MailGuard is intercepting a new phishing email campaign designed to deceive Microsoft 365 users with a fake subscription renewal notification. The scam is currently circulating in high volumes and is crafted to lure victims into opening a malicious .htm attachment that mimics a legitimate Microsoft billing portal.
The attack begins with an email purporting to come from “Microsoft Billing” (see image below), alerting the recipient that their Microsoft 365 subscription could not be renewed. A sense of urgency is created through the inclusion of an .ics calendar file that blocks out time in the victim’s schedule, pushing them to act quickly.
The phishing email presents itself as a failed Microsoft 365 subscription notice, urging action via attachments.
Also attached is an HTML file named to suggest it's a secure billing statement. When opened, this file launches a convincing imitation of Microsoft’s subscription payment portal (see images below).
A fake payment landing page asks users to confirm their billing — using a local HTML file, not a legitimate Microsoft domain.
Victims are prompted to enter their credit card and contact details under the guise of a $5.29 monthly billing form.
The flow includes a simulated "processing" screen and warning messages to increase urgency and credibility.
These steps mirror the tactics used in other advanced phishing campaigns — combining urgency, brand impersonation, and local HTML files to avoid detection.
🔒 But here’s the catch — everything about this setup is fake.
The email originates not from Microsoft, but from a compromised .shop domain, and the attachment is a phishing trap designed to steal:
This is a credential harvesting and payment card fraud scam, carefully engineered to bypass common email filters and exploit trust in the Microsoft brand.
Stay Safe - Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day', email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.