a Microsoft login form from any other URL, it should be avoided.



About Author

Comments are closed.