MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Office 365 “Confirm your billing information” Scam Imitates Microsoft Support

Written by MailGuard | 19 November 2025 01:01:21 Z

Compromising a single Microsoft 365 account can give scammers the keys to your business. Once inside, they can access sensitive files, hijack mailboxes, authorise fraudulent payments, and impersonate executives to deceive staff, suppliers, and customers. The latest phishing campaign targeting Microsoft 365 users shows just how easily attackers can trick even vigilant employees, using trusted branding, realistic login pages, and multi-step deception to steal credentials, credit card details, and SMS verification codes.

MailGuard is intercepting the scam spoofing Microsoft Office 365 account alerts, with a lure that claims there is a problem confirming your billing information, that urges you to “Confirm Account” to avoid permanent impact. It is engineered to steal your Microsoft 365 credentials, credit card details and one-time passcodes, then redirects victims to the genuine Office.com site to reduce suspicion.

What we're seeing

An HTML email with a single link:  
  • Email subject: Confirm your Office365 billing information
  • Display name: Office365
  • From: [customerdomain]message.secureinformation.sendout@account.net
  • Display address: [customerdomain]message.secureinformation.sendout@account.net
  • Sending address: [customerdomain]message.secureinformation.sendout@account.net
    The recipient’s own domain appears at the start of the address string, which is a social engineering trick to increase trust.

After clicking the 'Confirm Account' button:

Step 1. Email capture page requests your email address.

Step 2. Password page asks for your Microsoft 365 password.

Step 3. Payment page collects credit card number, expiry, CVV and phone number.

Step 4. SMS code page prompts for a one-time code, then redirects to https://www.office.com/ once submitted.

At the end of the sequence, victims are redirected to the real Microsoft https://www.office.com website. After stealing your data, the threat actor lands you on the official site so the experience feels legitimate and you are less likely to report it.

These fraudulent scam pages are hosted on attacker controlled domains, not Microsoft. The visual fidelity is high, including logos, fonts and UI states, which lowers suspicion for time poor users.

Why this threat is dangerous

  • Credential theft and account takeover. Stolen usernames and passwords enable mailbox hijack, internal phishing and data exfiltration.
  • Payment fraud. Collected card data can be used immediately or sold on.
  • MFA bypass. The SMS code prompt allows attackers to validate transactions or create persistent access.
  • Operational and reputational damage. Compromised mailboxes are often used to target customers, partners and staff.

Indicators and red flags

  • Sender domain pattern like [yourdomain]message.secureinformation.sendout@account.net.
  • Vague display name “Office365” and generic salutation “Dear Customer.”
  • Urgent language about account impact or permanent suspension.
  • Links that lead to non Microsoft domains, even if the final step lands on Office.com.
  • Requests for password, card details and SMS codes on the same journey.

Recommended actions for organisations

  • Block and remove at scale. If one user received the email, assume others did. Remove tenant wide.
  • Harden authentication. Enforce phishing resistant MFA methods where possible and monitor risky sign ins.
  • Educate users. Remind staff that Microsoft will not ask for passwords, SMS codes or full card details via an email link.
  • Layer protection for Microsoft 365. Multi layer controls reduce exposure to fast moving phishing that cycles domains quickly. 

 

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters!  Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.  

 
View full post