The Great Microsoft Email Scam: How a Phony Delivery Failure Nearly Nabbed Credentials

by | Oct 7, 2024 | Scams

When a ‘Failed Delivery’ Email from Microsoft Isn’t What It Seems

Picture this: You’re working away, managing your business, when suddenly, you get an email. The subject? “Undeliverable: Mail Delivery Failed.” Oh no! Panic sets in because emails are vital to your day-to-day operations. But don’t worry, the email says you can fix the problem with just one click to “Restore Messages.” Before you rush to click, let me tell you how this scam almost tricked me—and how you can avoid it.

The Scam Email

The Hook

A Legit-Looking Sender—But Something Feels Off

The email came from what appeared to be a legitimate Microsoft address: surveys@email.formspro.microsoft.com. At first glance, everything looked authentic. And let’s be real, most of us don’t second-guess an email that comes from a “Microsoft.com” domain.

But here’s where it gets tricky: scammers know how to exploit legitimate Microsoft platforms like Forms and Dynamics to send their emails, which helps them sneak past your spam filters. So, even though this email looked authentic, it was a carefully crafted fake.

How the Scam Works

Tricking You into Clicking Without Thinking

The scammers are counting on your panic. After all, no one wants to miss an important email! They tell you that you need to “Restore Messages” and even throw in some technical jargon to make it sound like a real Microsoft email.

Here’s the first red flag: the message says, “This message is from a trusted sender.” But instead of appearing above the email where trusted sender alerts usually are, this line was actually in the email body. Yup, the scammer wrote that themselves. A sneaky but telling mistake.

The second giveaway? A few subtle font changes in key words like “g” “u” and “n” were slightly bigger than the surrounding text. It’s a small typo, but one that a professional email from Microsoft would never make.

Message from a trusted sender

Detecting the Fake

Look Before You Click—Always Hover Over the Link!Check the Hyperlink

The most important step before clicking on any email link? Hover over it. The scammers want you to think you’re heading to a Microsoft page, but in this case, the link was pointing to forms.gle—a Google Forms link, not a Microsoft site. Sure, it’s easy to brush off, thinking “It’s still legit, it’s just a form.” Wrong!

Forms.gle is a Google domain, so you should be asking yourself, “Why is Microsoft using Google Forms to warn me about undeliverable emails?” Spoiler: They wouldn’t!

What Happens When You Click

The Scam Gets Even Sneakier

Now, here’s where the scam gets clever. If you clicked the link, you’re taken to a seemingly trustworthy Microsoft 365 Privacy Statement page. This helps to build trust and distracts you from the fact that you’re not on a real Microsoft site, it’s Google.

Next, they throw in a CAPTCHA asking you to prove you’re not a robot, throwing around terms like MFA (multi-factor authentication) to sound legit. But guess what? The CAPTCHA offers no real security—just another way to lull you into a false sense of safety.

Microsoft Privacy Statement in Google Docs MFA that's a Captcha

The Final Trap

Logging In Could Hand Over the Keys to Your Kingdom

Fake M365 Sign in Page

If you’ve made it this far without realizing it’s a scam, you’re taken to what looks like a typical Microsoft sign-in page. But look closely at the web address. Instead of logging in directly on Microsoft’s secure servers, the page is actually relaying your information through a scammer’s server (like xyz.duckdns.org).

Scammers server M365 Redirect

This is where the scam gets dangerous. Even if you have multi-factor authentication (MFA) enabled, these sneaky scammers are after your session cookies—little bits of code that keep you logged in without needing to re-enter your password. Once they have your session cookie, they can gain full access to your Microsoft account without needing your MFA code.

And if you’re the Global Admin for your organization’s Microsoft 365 account? Congratulations, the scammers now control everything—your emails, your files, and even your ability to make purchases through Microsoft.

How to Avoid Falling for This Scam

  1. Check the Sender: Always double-check the sender’s email address, but don’t stop there. Just because it looks legit doesn’t mean it is.
  2. Hover Over Links: Before clicking on any link, hover over it to see where it’s really sending you. If it doesn’t look right (like a Google link for a Microsoft email), it’s a scam.
  3. Read the Text: Scammers rely on your panic. Take a moment to really read the email. Look for inconsistencies like typos or misplaced “trusted sender” messages.
  4. Use an IT Team: Don’t be afraid to ask for help. IT teams are trained to spot these scams and can help protect you and your business.

Don’t Let Panic Cloud Your Judgment—Stay Sharp!

Scammers are getting more sophisticated by the day, using real platforms and familiar branding to trick us into giving up valuable information. But with a little caution and a few extra steps—like hovering over links and reading email texts carefully—you can avoid falling into their trap.

So, the next time you get an email about a “failed delivery,” take a deep breath, read carefully, and hover over those links. Your Microsoft account (and your sanity) will thank you.