We’ve seen a rise in phishing campaigns that use tools like “Axios” or similar to trick users into giving away their Microsoft 365 credentials. These are called Adversary-in-the-Middle (AiTM) attacks — attackers create fake Microsoft login pages that look real but secretly capture your username, password, and even your MFA codes.

This is especially a risk for those of us who:

• Travel often and sign in from hotels, airports, or coffee shops

• Handle a large number of customer emails and shared document links daily

Here’s how to protect yourself:

1. Always Check the Link Before You Click

• Hover your mouse over any link in an email before clicking.

• Official Microsoft 365 logins should only ever start with:

  • https://login.microsoftonline.com/

  • https://outlook.office.com/

• If the link looks strange, has extra words, or doesn’t match Microsoft’s domains — don’t click it.

2. Don’t Trust “Shared Document” Emails Blindly

• Attackers often send fake “Someone shared a document with you” messages.

• Instead of clicking the email link, go directly to:

  • OneDrive / SharePoint / Teams via your normal apps or Office.com.

• If the document is real, you’ll find it there.

3. Protect Your Credentials

• Never enter your Microsoft 365 password into a site reached from an unusual or unexpected email.

• If you’re unsure, stop and contact IT before entering anything.

• Do not reuse passwords from other websites.

4. Use MFA Correctly

• If you get an MFA prompt unexpectedly (you’re not actively signing in) — do not approve it.

• Report it to IT immediately. This could mean someone is trying to use your stolen credentials.

5. Traveling? Stay Secure

• Avoid logging in from public WiFi (airports, hotels, cafes) without a VPN.

• When traveling, let IT know your city/state so unusual login locations don’t trigger false alarms.

• Be extra cautious about emails while traveling — attackers know road warriors are more distracted.

6. Signs You May Have Been Compromised

• Unexpected password resets or MFA prompts

• Emails sent from your account that you didn’t write

• New rules in Outlook (e.g., forwarding all mail to another address)

• Microsoft login page that “flickers” or reloads multiple times before logging you in (a sign of AiTM proxying your session)

If you notice any of these, contact IT immediately.

7. What to Do If You Slip Up

• If you think you accidentally entered your credentials into a bad link:

  1. Call IT right away.

  2. Change your Microsoft 365 password immediately.

  3. We’ll help review your mailbox for suspicious activity and secure your MFA.

✅ Bottom Line: Slow down before you click. If in doubt, don’t log in — ask IT. Protecting your credentials protects not only you, but also our customers and company data.