Incoming Phishing Email? - Subject = [Case#:XXXXXXXX] Microsoft 365 Support

%3CLINGO-SUB%20id%3D%22lingo-sub-1725457%22%20slang%3D%22en-US%22%3EIncoming%20Phishing%20Email%3F%20-%20Subject%20%3D%20%5BCase%23%3AXXXXXXXX%5D%20Microsoft%20365%20Support%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1725457%22%20slang%3D%22en-US%22%3E%3CP%3EAn%20incoming%20email%20purportedly%20from%20Microsoft%20Support%20with%20the%20subject%20line%3A%26nbsp%3B%5BCase%23%3AXXXXXXXX%5D%20Microsoft%20365%20Support%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20references%20a%20support%20case%20that%20we%20never%20created%2C%20but%20they%20managed%20to%20hit%20all%20three%20Office%20365%20administrators%3B%20however%20they%20sent%20it%20addressed%20to%20personal%20Gmail%20and%20Yahoo%20accounts%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPartial%20message%20body%20reads%20as%20follows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Hello%20Admins%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20name%20is%20XXX%2C%20and%20I'm%20a%20Microsoft%20Ambassador%20for%20Office%20365.%20This%20is%20a%20courtesy%20outreach%20to%20make%20sure%20you%20are%20getting%20the%20most%20out%20of%20your%26nbsp%3B%26nbsp%3BOffice%20365%20E1%26nbsp%3Bspecifically%20about%20Microsoft%20Teams.%20I%E2%80%99ll%20give%20you%20a%20call%20to%20discuss%20further.%26nbsp%3B%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20legitimate%2C%20because%20I'm%20thinking%2C%20%22No.%22%20If%20it%20is%20not%20legitimate%2C%20to%20whom%20do%20I%20need%20to%20contact%20and%20submit%20information%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20any%20insight.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1725457%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1726165%22%20slang%3D%22en-US%22%3ERe%3A%20Incoming%20Phishing%20Email%3F%20-%20Subject%20%3D%20%5BCase%23%3AXXXXXXXX%5D%20Microsoft%20365%20Support%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1726165%22%20slang%3D%22en-US%22%3E%3CP%3EOk%2C%20so%20attempt%20%232%20comes%20across%203.5%20hours%20later%2C%20a%20copy%20and%20paste%20of%20the%20original%20message%2C%20and%20again%20sent%20to%20email%20addresses%20not%20listed%20for%2Funder%20the%20Office%20365%20account%20Administrators%20contact%20information.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20header%20information%20seems%20to%20check%20out%20as%20originating%20from%20Microsoft%2C%20but%20if%20it's%20legitimate%2C%20why%20wouldn't%20they%20use%20the%20Administrator%20emails%20as%20listed%20in%20the%20account%2C%20or%20carry%20through%20with%20the%20body%20of%20the%20message%20and%20reach%20out%20to%20the%20company's%20main%20line%20telephone%20number%2C%20which%20is%20also%20listed%20in%20the%20account%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

An incoming email purportedly from Microsoft Support with the subject line: [Case#:XXXXXXXX] Microsoft 365 Support

 

It references a support case that we never created, but they managed to hit all three Office 365 administrators; however they sent it addressed to personal Gmail and Yahoo accounts?

 

Partial message body reads as follows:

 

"Hello Admins, 

 

My name is XXX, and I'm a Microsoft Ambassador for Office 365. This is a courtesy outreach to make sure you are getting the most out of your  Office 365 E1 specifically about Microsoft Teams. I’ll give you a call to discuss further. "

 

Is this legitimate, because I'm thinking, "No." If it is not legitimate, to whom do I need to contact and submit information?

 

Thanks in advance for any insight.

1 Reply
Highlighted

Ok, so attempt #2 comes across 3.5 hours later, a copy and paste of the original message, and again sent to email addresses not listed for/under the Office 365 account Administrators contact information.

 

The header information seems to check out as originating from Microsoft, but if it's legitimate, why wouldn't they use the Administrator emails as listed in the account, or carry through with the body of the message and reach out to the company's main line telephone number, which is also listed in the account?