Checklist: How to Not Fall for Fake Office 365 Email Phishing Attempts

Employees falling for phishing attacks are one of the most common causes of successful cyber attacks against Office 365. It’s important that every employee and guest user in the organisation understands how these attacks work and how to spot them before they give away their credentials.

The checklist in this post (or a similar one) should be shared with users as part of employee on-boarding and security awareness training, and should also be repeated regularly. It’s also a good practice to run simulated phishing attacks at least every quarter.

You can use the Office 365 Attack Simulator in Office 365 ATP P2, or create your own simulated attacks with a customised URL that logs clicks. The attack simulator is very handy since it sends emails from non-Microsoft domains and also monitors whether users give away their credentials or not. Use the insights to educate users properly.

Feel free to use this checklist in your own organisation and modify it to your needs:

Checklist: Do not fall for fake Office 365 email phishing attempts!!

This is a checklist for basic spam awareness in Office 365, and in general. Before clicking on unknown links in emails and other messages in Office 365, go through this checklist to verify that the link is safe:

  1. Always be suspicious and double check the URL before clicking it. Do not be a zombie who clicks on links automatically.
  2. In Outlook, hover the mouse over the link to see the actual URL before clicking it. Do not click if you do not know what it is.
  3. If it looks strange, Google the domain and try to find out more information. Maybe someone else already revealed a potential hoax?
  4. If you decide to click the link, check that the site has a valid SSL certificate. You can see this in your browser's address bar. Look for the padlock icon.
  5. If you are presented with a Microsoft sign-in screen, go through the following checklist to know it is valid:
    • If you are on a company device, you should not need to sign in at all. Single sign-on should sign you in automatically on such a device. Very suspicious! Stay alert!
    • If you try to sign in with your email address, the background image should change to a company branded background before you get prompted for your password. If the background does not change, this is also very suspicious! Do not enter your password!
    • Check the domain name in the browser address bar. We are always signing in to for Microsoft services.
    • Before signing in with your real username, try to sign in with an invalid email address first, just to see how the site acts. Even an error page can give you clues. If it accepts fake credentials, you know it is fake. Stay away!
    • If you are uncertain, it is better to ask first. Check with IT. They can help you!
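Items 2 and 4 of the checklist (compare the visible link text with the real target, and expect HTTPS) can also be applied automatically to the HTML body of a message before it reaches a user. The following is an added example, not code from the original post; the sample message and the example.com/example.net hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that itself looks like a URL (with or without a scheme).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(url_like):
    """Lower-cased hostname of a URL-like string, or None if it has none."""
    if "://" not in url_like:
        url_like = "https://" + url_like
    try:
        return (urlparse(url_like).hostname or "").lower() or None
    except ValueError:
        return None


def check_links(html):
    """Return (href, reason) for each anchor that fails the hover check:
    a non-https target, or visible text that names a different host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        scheme = urlparse(href).scheme.lower()
        if scheme != "https":
            findings.append((href, "not https"))
        if URL_LIKE.match(text) and _host(text) != _host(href):
            findings.append((href, f"visible text points elsewhere: {text}"))
    return findings


# Constructed sample: one look-alike link, one plain-http link, one honest link.
SAMPLE = """<p>Your mailbox is almost full.</p>
<a href="https://example.net/signin">https://login.example.com/signin</a>
<a href="http://example.net/reset">Reset password</a>
<a href="https://example.org/help">https://example.org/help</a>"""
```

Only the first two anchors are reported; the third passes because the shown URL and the real target agree and use HTTPS.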

This is what happens when you reply to spam email

Finally, I would like to share this humorous TED talk video about what might happen if you reply to spam email 🙂

Please follow me here, on LinkedIn and on Twitter!

