Fake Microsoft 365 / Office 365 password expiry or account locked credential phishing — non-official sender impersonates Microsoft claiming the recipient's Microsoft 365, Office 365, or Outlook account password is expiring, expired, or the account is locked or sign-in has been blocked, directing them to click a link to reset their password or verify credentials through a credential-harvesting portal

Phishing emails impersonating Microsoft claiming the recipient's Microsoft 365, Office 365, or Outlook account password is expiring, has expired, or that their account has been locked, suspended, or had sign-in blocked due to a security event — directing them to click a link to reset their password or verify credentials through a harvesting portal. Microsoft 365 credential theft is catastrophic in enterprise contexts, enabling attackers to access corporate email, SharePoint files, Teams conversations, and OneDrive documents. Key facts: (1) Microsoft is the #1 most-impersonated brand in business email phishing (Verizon DBIR 2024, Cofense 2023); Microsoft 365 credential phishing causes an estimated $2.4B in annual business losses; (2) Legitimate Microsoft password expiry notices arrive from microsoft.com with List-Unsubscribe headers and direct users to account.microsoft.com — they never link to external "password renewal" portals; (3) Password expiry phishing campaigns are heavily automated: attackers rent Microsoft 365 phishing kits that replicate the exact Microsoft login UI, use adversary-in-the-middle (AiTM) techniques to capture session tokens and bypass MFA; (4) Microsoft 365 accounts with MFA enabled can still be compromised through AiTM proxy phishing — this attack class is specifically targeting Microsoft accounts at scale. Warning signs: sender domain not matching microsoft.com or microsoftonline.com, "password expires in X hours" framing, external password reset link, urgency to act before account lock.