Skip to main content
ThreatOther

Compliance-deadline phishing exploiting Microsoft's real April 30 2026 SMTP AUTH / Basic Authentication sunset. Email uses the legitimate deadline for urgency — "basic auth retiring," "SMTP AUTH deadline," "app password will stop working," "IDCRL retirement" — plus a panic CTA ("migrate now," "re-authenticate now," "avoid service disruption," "mailbox will be suspended") pointing at a non-Microsoft URL that harvests M365 credentials. Microsoft Tech Community + Learn docs are the authoritative deadline reference; historical precedent: 2022 first-wave basic-auth deprecation spawned dozens of phishing campaigns per Sophos — April 2026 deadline replays this exactly

ms365-basic-auth-deprecation-panic-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Compliance-deadline phishing that exploits the real Microsoft SMTP AUTH / Basic Authentication sunset on April 30 2026 (documented in Microsoft Tech Community and Microsoft Learn deprecation posts). The attacker cites the genuine deadline to create urgency: "basic authentication is being deprecated," "SMTP AUTH deadline April 30," "your app password will stop working," "legacy SharePoint authentication IDCRL is retiring May 1." The email then pushes a panic CTA — "migrate now," "re-authenticate now to avoid service disruption," "your mailbox will be suspended" — pointing at a non-Microsoft URL that looks like an O365 sign-in page but harvests credentials. The real Microsoft 2022 first-wave basic-auth deprecation spawned dozens of phishing campaigns per Sophos and Microsoft's own threat reports; the April 2026 deadline is expected to replay that wave, with tens of millions of users and every IT admin in the world in-play. Distinct from generic MS365 credential phishing because it rides on a REAL policy change with a REAL deadline — users who know the deadline is real are primed to click. Legit Microsoft communications link exclusively to microsoft.com / learn.microsoft.com / microsoftonline.com / office.com. Any "migrate now to avoid mailbox suspension" email whose link target is a non-Microsoft host is, by construction, a phish — there is no legitimate third-party migration portal.

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Browse all signalsSafety guaranteesJSON

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.

Get started