Threat · Phishing & impersonation

Fake Microsoft 365 / Office 365 license expiry billing phishing — non-Microsoft sender claims the recipient's Microsoft 365 or Office 365 subscription has expired or will expire imminently and that access to email, OneDrive, Teams, Word, or Excel will be lost unless payment details are updated or verified immediately

fake-microsoft-365-license-expiry-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal matches phishing emails that impersonate Microsoft and claim the recipient's Microsoft 365 or Office 365 subscription is expiring or has already expired, and that access to email, OneDrive, Teams, Outlook, Word, or Excel will be lost unless payment details are updated or verified immediately. Microsoft 365 has 345+ million paid seats globally, making it the most-impersonated SaaS product in B2B phishing. The urgency of "losing access to email and work files" drives high click-through rates, especially among non-technical employees.

Key facts:

(1) Real Microsoft 365 renewal emails originate exclusively from microsoft.com or office.com domains, always reference an existing payment method on file, and direct users to account.microsoft.com, never to external billing portals.
(2) Microsoft never asks customers to "re-enter" credit card details by email; all billing management is done through the authenticated Microsoft 365 admin center.
(3) These phishing pages typically harvest credit card details and billing address and are hosted on newly registered lookalike domains.
(4) The Microsoft Digital Crimes Unit (DCU) disrupted 750+ domains impersonating Microsoft in 2023 alone.

Warning signs: an email from any domain other than microsoft.com or office.com, urgency framing about immediate access loss, a request to "enter" or "verify" a payment method, and a link to an external portal not at microsoft.com.
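The warning signs above, expressed as a small heuristic over raw messages. This is an added example, not Gorganizer's own code: the regexes, the indicator names, and the rule that the expiry theme plus a non-Microsoft sender plus at least one further indicator must match are assumptions for illustration, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = ("microsoft.com", "office.com")  # sender domains the page names as legitimate
THEME = re.compile(r"(microsoft|office)\s*365", re.I)
EXPIRY = re.compile(r"\b(expir\w+|renew\w*|suspend\w+)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|lose access)\b", re.I)
PAYMENT = re.compile(r"\b(update|verify|re-?enter|enter)\b.{0,40}\b(payment|billing|card)\b", re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_trusted(host):
    # Exact match or true subdomain only, so microsoft.com.evil.example fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def indicators(raw):
    """Return the set of warning signs found in one single-part RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = set()
    if THEME.search(text) and EXPIRY.search(text):
        hits.add("m365_expiry_theme")
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_trusted(sender.rpartition("@")[2]):
        hits.add("non_microsoft_sender")
    if URGENCY.search(text):
        hits.add("urgency")
    if PAYMENT.search(text):
        hits.add("payment_request")
    if any(not in_trusted(urlparse(u).hostname) for u in URL.findall(body)):
        hits.add("external_link")
    return hits

def signal_fires(raw):
    # Assumed rule: theme + non-Microsoft sender + at least one more warning sign.
    h = indicators(raw)
    return {"m365_expiry_theme", "non_microsoft_sender"} <= h and len(h) >= 3

# Constructed sample messages (not real mail).
PHISH = ("From: Microsoft Billing <billing@m365-renewal.example>\n"
         "Subject: Your Microsoft 365 subscription has expired\n\n"
         "Verify your payment method immediately:\nhttps://m365-renewal.example/billing\n")
LEGIT = ("From: Microsoft <billing@microsoft.com>\n"
         "Subject: Your Microsoft 365 subscription renews soon\n\n"
         "Your payment method on file will be charged. See https://account.microsoft.com/services\n")
```

The sender check reads the From header as written, which a sender can forge, so in practice it belongs alongside SPF, DKIM and DMARC results rather than in place of them.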

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
