IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc.
Scam Alerts

Microsoft 365 Password Expiry Emails: Always a Scam

IsThisAScam Research Team · April 7, 2026 · 4 min read
Contents
  1. Microsoft 365 Password Expiry Emails: Always a Scam
  2. The Email You'll Receive
  3. Why This Scam Works So Well
  4. What the Phishing Page Looks Like
  5. How to Identify the Scam
  6. What Attackers Do With Your Account
  7. If You Entered Your Credentials

Microsoft 365 Password Expiry Emails: Always a Scam

Here's a fact that immediately exposes one of the most common phishing campaigns: Microsoft officially recommends against password expiration policies. In 2019, Microsoft removed password expiration from their security baseline recommendations, calling forced password changes "an ancient and obsolete mitigation of very low value." If you receive an email saying your Microsoft 365 password is about to expire, it's a scam. Full stop.

The Email You'll Receive

"Your Microsoft 365 password will expire in 24 hours.

To maintain access to your email, Teams, OneDrive, and other Microsoft services, you must update your password immediately.

[Keep My Password] [Change Password]

If you do not update your password, your account will be locked and you will lose access to all Microsoft 365 services."

The email uses Microsoft's branding — the familiar blue color scheme, the Microsoft logo, and the clean layout of legitimate Microsoft communications. It may reference specific services you use (Outlook, Teams, SharePoint, OneDrive) to feel more relevant. The "Keep My Password" option is clever social engineering: it makes recipients feel like they have a choice, and both buttons lead to the same phishing page.

Why This Scam Works So Well

Many organizations did enforce password expiration policies in the past, and some still do despite Microsoft's recommendation against it. Employees who have experienced forced password changes in previous jobs accept the premise without questioning it. The scam also creates a specific and believable consequence — being locked out of your email and Teams — that feels urgent enough to act on immediately.


The timing is often deliberate. These emails spike on Monday mornings (when losing email access would be most disruptive), during business hours (when IT staff are available to "help" if you call a number in the email), and at the end of fiscal quarters (when work pressure makes people less careful).

What the Phishing Page Looks Like

Clicking either button takes you to a near-perfect replica of the Microsoft 365 login page. You see the blue Microsoft logo, the familiar "Sign in" header, and the email/phone/Skype input field. Many victims don't hesitate — they type their work email and password automatically, because they've done it a thousand times before.

Advanced versions of this attack use a technique called adversary-in-the-middle (AiTM) phishing. The fake login page proxies your credentials to the real Microsoft login in real time. If you have multi-factor authentication enabled, the page prompts you for your MFA code, which is also relayed to Microsoft's real servers. The attacker completes the authentication on their end, captures the session cookie, and gains full access to your Microsoft 365 account — bypassing MFA entirely.

How to Identify the Scam

Microsoft doesn't send password expiry emails. If your organization has configured password expiration policies (against Microsoft's recommendation), the notification comes from your organization's IT system — not from Microsoft directly. The email would come from your company's domain, not from microsoft.com.

Check the sender address. Real Microsoft emails come from domains like @microsoft.com, @accountprotection.microsoft.com, or @email.microsoft.com. Phishing emails come from addresses like microsoft-365@password-update.com or security@ms-account-alert.net.

The URL is wrong. Microsoft 365 login happens at https://login.microsoftonline.com. Any other domain is phishing. Check the address bar carefully — attackers use domains like login-microsoftonline.com, microsoftonline-login.com, or microsoft365.password-reset.net.

Contact your IT department. If you're unsure whether a password notification is real, contact your IT helpdesk directly — using a known phone number or email, not a number provided in the suspicious email. They can confirm whether your organization uses password expiration and whether any legitimate notifications were sent.
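As an added example (not the tool's own detection logic), here is a small Python triage script that applies the three checks above, the expiry claim itself, the sender domain and the link host, to a constructed email. The allowlisted sender domains and the real login host come from the text; the phrase list, the regex and the sample message are assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate sender domains and the real login host, as named in the article.
LEGIT_SENDER_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com",
                        "email.microsoft.com"}
REAL_LOGIN_HOST = "login.microsoftonline.com"
# Phrases typical of the lure (assumed list, not an exhaustive signature).
EXPIRY_PHRASES = ("password will expire", "update your password",
                  "account will be locked")
URL_RE = re.compile(r"https?://[^\s\"'<>\])]+")

def sender_domain(from_header: str) -> str:
    """Domain after the '@' of the From: header, lower-cased ('' if malformed)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def is_real_login_url(url: str) -> bool:
    """Only https://login.microsoftonline.com/... counts as the real login page."""
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "").lower() == REAL_LOGIN_HOST

def looks_like_microsoft(host: str) -> bool:
    """Brand lookalike: the host contains 'microsoft' once hyphens/dots are removed."""
    return "microsoft" in host.replace("-", "").replace(".", "")

def triage(from_header: str, body: str) -> dict:
    """Apply the article's checks and return a verdict with the reasons."""
    reasons = []
    if any(p in body.lower() for p in EXPIRY_PHRASES):
        reasons.append("claims the password is expiring; Microsoft sends no such notice")
    dom = sender_domain(from_header)
    if dom not in LEGIT_SENDER_DOMAINS:
        reasons.append(f"sender domain {dom!r} is not a Microsoft domain")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_real_login_url(url):
            kind = "brand-lookalike" if looks_like_microsoft(host) else "non-Microsoft"
            reasons.append(f"{kind} link host {host!r}; real login is {REAL_LOGIN_HOST}")
    return {"verdict": "phishing" if reasons else "no indicators", "reasons": reasons}

# Constructed sample modelled on the lure quoted above (not a real message).
SAMPLE_FROM = "Microsoft 365 <microsoft-365@password-update.com>"
SAMPLE_BODY = """Your Microsoft 365 password will expire in 24 hours.
Keep My Password: https://login-microsoftonline.com/keep
Change Password: https://microsoft365.password-reset.net/reset"""

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_BODY))
```

A notice sent from your own organization's domain is also flagged by this script, which is the intended behaviour: the article's advice for that case is to confirm with the IT helpdesk through a known contact.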

What Attackers Do With Your Account

A compromised Microsoft 365 account is extremely valuable. Attackers can read all your emails, access documents in OneDrive and SharePoint, impersonate you in Teams conversations, and send phishing emails from your account to your colleagues, clients, and partners. Emails from a trusted internal sender bypass most security filters and get clicked at dramatically higher rates.

Business email compromise campaigns often start exactly this way: one compromised account sends invoices with modified bank details to the finance department, or sends a "wire transfer request" from a senior executive's account. The average BEC loss exceeds $125,000 per incident.

If You Entered Your Credentials

Change your Microsoft 365 password immediately at account.microsoft.com. Enable MFA if it's not already on, preferably using a hardware security key or the Microsoft Authenticator app rather than SMS. Go to mysignins.microsoft.com and revoke all active sessions. Check your email rules in Outlook for any forwarding rules you didn't create. Notify your IT department — they need to investigate whether the attacker accessed sensitive data or sent phishing emails from your account.

Remember: any email telling you your Microsoft password is about to expire is lying. Close it, report it as phishing, and move on.
