Fake Microsoft / Outlook / Office 365 MFA or sign-in alert sent from a non-Microsoft domain claiming a suspicious sign-in was blocked and the target must approve or re-authenticate via the link — credential-harvest cross-domain phish targeting MFA fatigue. Real Microsoft security mail originates from microsoft.com / accountprotection.microsoft.com only.

Fake Microsoft / Outlook / Office 365 MFA or sign-in alert sent from a non-Microsoft sending domain (From / Reply-To / link domains do not align with microsoft.com / accountprotection.microsoft.com / outlook.com) claiming a suspicious sign-in or unusual activity was detected and the recipient must approve, re-authenticate, or review activity via the embedded link — credential-harvest cross-domain phish that exploits MFA fatigue and "account compromised" anxiety. Real Microsoft security communications originate exclusively from microsoft.com or accountprotection.microsoft.com with DMARC-aligned signing and always direct users back to account.microsoft.com or login.microsoftonline.com — never to third-party domains. The cross-domain mismatch is the defining signal. Distinct from generic mfa-prompt-phish — this targets the Microsoft / Outlook / Office 365 brand / suspicious sign-in / cross-domain From-link mismatch pretext. Detection: Microsoft brand vocabulary (suspicious sign-in, unusual activity, MFA approval, verify identity) + sender or link domain ≠ microsoft.com / accountprotection.microsoft.com + no DMARC alignment. Trash score: +5. Source: GC1-R31; APWG Microsoft impostor phishing report 2025; Microsoft Defender anti-phishing guidance; CISA Microsoft credential-harvest advisory.