Threat · Scams & fraud

Fake Microsoft 365 / Office 365 MFA reset lure — "re-register your Authenticator app within 24 hours or account locked" targeting 400M+ M365 seats; credentials + MFA approval harvest enables attacker MFA device consent (persistent backdoor), Exchange Online mailbox exfil, SharePoint/OneDrive document exfil, Teams impersonation, Entra ID admin persistence

fake-microsoft-365-mfa-reset-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "your Microsoft 365 / Office 365 account requires MFA reset — re-register your Authenticator app within 24 hours or your account will be locked" email targeting corporate M365 users. With 400M+ paid M365 seats as of 2026, this is the single largest enterprise credential-harvest surface. The lure harvests M365 credentials and an MFA approval.

After compromise, attackers:

(1) consent their own MFA device for persistent backdoor access that survives password rotation;
(2) pivot to Exchange Online to exfiltrate the entire mailbox, sent items, and contacts for downstream spear-phishing;
(3) pivot to SharePoint / OneDrive to exfiltrate internal documents;
(4) pivot to Teams to impersonate the victim to coworkers for wire fraud or credential spread;
(5) pivot to Entra ID (formerly Azure AD) to create attacker-controlled admin accounts for long-term persistence.

The lure converts because Microsoft genuinely DOES send MFA prompts and Authenticator re-registration emails during tenant migrations, policy updates, and Conditional Access policy rollouts. Attackers mimic the exact Microsoft brand template (Segoe UI font, standard blue, Microsoft footer) and register lookalike domains like `microsoft-365-security.io`.

The signal fires when the body references Microsoft 365 / M365 / Office 365 / Microsoft Authenticator / MFA / multi-factor / Azure AD / Entra ID / Conditional Access AND contains MFA-reset / re-register / verification / account-locked / 24-hour urgency.

Excluded sender domains: microsoft.com, microsoftonline.com, office.com, office365.com, outlook.com, live.com, hotmail.com, azurecomm.net, sharepoint.com, onedrive.com, teams.microsoft.com, msrecipient.com, windows.net.

Auto-classified as danger via the `-lure` suffix.
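The firing condition described above can be sketched as follows. This is an added example, not Gorganizer's code: the regular expressions, the use of the From header, and the choice to treat subdomains of an excluded domain as excluded are assumptions; only the domain list and the two keyword groups come from the page.

```python
import re
from email.utils import parseaddr

# Sender domains the page lists as excluded from this signal.
EXCLUDED = {
    "microsoft.com", "microsoftonline.com", "office.com", "office365.com",
    "outlook.com", "live.com", "hotmail.com", "azurecomm.net",
    "sharepoint.com", "onedrive.com", "teams.microsoft.com",
    "msrecipient.com", "windows.net",
}
# Keyword patterns are assumptions derived from the page's prose.
TOPIC = re.compile(
    r"microsoft\s*365|\bm365\b|office\s*365|microsoft authenticator|\bmfa\b"
    r"|multi-?factor|azure ad|entra id|conditional access", re.I)
URGENCY = re.compile(
    r"mfa[\s-]*reset|re-?register|verif(?:y|ication)"
    r"|account\s+(?:will\s+be\s+)?locked|(?:24|twenty-four)[\s-]*hours?", re.I)

def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the From address ('' if unparsable)."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain: str) -> bool:
    """Match on a label boundary so look-alike names do not inherit the exclusion."""
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)

def fires(from_header: str, body: str) -> bool:
    """True when both keyword groups match and the sender is not excluded."""
    if is_excluded(sender_domain(from_header)):
        return False
    return bool(TOPIC.search(body) and URGENCY.search(body))

# Constructed sample messages (not real mail).
LURE = ("Your Microsoft 365 account requires MFA reset. Re-register your "
        "Authenticator app within 24 hours or your account will be locked.")
SAMPLES = [
    ("IT Security <alerts@microsoft-365-security.io>", LURE),  # look-alike
    ("Microsoft <no-reply@account.microsoft.com>", LURE),      # excluded sender
    ("Helpdesk <it@microsoft.com.example.net>", LURE),         # suffix trick
    ("News <digest@example.org>", "Microsoft 365 adds new Teams features."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{fires(sender, body)!s:5}  {sender}")
```

The third sample shows why the exclusion must compare whole domain labels: a substring or prefix test on `microsoft.com` would exempt a sender the attacker controls.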

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
