Threat: Phishing & impersonation

Fake Microsoft 365 / Office 365 quarantine digest message-release phishing — fraudulent email impersonating Microsoft 365, Office 365, Exchange Online, or Microsoft Defender for Office 365 claiming the recipient has N quarantined messages requiring release, their email delivery is on hold, or messages have been blocked — directing them to click "release messages" or sign in to review quarantined email — a credential-harvesting attack exploiting the genuine Microsoft 365 quarantine digest workflow that employees receive daily; Cofense 2024: quarantine-release phishing is a top-3 enterprise credential harvest vector; M365 has 300M+ monthly active users

fake-microsoft-365-quarantine-message-release-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Microsoft 365, Office 365, Exchange Online, or Microsoft Defender for Office 365 claiming the recipient has N quarantined messages requiring release, their email delivery is on hold, or messages have been blocked and will be permanently deleted unless they sign in to review.

Key facts:

(1) Cofense 2024: quarantine-release phishing is one of the top-3 enterprise credential harvesting vectors. Microsoft 365 has 300M+ monthly active users and sends genuine quarantine digest emails daily — this conditioning effect is unique: employees receive legitimate "you have quarantined messages" emails regularly and have been explicitly trained by Microsoft to click "Release". Attackers exploit this conditioned behavior perfectly.

(2) The attack replicates the exact visual format of Microsoft's genuine quarantine digest emails — same subject line pattern ("Microsoft 365 quarantine digest"), same "review and release" CTA, same urgency about permanent deletion after 30 days — distinguishable only by the sender domain. Most employees do not check the sender domain before clicking a button they press as part of their daily routine.

(3) The credential harvest is particularly dangerous because M365 credentials unlock email (full inbox access and sending), SharePoint (all company documents), Teams (all chat history and file sharing), OneDrive, and Azure AD — a single harvested credential often enables full organizational compromise.

(4) A 2024 Proofpoint study found that 68% of employees who received simulated quarantine-release phishing in training exercises clicked the release link without checking the sender — the highest click rate of any phishing simulation template.

Warning signs: sender domain not microsoft.com, office.com, or protection.outlook.com; no employee name or email address in the digest body; round numbers of quarantined messages (exactly 3, exactly 5); urgency about permanent deletion within 24 hours (legitimate quarantine holds for 30 days).
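As an added illustration (not Gorganizer's own code, whose scoring engine is not shown on this page), the following Python checks one email against the four warning signs listed above and, in the spirit of the convergence rule, flags only when the sender-domain sign co-occurs with a content sign. The function names, the two sample emails and the .example / .invalid domains are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Domains the page lists as legitimate digest senders; subdomains accepted, lookalikes not.
LEGIT_SENDER_DOMAINS = ("microsoft.com", "office.com", "protection.outlook.com")

def sender_domain(from_header: str) -> str:
    """Domain of the address part of a From header; the display name is ignored on purpose."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def is_legit_domain(domain: str) -> bool:
    # Assumes the From header passed SPF/DKIM/DMARC; without that a matching domain proves nothing.
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)

def quarantine_digest_signals(raw_email: str, recipient_name: str) -> dict:
    """Evaluate one email against the warning signs above. Hypothetical helper, not Gorganizer's code."""
    msg = message_from_string(raw_email)
    subject = (msg["Subject"] or "").lower()
    text = (msg.get_payload() if not msg.is_multipart() else "").lower()
    if "quarantine" not in subject and "quarantine" not in text:
        return {}  # not digest-styled; these heuristics do not apply
    to_addr = parseaddr(msg["To"] or "")[1].lower()
    count = re.search(r"(\d+)\s+(?:quarantined|blocked|held)\s+messages?", subject + " " + text)
    # "deleted ... within 24 hours" urgency; a genuine quarantine holds for 30 days.
    urgency = re.search(r"(?:delet|remov|purg)\w*.{0,80}?(\d+)\s*hours?", text, re.DOTALL)
    return {
        "sender_domain_not_microsoft": not is_legit_domain(sender_domain(msg["From"] or "")),
        "no_recipient_identity": recipient_name.lower() not in text and to_addr not in text,
        "round_message_count": count is not None and int(count.group(1)) in (3, 5),
        "deletion_urgency_hours": urgency is not None and int(urgency.group(1)) <= 24,
    }

def is_likely_quarantine_release_phish(raw_email: str, recipient_name: str) -> bool:
    """Flag only when the sender domain is wrong AND at least one content sign co-occurs."""
    s = quarantine_digest_signals(raw_email, recipient_name)
    return bool(s) and s["sender_domain_not_microsoft"] and sum(s.values()) >= 2

# Constructed samples, not real messages; .example / .invalid domains are placeholders.
PHISH = """From: "Microsoft 365 Security" <quarantine@m365-secure-notice.example>
To: jane.doe@example.com
Subject: Microsoft 365 quarantine digest: 5 quarantined messages

You have 5 quarantined messages pending release.
They will be permanently deleted within 24 hours unless you sign in to review them.
Release messages: https://release.example.invalid/
"""
LEGIT = """From: Microsoft 365 <quarantine@messaging.microsoft.com>
To: jane.doe@example.com
Subject: Microsoft 365 quarantine digest

Quarantined messages for jane.doe@example.com
You have 12 quarantined messages. Items are held for 30 days before being removed.
"""
```

The sender check is only meaningful on an authenticated From header; in a real pipeline it should read the Authentication-Results header rather than trusting the domain string alone.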

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.

Get started