Fake Microsoft 365 / Office 365 account expiry or compromise phishing — fraudulent email impersonating Microsoft 365, Office 365, SharePoint, or OneDrive claiming the recipient's account is expiring, suspended, compromised, or that their storage quota is exceeded — directing them to click a link to sign in, verify credentials, update account details, or re-authenticate to prevent deactivation — a credential-harvesting phishing attack targeting enterprise Microsoft 365 accounts

Phishing emails impersonating Microsoft 365, Office 365, OneDrive, SharePoint, or Microsoft Teams — claiming the recipient's account is about to expire, has been suspended or compromised, or that their storage quota has been exceeded — directing them to click a link to sign in, verify credentials, update account details, or re-authenticate. Microsoft 365 credential phishing is among the highest-volume enterprise attack vectors. Key facts: (1) Microsoft is the most impersonated brand in phishing emails by volume (Check Point Brand Phishing Report Q4 2024) — Microsoft 365 credential theft provides access to the broadest range of enterprise data: email, SharePoint files, Teams conversations, OneDrive documents; (2) Compromised Microsoft 365 credentials enable Business Email Compromise (BEC) attacks from within the organization — attackers send wire transfer and gift card requests that appear to come from legitimate internal email addresses; (3) OAuth consent phishing (a related variant) tricks users into granting malicious third-party app access to their M365 account — the attacker receives persistent access that persists even after password changes; (4) Legitimate Microsoft communications about account expiration or license renewal are sent from @microsoft.com domains, are listed on account.microsoft.com, and never threaten immediate account deletion within 24 hours. Warning signs: non-microsoft.com sender domain, 24-hour expiry or immediate suspension threat, click-to-sign-in CTA with non-Microsoft URL, storage limit exceeded with urgency.