
Is This Microsoft Security Alert Email a Scam? How to Tell

Got a Microsoft email about unusual sign-in activity or an account security alert? Here's how to tell if it's real or a phishing scam — the red flags, and the safe way to check.

Short answer: a "Microsoft security alert" about unusual sign-in activity, pushing you to click a link and "verify" your account, is one of the most common phishing emails in circulation. A Microsoft account often unlocks email, Office files, and OneDrive — so it's a high-value target, and the alerts are easy to fake.

The tricky part is that Microsoft does send real security notifications. Here's how to tell them apart.

Quick check: Don't click the email's link. Go to account.microsoft.com (type it yourself) or account.live.com and review your recent activity there. Microsoft won't ask for your password or a verification code by email.

What a real Microsoft alert looks like

A genuine Microsoft security email comes from Microsoft domains (such as accountprotection.microsoft.com or microsoft.com) and points you to sign in at your account page to review activity. A real alert never asks you to reply with your password or a code, and it doesn't hinge on a countdown. You can always confirm a real sign-in alert by checking the recent-activity page yourself.

How to tell if your Microsoft email is a scam

  • Sender address. Real Microsoft mail comes from Microsoft-owned domains. Watch for lookalikes like microsoft-security.net, ms-account-verify.com, or microsft.com.
  • Links. Hover or long-press before tapping; a real link points to a microsoft.com / live.com domain, not a third party.
  • "Unusual sign-in activity." This is the signature bait line, often with a fake location to alarm you.
  • A fake "Microsoft 365" login page. The link leads to a near-perfect copy of the sign-in screen built to capture your password.
  • Requests for a code or password. Microsoft won't ask for these by email, and a code you didn't request is a red flag, not a thing to share.

Real Microsoft alert vs. scam at a glance

| Signal | Real Microsoft | Likely scam |
| --- | --- | --- |
| Sender domain | microsoft.com / accountprotection.microsoft.com | microsoft-security.net, microsft.com |
| Links | microsoft.com / live.com | Third-party domain |
| Asks for | Nothing sensitive | Password or a verification code |
| Tone | Informational, no deadline | "Account compromised," urgent |
| Where to act | account.microsoft.com (typed yourself) | A link in the email |

Anatomy of a fake Microsoft email

From: Microsoft account team <security@ms-account-verify.com>
Subject: Unusual sign-in activity

We detected a sign-in attempt from a new location:

Country/region: Russia
IP address: 185.xx.xx.xx

If this wasn't you, your account may be compromised. Review your
activity now:

      [ Review Recent Activity ]

What gives it away:

  • The domain ms-account-verify.com is not a Microsoft domain.
  • The scary location — a foreign sign-in is added to spike panic.
  • The button — leads to a fake Microsoft 365 login page that steals your password.
  • The urgency — "your account may be compromised" pushes you to click before thinking.

Ironically, the email warns you about account compromise while being the attempt to compromise it.
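
As an added example (not part of the original guide), the sender and link checks can be scripted in Python for triaging a forwarded message. The sample message and both of its URLs are constructed, and the trusted list holds only the domains this guide names; hosts are matched on a label boundary so that a lookalike containing "microsoft.com" does not pass.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the guide names as genuine. Subdomains such as
# accountprotection.microsoft.com are accepted by the suffix rule below.
TRUSTED = ("microsoft.com", "live.com")

def is_trusted_host(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    # Match on a label boundary: "microsft.com" and
    # "account.microsoft.com.signin.example" must both fail.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return the red flags found in one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Use the address, not the display name ("Microsoft account team").
    _, addr = parseaddr(str(msg.get("From", "")))
    sender = addr.rpartition("@")[2]
    if not is_trusted_host(sender):
        flags.append(f"sender domain is not Microsoft-owned: {sender}")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    for url in re.findall(r"https?://[^\s\"'<>)\]]+", body):
        host = urlsplit(url).hostname or ""
        if not is_trusted_host(host):
            flags.append(f"link leaves Microsoft domains: {host}")
    return flags

# Constructed sample modelled on the fake email above; both URLs are invented.
SAMPLE = """\
From: Microsoft account team <security@ms-account-verify.com>
Subject: Unusual sign-in activity

We detected a sign-in attempt from a new location.
Review your activity now: https://account.microsoft.com.signin.example/review
Help: https://account.microsoft.com/
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```

A sender domain that passes this check is not proof of authenticity, because the From header can be forged; treat the script as a filter for obvious lookalikes and still confirm at account.microsoft.com.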

The fake Microsoft 365 login page

The most dangerous part of this scam is the landing page. It's a pixel-accurate copy of the Microsoft sign-in screen, sometimes even pre-filling your email address to look legitimate. The moment you type your password, the scammer has it.

The defense is the same as always: never sign in from an email's link. Open your account page yourself and the fake page never gets your credentials.

The safe way to check your Microsoft account

  1. Don't use the links in the email.
  2. Type account.microsoft.com into your browser yourself and sign in.
  3. Open Security → recent sign-in activity. A real unusual-sign-in alert will be reflected there; a fake one won't be.

If you already clicked or shared details

  1. Stop entering anything; close the page.
  2. Change your Microsoft password from the real site, and sign out everywhere in your security settings.
  3. Turn on two-step verification, and review your security info (recovery email and phone).
  4. If you reused that password elsewhere, change it there too.
  5. Report it: use Outlook's "Report phishing" option, or forward the email to phish@office365.microsoft.com, then delete it.

For the full recovery walkthrough, see what to do if you clicked a phishing link.

Get it checked in minutes

Because Microsoft sends real alerts too, these are genuinely hard to call. Instead of guessing, forward the email to FraudRoom at check@fraudroom.com and get back a plain-English risk level and the safest next step, usually within minutes.

FAQ

Does Microsoft send "unusual sign-in activity" emails?

Yes, Microsoft sends real security alerts — but they don't ask for your password or a code, and you can always confirm them by checking recent activity at account.microsoft.com yourself rather than clicking the email.

What does a real Microsoft email address look like?

Legitimate Microsoft mail comes from Microsoft-owned domains, such as accountprotection.microsoft.com or microsoft.com. Lookalikes like microsoft-security.net or microsft.com are not Microsoft.

I entered my password on a fake Microsoft 365 page — what now?

Change your Microsoft password immediately from the real site, turn on two-step verification, and sign out of all sessions. If you reused the password, change it everywhere. Full steps are in the recovery guide above.

How do I report a Microsoft phishing email?

Use the "Report phishing" option in Outlook, or forward the email to phish@office365.microsoft.com, then delete it.

Key takeaways

  • "Unusual sign-in activity" with a link is the classic Microsoft phishing bait.
  • Microsoft sends real alerts too — confirm by checking activity at account.microsoft.com, not the email.
  • Never sign in from an email link; the fake Microsoft 365 page exists to steal your password.
  • Report fakes via Outlook or phish@office365.microsoft.com, and get close calls checked first.
