Fake Microsoft 365 / Office 365 / Teams account suspended phishing — impersonates Microsoft security notices claiming account is suspended, password expired, or unusual sign-in detected, driving to a credential-harvest page; Microsoft is the #1 most impersonated brand in business email phishing (APWG 2024); FBI IC3 2023: Microsoft-impersonation BEC caused $2.9B in losses
fake-microsoft-365-office-account-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
This signal targets phishing emails that impersonate Microsoft security notices. They claim that the victim's Microsoft 365, Office 365, Teams, or Outlook account has been suspended or locked, or that its password has expired, and that immediate action is required. The link leads to a credential-harvest page styled as Microsoft's sign-in portal.
Key facts:
(1) APWG 2024 Phishing Activity Trends Report: Microsoft is consistently the #1 most impersonated brand in business email phishing, appearing in more than 20% of all brand-phishing emails. Microsoft 365 credentials are the highest-value target in corporate credential harvesting because they provide access to email, SharePoint, Teams, Azure AD, and all integrated business applications.
(2) FBI IC3 2023: business email compromise (BEC) enabled by Microsoft impersonation phishing resulted in $2.9B in reported losses, the largest category of financial cybercrime. The credential-harvest-to-BEC pipeline typically takes 48–72 hours from the initial click to the first fraudulent wire transfer request.
(3) Microsoft 365 phishing campaigns frequently use adversary-in-the-middle (AiTM) proxies that capture both credentials and session cookies, bypassing SMS-based MFA and allowing attackers to maintain persistent access even after a password reset.
(4) Legitimate Microsoft security notifications arrive from accountprotection.microsoft.com or account.microsoft.com, always include a "Review recent activity" link that deep-links to account.microsoft.com (never a third-party domain), and never threaten permanent account deactivation via a standalone link.
Warning signs: sender domain not microsoft.com or microsoftonline.com, link to a non-Microsoft domain, threat of permanent deactivation, no reference to the specific device or location of the suspicious sign-in, no MFA challenge.
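The first three warning signs above can be checked mechanically. The sketch below is an added example, not Gorganizer's own code; the function names, the threat-wording regex, and the sample messages (with example.net placeholder hosts) are assumptions made for illustration, and it handles single-part plain-text mail only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the page names as legitimate for Microsoft notices.
MS_DOMAINS = ("microsoft.com", "microsoftonline.com")
# Assumed wording for the "permanent deactivation" threat; tune on real mail.
THREAT_RE = re.compile(r"permanent(ly)?\s+(deactivat|delet|suspend|clos)", re.I)
BRAND_RE = re.compile(r"microsoft|office\s*365|outlook|teams", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_ms_domain(host):
    """True only for an exact match or a real subdomain (label boundary),
    so 'microsoft.com.evil.example.net' and 'notmicrosoft.com' both fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MS_DOMAINS)

def warning_signs(raw):
    """Return the warning signs found in one raw single-part message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    signs = set()
    if not BRAND_RE.search(f"{display} {msg.get('Subject', '')} {body}"):
        return signs  # not Microsoft-themed, so the checks do not apply
    if not is_ms_domain(addr.rpartition("@")[2]):
        signs.add("sender_not_microsoft")
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    if any(not is_ms_domain(h) for h in hosts):
        signs.add("link_off_microsoft")
    if THREAT_RE.search(body):
        signs.add("permanent_deactivation_threat")
    return signs

# Constructed samples (not real mail).
PHISH = """From: Microsoft 365 Security <alerts@microsoft.com.mail-notice.example.net>
Subject: Your account is suspended

Your Office 365 mailbox will be permanently deactivated today.
Sign in: https://login.microsoftonline.com.verify.example.net/auth
"""
LEGIT = """From: Microsoft account team <security@accountprotection.microsoft.com>
Subject: Unusual sign-in activity

Review recent activity: https://account.microsoft.com/activity
"""
```

The returned set is a list of contributing signs rather than a verdict, and a From header can be spoofed, so a sender-domain match alone does not prove the message is genuine.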
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.