author: “WellForce IT Security Team” credentials: “Microsoft 365 Security Specialists | Managed IT Services, Raleigh & DC” schema: [“Article”, “FAQPage”]
Email Phishing Warning: How to Spot the Signs and Respond in Microsoft 365
AEO Definitive Answer
An email phishing warning is any signal that an incoming message is attempting to deceive the recipient into revealing credentials, clicking a malicious link, or transferring funds. The most reliable phishing warning signs are mismatched sender domains, urgency-driven language, unexpected attachments, and broken or redirected hyperlinks. Recognizing these indicators is only half the equation—your response workflow inside Microsoft 365 determines whether the threat is contained or spreads.
The 8 Visual and Textual Red Flags in a Phishing Email
Most phishing warnings are visible before you click anything. The problem is that employees have been trained to scan for obvious signals—a Nigerian prince, misspelled words—while attackers have spent years eliminating exactly those tells.
Here are eight red flags that remain reliable in 2026:
1. Domain mismatch in the From field. The display name says “Microsoft Support” but the actual sending domain is microsofft-help[.]ru. Hover or expand the sender field. The display name is cosmetic; the domain is structural.
2. Reply-to address diverges from sender. A legitimate invoice from your vendor sends replies to a Gmail address you’ve never seen. This is a classic business email compromise (BEC) setup—the attacker wants your response to land somewhere they control without alerting your mail filters.
3. Urgency or threat framing. “Your account will be suspended in 24 hours.” “IRS Notice: Immediate response required.” Urgency compresses the time a recipient spends evaluating the message. That compression is the attack.
4. Unexpected attachment with a generic filename. Invoice_2026.xlsx, DocuSign_complete.pdf, Shipping_Label.zip. Legitimate senders rarely send unsolicited attachments without prior context established in your email thread.
5. Hyperlinks that don’t match their anchor text. Mouse over the link before clicking. If the visible text says https://yourbank.com but the underlying URL is a long string with an unfamiliar TLD or an IP address, that’s a hard stop.
6. Requests for credentials or sensitive data via email. No legitimate Microsoft service, bank, or HR system asks you to confirm your password over email. Full stop.
7. Generic salutation despite appearing to be from a known contact. “Dear Valued Customer” from your account manager of five years is a signal that someone spoofed their address or their account was compromised.
8. Embedded images that carry the entire message. Some phishing emails render all text as a single image to evade text-based spam filters. If you can’t highlight or copy any text in the email body, treat it with suspicion.
Beyond the Obvious: Subtle Phishing Indicators in 2026
The eight flags above are well-documented. Sophisticated campaigns in 2026 are designed to pass every one of those checks. What defenders need now is a second layer of pattern recognition.
Thread hijacking. Attackers compromise a legitimate email account, read historical threads, and inject a malicious reply mid-conversation. The sender domain is real. The thread context is real. The malicious payload arrives as a “follow-up” to a conversation you were already having. Because the message leaves a genuine mailbox, it passes SPF, DKIM and DMARC and carries a clean sender reputation, so what remains is behavioral: an account that has never sent a ZIP file suddenly attaching one mid-thread, a link destination that differs from every earlier message in the thread, or a reply that quietly changes bank details. Microsoft Defender for Office 365 applies mailbox intelligence and Safe Attachments detonation to these messages, but treat any mid-thread change in attachment type, link target or payment instructions as a reason to confirm with the sender by phone, never by replying.
QR code substitution. As organizations have become better at inspecting URLs, some campaigns have moved to embedded QR codes that route to credential-harvesting pages. The code is usually scanned with a personal phone, which takes the click outside the corporate proxy, Safe Links and endpoint logging. Defender for Office 365 now extracts URLs from QR codes in message bodies and runs them through the same URL analysis as a text link, but this evasion technique still has a meaningful window before automated detection catches up. Our broader breakdown of signs of phishing across channels covers QR phishing and Teams-based variants in detail.
Lookalike domains registered days before the campaign. Attackers register wellf0rceit.com or welIforce-it.com (capital I for lowercase l) days or weeks before a targeted campaign. By the time the domain triggers reputation feeds, the campaign is over. DMARC alignment won’t save you here because the attacker’s domain passes its own DMARC checks; it’s just not your domain. Domain impersonation protection in the anti-phishing policy is the control aimed at this, and it only covers the domains you have explicitly added to it, plus your own tenant domains if organization-domain protection is switched on.
Legitimate cloud infrastructure as the attack vehicle. Phishing links hosted on SharePoint Online, OneDrive, Google Docs, or Dropbox bypass many URL filters because the root domain has a strong reputation. The link is legitimate; the file it points to is not.
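The header and body checks above (display-name versus sending domain, Reply-To divergence, anchor text versus href, homoglyph lookalikes, and links hosted on trusted cloud domains) as one PowerShell triage function. This is an added example, not code from the article or from WellForce; the function names, the homoglyph substitution table, the protected-domain list, the trusted-hosting list and the sample message are all constructed here, and the output is a list of signals for an analyst to weigh, not a verdict.

```powershell
# Added example, not from the original article. Heuristic triage of one raw message
# (RFC 5322 headers plus HTML body). All names, domains and the sample are constructed.

function Get-AddressDomain {
    param([string]$Address)
    if (-not $Address) { return $null }
    if ($Address -match '<([^>]+)>') { $Address = $Matches[1] }   # "Display Name <user@host>"
    if ($Address.Trim() -match '@([^@\s]+)$') { return $Matches[1] }
    return $null
}

function Get-UrlHost {
    param([string]$Url)
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

function ConvertTo-SkeletonDomain {
    # Collapse common substitutions so welIforce-it.com and wellf0rceit.com share a
    # skeleton with wellforceit.com. Illustrative table, not a full confusables map.
    param([string]$Domain)
    $s = $Domain -creplace 'I', 'l'            # capital I -> l must run before lowercasing
    $s = $s.ToLowerInvariant() -creplace 'rn', 'm' -creplace 'vv', 'w' -creplace '-', ''
    return $s -creplace '0', 'o' -creplace '1', 'l' -creplace '3', 'e' -creplace '5', 's'
}

function Test-PhishingSignals {
    param(
        [Parameter(Mandatory)][string]$RawMessage,
        [string[]]$ProtectedDomains = @(),
        [string[]]$TrustedHostingDomains = @('sharepoint.com', 'onedrive.live.com', 'docs.google.com', 'dropbox.com')
    )
    $signals = [System.Collections.Generic.List[string]]::new()
    # Headers end at the first blank line; unfold continuation lines before parsing.
    $parts = $RawMessage -split "`r?`n`r?`n", 2
    $body = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $headers = @{}
    foreach ($line in (($parts[0] -replace "`r?`n[ \t]+", ' ') -split "`r?`n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $headers[$Matches[1].ToLowerInvariant()] = $Matches[2] }
    }
    $from = [string]$headers['from']
    $fromDomain = Get-AddressDomain $from
    $replyDomain = Get-AddressDomain ([string]$headers['reply-to'])
    $displayName = if ($from -match '^\s*"?([^"<]*?)"?\s*<') { $Matches[1].Trim() } else { '' }

    foreach ($pd in $ProtectedDomains) {
        # Flag 1: display name borrows a protected brand while the sending domain is foreign.
        $label = ($pd -split '\.')[0]
        if ($displayName -match [regex]::Escape($label) -and $fromDomain -ne $pd) {
            $signals.Add("Display name '$displayName' claims $label but the sending domain is $fromDomain")
        }
        # Lookalike: sending or Reply-To domain collapses onto a protected domain's skeleton.
        foreach ($d in @($fromDomain, $replyDomain)) {
            if ($d -and $d -ne $pd -and (ConvertTo-SkeletonDomain $d) -eq (ConvertTo-SkeletonDomain $pd)) {
                $signals.Add("$d is a lookalike of protected domain $pd")
            }
        }
    }
    # Flag 2: Reply-To steers the conversation away from the sender.
    if ($replyDomain -and $replyDomain -ne $fromDomain) {
        $signals.Add("Reply-To domain $replyDomain differs from sending domain $fromDomain")
    }
    # Flag 5: anchor text that is itself a URL must resolve to the same host as the href.
    $linkRx = [regex]'(?is)<a\s[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in $linkRx.Matches($body)) {
        $hrefHost = Get-UrlHost $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        if ($text -match '^https?://') {
            $textHost = Get-UrlHost $text
            if ($textHost -and $hrefHost -ne $textHost) { $signals.Add("Link text shows $textHost but points to $hrefHost") }
        }
        if ($hrefHost -match '^\d{1,3}(\.\d{1,3}){3}$') { $signals.Add("Link points to a raw IP address: $hrefHost") }
        foreach ($t in $TrustedHostingDomains) {
            if ($hrefHost -and ($hrefHost -eq $t -or $hrefHost.EndsWith(".$t"))) {
                $signals.Add("Link is hosted on $hrefHost; the reputation of $t says nothing about the file behind it")
            }
        }
    }
    # Flag 3: urgency or threat framing in the subject or body.
    if ("$($headers['subject']) $body" -match '(?i)suspend|within 24 hours|immediate(ly)? (action|response)|verify your (account|password)') {
        $signals.Add('Urgency or threat framing in subject or body')
    }
    return $signals
}

$sample = @'
From: "Microsoft Support" <help@microsofft-help.ru>
Reply-To: jane.doe@welIforce-it.com
Subject: Action required: your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Restore access: <a href="http://203.0.113.5/m365/login">https://login.microsoft.com</a></p>
<p>Updated invoice: <a href="https://contoso-my.sharepoint.com/:x:/g/personal/jdoe/Invoice_2026.xlsx">Invoice_2026.xlsx</a></p>
</body></html>
'@

Test-PhishingSignals -RawMessage $sample -ProtectedDomains 'wellforceit.com', 'microsoft.com'
```

Run against the constructed sample, the function reports the borrowed Microsoft display name, the Reply-To that diverges from the sender and collapses onto wellforceit.com once the capital I and hyphen are normalised, the login link whose text says microsoft.com but resolves to a raw IP address, the SharePoint-hosted file, and the suspension threat. The skeleton routine is deliberately crude: it does not handle doubled letters (microsofft) or Unicode confusables, which is exactly why the anti-phishing policy's domain impersonation protection, not a regex, should be the control of record.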
What to Do Immediately: The Report-and-Quarantine Workflow in M365
This is where most awareness training stops short. Recognizing a phishing email is actionable only if the next steps are automatic for every employee. Here is the exact workflow inside Microsoft 365.
Step 1: Report It—Don’t Forward It
Use the Microsoft Report Message add-in in Outlook (available on desktop, web, and mobile), or the built-in Report button that newer Outlook builds ship without any add-in. Select the suspicious email, click Report (or Report Message), and choose Phishing. This sends the message to Microsoft for analysis and, depending on the user reported settings your admin has configured, routes it to your security team’s submissions queue, a designated reporting mailbox, or both.
Do not forward phishing emails to colleagues or your IT team as a standard attachment—this risks propagating active links or attachments.
Step 2: The Submission Lands in the Microsoft 365 Defender Portal
Admins can view user-reported messages at security.microsoft.com → Email & Collaboration → Submissions → User reported tab. From here, you can:
- Review the reported message
- Submit it to Microsoft for deeper analysis
- Take direct action: move to inbox, move to junk, or quarantine
Step 3: Quarantine Similar Messages Tenant-Wide
If the reported message is confirmed phishing, use Threat Explorer (security.microsoft.com → Email & Collaboration → Explorer) to search for other instances of the same sender, subject line, or attachment hash across your organization. Select matching messages and use Take Action → Move to quarantine. Explorer is a Defender for Office 365 Plan 2 feature; Plan 1 tenants get the more limited Real-time detections view instead. Either way the searchable history covers only recent mail (30 days), so run the search while the campaign is still in the data.
This is the step that most organizations skip. A single employee report can become a tenant-wide containment action within minutes if the workflow is established.
Step 4: Block the Sender or Domain
Navigate to Policies & Rules → Threat Policies → Tenant Allow/Block Lists and add the sender address or domain to the block list. For campaigns using compromised legitimate accounts, blocking the specific sending address (rather than the domain) is the more surgical option.
Step 5: Trigger an Incident Review
If any employee clicked a link or opened an attachment before reporting, escalate immediately to an incident. If the user typed credentials into the landing page, treat the account as compromised: reset the password, revoke active sessions and refresh tokens in Entra ID, and review the sign-in logs and registered MFA methods for anything the user does not recognize. Check the mailbox itself for inbox rules that forward, redirect or delete mail, which is the first thing most BEC actors add. Then check Microsoft Defender for Endpoint for the affected devices, looking for credential access events, unusual outbound connections, or new scheduled tasks created around the time of the click. This is covered in more depth in our data security best practices post.
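Steps 3 to 5 as an added Exchange Online PowerShell example, for tenants that want the containment scriptable or that lack Threat Explorer. This is not the article’s own procedure and not a Microsoft-supplied script. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an account holding the Security Administrator and eDiscovery Manager roles, and placeholder values for the sender, subject, affected user and ticket reference; revoking the user’s sessions is an assumption about your response playbook.

```powershell
# Added example, not from the original article. PowerShell equivalent of Steps 3-5
# for a confirmed campaign. Sender, subject, user and ticket values are placeholders.
Connect-ExchangeOnline          # Exchange Online cmdlets: trace, inbox rules, block list
Connect-IPPSSession             # Security & Compliance cmdlets: search and purge

$sender  = 'help@microsofft-help.ru'
$subject = 'Action required: your account will be suspended in 24 hours'
$since   = (Get-Date).AddDays(-7)
$now     = Get-Date

# Step 3a: find every recipient. Message trace works on every license tier
# (newer module versions replace this cmdlet with Get-MessageTraceV2).
Get-MessageTrace -SenderAddress $sender -StartDate $since -EndDate $now -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# Step 3b: remove the remaining copies from all mailboxes. SoftDelete leaves them
# recoverable via Recoverable Items; a purge action removes at most 10 items per mailbox.
$search = @{
    Name              = "Phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    ExchangeLocation  = 'All'
    ContentMatchQuery = "from:$sender AND subject:`"$subject`""
}
New-ComplianceSearch @search | Out-Null
Start-ComplianceSearch -Identity $search.Name
do { Start-Sleep -Seconds 15 } until ((Get-ComplianceSearch -Identity $search.Name).Status -eq 'Completed')
New-ComplianceSearchAction -SearchName $search.Name -Purge -PurgeType SoftDelete -Confirm:$false

# Step 4: block the address rather than the domain when the sender is a compromised
# legitimate account. Give the entry an expiry so the list does not collect stale items.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $sender -ExpirationDate $now.AddDays(30) -Notes 'Phish campaign, ticket INC-placeholder'

# Step 5: for each user who clicked or typed credentials, look for the usual
# post-compromise footprints, then cut any live sessions.
$user = 'jdoe@wellforceit.com'
Get-InboxRule -Mailbox $user |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
Get-Mailbox -Identity $user | Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Search-UnifiedAuditLog -StartDate $since -EndDate $now -UserIds $user -Operations New-InboxRule, Set-InboxRule, UserLoggedIn, UserLoginFailed |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ResultStatus | Format-Table -AutoSize

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Revoke-MgUserSignInSession -UserId $user      # invalidates refresh tokens; still reset the password and re-check MFA methods
```

The compliance-search purge is the tenant-wide equivalent of Explorer’s Take Action, but it is slower and capped at 10 items per mailbox per action, so for a large campaign run it in batches or fall back to the portal. Inspect the message-trace output before purging; a subject match alone can sweep up the vendor’s genuine replies if the attacker hijacked a real thread.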
Setting Up Phishing Alerts for Your Organization (Admin Steps)
Reactive reporting matters, but proactive alerting changes the dynamic. These are the configurations that create an early warning system inside M365.
Enable Microsoft Defender for Office 365 Plan 1 or Plan 2. Plan 1 covers Safe Links, Safe Attachments, and the impersonation protection and mailbox intelligence settings used in the next two steps. Plan 2 adds Attack Simulator, Threat Explorer, and automated investigation and response. If your organization is running Exchange Online Protection alone, you’re missing the behavioral detection layer entirely, and the anti-phishing policy you see in the portal will not offer the impersonation settings.
Configure Anti-Phishing Policies with Impersonation Protection. In security.microsoft.com, go to Policies & Rules → Threat Policies → Anti-phishing. Under impersonation protection, add your executives, key vendors, and any domains you regularly receive mail from. This catches the display-name spoofing attacks that basic filters miss.
Turn on Mailbox Intelligence. This feature, available in the anti-phishing policy, builds a behavioral baseline of who each user normally receives mail from. A first-contact email from a domain impersonating a frequent contact gets flagged even if the domain itself has a clean reputation.
Set up Alert Policies for Suspicious Email Forwarding. A compromised mailbox often immediately creates a forwarding rule to exfiltrate ongoing correspondence. Two built-in alert policies cover this: “Suspicious email forwarding activity” and “Creation of forwarding/redirect rule”. They live under Policies & Rules → Alert policy in the Defender portal (the same list is visible in Microsoft Purview). Verify both are enabled and that their notifications reach your security team, not an unmonitored admin mailbox. Pair the alert with the preventive control: set the outbound spam filter policy’s automatic forwarding mode to Off unless you have a documented business need for external auto-forwarding, and inventory any mailbox-level forwarding that already exists.
Run Attack Simulation Training. Microsoft Defender for Office 365 Plan 2 includes Attack Simulator. Quarterly simulated phishing campaigns with targeted training for employees who click give you real behavioral data—not just completion certificates. If you’re evaluating whether your current IT provider is setting this up, our guide on what to look for in a Raleigh IT company has a section on security capability assessment.
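The anti-phishing and forwarding configuration from the admin steps above, as an added Exchange Online PowerShell example. This is not the article’s own code and not a Microsoft script. The policy name, executive entries, vendor domains and recipient domain are placeholders, and the choice of quarantine for impersonation hits versus junk folder for mailbox-intelligence hits is an assumption to tune against your own false-positive tolerance.

```powershell
# Added example, not from the original article. Creates the anti-phishing policy
# described above and checks the forwarding controls. Names, users, domains and
# actions are placeholders / assumptions.
Connect-ExchangeOnline

$policyName = 'WellForce Anti-Phish - Impersonation'
$policy = @{
    Name                                = $policyName
    # Impersonation protection: executives as "DisplayName;smtp" and trusted vendor domains.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('CEO Name;ceo@wellforceit.com', 'CFO Name;cfo@wellforceit.com')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('contoso.com', 'fabrikam.com')
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    # Mailbox intelligence: learn each user's normal contacts, act on impersonations of them.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    # Spoof intelligence plus a stricter phishing threshold than the default of 1.
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    PhishThresholdLevel                 = 2
}
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy @policy | Out-Null
    New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName -RecipientDomainIs 'wellforceit.com' -Priority 0
} else {
    # Policy already exists: refresh only the protected user and domain lists.
    Set-AntiPhishPolicy -Identity $policyName -TargetedUsersToProtect $policy.TargetedUsersToProtect -TargetedDomainsToProtect $policy.TargetedDomainsToProtect
}

# Forwarding: block automatic external forwarding outright, then inventory mailbox-level forwards.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Confirm the built-in forwarding alert policies are enabled and who they notify.
Connect-IPPSSession
Get-ProtectionAlert | Where-Object { $_.Name -like '*forwarding*' } |
    Select-Object Name, Disabled, Severity, NotifyUser
```

Impersonation protection accepts a limited number of users and domains per policy, so reserve the list for people whose name on a wire request would be acted on without question and for the vendors who send you invoices. Setting AutoForwardingMode to Off breaks any legitimate external auto-forward, which is why the mailbox inventory runs right after it: anything that appears there needs either a documented exception or a conversation with the user.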
FAQ Block
What are phishing email warning signs?
The most reliable phishing warning signs are: a sender display name that doesn’t match the actual sending domain, a reply-to address different from the sender, urgency or threat-based language, unexpected attachments with generic filenames, hyperlinks whose destination URL doesn’t match the anchor text, and requests for credentials or payment over email. In 2026, thread-hijacking campaigns and QR code payloads have added new indicators that require behavioral analysis, not just visual inspection.
How do I report phishing in Outlook?
In Outlook (desktop or web), select the suspicious message without opening any links. Click the Report Message button in the ribbon (if the add-in is installed) or the built-in Report button in newer Outlook builds, and select Phishing. In Outlook on the web, you can also right-click the message and choose Report → Report phishing. This routes the message to Microsoft and, if your admin has configured it, to your organization’s security team via the Submissions portal in Microsoft 365 Defender.
What happens after I report a phishing email in M365?
The reported message appears in the User Reported tab of the Submissions section in security.microsoft.com. Your security admin can review it, submit it to Microsoft for analysis, and take bulk action—quarantining similar messages across the entire tenant, blocking the sender, and reviewing related security alerts. If any user clicked a link before reporting, admins can cross-reference with Defender for Endpoint to assess compromise scope.
Can Microsoft 365 automatically quarantine phishing emails before they reach inboxes?
Yes, with Defender for Office 365 Plan 1 or Plan 2. Safe Links rewrites URLs and checks them at click time against Microsoft’s threat intelligence. Safe Attachments detonates suspicious attachments in a sandbox before delivery. Anti-phishing policies with impersonation protection and mailbox intelligence catch spoofed sender attacks. No automated system catches everything—user reporting remains a critical second layer.
What’s the difference between spam and phishing?
Spam is unsolicited bulk email, typically commercial in nature. Phishing is targeted deception—the goal is to steal credentials, install malware, or fraudulently transfer funds. A spam email wastes your time. A phishing email can result in a data breach or wire fraud. Phishing emails often look nothing like spam; they’re designed to be indistinguishable from legitimate messages, which is why visual inspection skills and M365 detection layers both matter.
How often should our organization run phishing simulations?
Most security frameworks recommend quarterly simulations as a baseline, with targeted follow-up training for employees who interact with simulated phishing messages. Microsoft’s Attack Simulator allows you to customize difficulty, payload type, and landing page content. The goal is behavioral change over time, not a one-time awareness check.
One concrete action to take this week: Log into security.microsoft.com, navigate to Policies & Rules → Threat Policies → Anti-phishing, and verify that impersonation protection is enabled for your top five executives and your three most-emailed external domains. If that policy doesn’t exist yet, creating it takes less than ten minutes and addresses one of the most common initial access vectors in BEC campaigns. If you don’t have admin access or aren’t sure what you’re looking at when you get there, that’s the real gap to close—and it’s worth a direct conversation with whoever manages your M365 tenant.