I opened Outlook to check my work email when suddenly a login screen popped up. "Please log in again for security purposes," it said. I was busy that morning so I just quickly typed in my ID and password, but I kept getting errors. I figured it was just an internet issue and moved on… but that could've actually been a phishing site.
Honestly, at first I thought, "No way this is happening to me, right?" But after I saw the news, I literally got chills. It turns out that over 35,000 people across 26 countries worldwide were targeted in phishing attacks aimed at Microsoft accounts. What scared me even more was that it wasn't random — they specifically targeted these people.

---

So what exactly happened?
A security research team recently uncovered a large-scale phishing campaign targeting Microsoft accounts (you know, fake websites and emails that steal your personal info). A hacking group that's been active since 2024 targeted over 35,000 people across 26 countries.
Here's the key point: these were targeted attacks. Not just spam sent out to everyone, but carefully chosen attacks on specific companies, specific job titles, specific individuals. Apparently, people working in finance, consulting, healthcare, and law firms were hit the hardest. They were going after people who handle sensitive information.
The scariest part is the technique they used. They employed something called "Adversary-in-the-Middle" (AiTM), a type of man-in-the-middle (MITM) attack. Basically, hackers inserted a fake relay server they created right in front of the real Microsoft login page. So even if I log in to what looks like the real address, my ID, password, and even my two-factor authentication code get handed straight over to the hackers.

---

Wait, you're saying they got people even with two-factor authentication turned on?
This is what really shocked me. I thought, "Well, I have two-factor authentication (OTP) enabled, so I should be fine," right? But this technique completely bypasses it.
Here's how it works: I enter my ID and password on the fake site → the hacker's server receives it and enters it into the real Microsoft server instead → the real server then shows "Please enter your OTP code" → that screen gets sent back to me → I enter the OTP → the hackers intercept that too and complete the real login themselves.
This whole process happens in real-time, in just seconds. I think I'm just logging in normally, but my account is already in the hacker's hands. For real.

---

For those who think, "Not me though"
These attacks usually start with just one email. Something like "We detected suspicious login activity on your account," "Our security policy has changed, please re-authenticate," or "You have a shared file." If it looks obviously sketchy, you wouldn't fall for it, right?
But here's the thing — it comes from your boss or colleague's name. This hacking group apparently researched the company's internal structure beforehand and spoofed emails from actual executives and team leads. When you're swamped with work and your team lead sends you a link saying "Can you check this file real quick?" you just click without thinking.
Even security experts say that if the context feels natural enough, they get confused. For regular folks like us, it's honestly really hard to tell in the moment.

---

Here's actually how it happens — a scenario
One day you get an email at your work address. The sender looks exactly like your company's IT department. The message says: "Your Microsoft account security update is required. Please verify through the link below." You click the link and see a real-looking Microsoft login screen. The address bar even looks about right.
You log in and get a screen saying "Please enter your OTP." You punch in the authentication number from your phone and get a "Verification complete" screen. You think, "Ah, I guess I did need that security update," and move on. But at that exact moment, the hacker has already logged into your account.
From there, the hacker digs through your emails, extracts client information, company secrets, and coworker contacts. In the worst case, they send phishing emails to your colleagues using your name. If one person's account gets compromised, the whole company becomes vulnerable.

---

So what can I actually do about it? Things you can do right now
① Use Passkeys or FIDO2 Security Keys
Given that even OTP can be breached like in this attack, the strongest defense is Passkey. Passkeys let you log in with your fingerprint or face recognition instead of a password. Since there's no code to intercept in the middle, man-in-the-middle attacks don't work. You can enable it right now in your Microsoft account settings.
② Pause for 3 seconds before clicking links
Never just click on links in emails. If you hover your mouse over a link, the actual URL appears in the status bar at the bottom. If it's not microsoft.com, it's definitely a phishing site. On mobile, try long-pressing links to preview the actual URL.
③ Get in the habit of typing addresses directly
If you need to log in, skip the email link and type the address directly into your browser. It's more of a hassle, but this is genuinely the safest way.
④ Check your Microsoft account's recent login activity
Go to account.microsoft.com → Security → Login activity to see everywhere you've logged in from recently. If you spot an unfamiliar country or device, change your password immediately and terminate all sessions.
⑤ Report it to your company's IT team
If you receive a suspicious email, don't judge it yourself — report it immediately to your company's IT department or security team. If your account gets compromised, your coworkers are at risk too. Don't stay quiet just because you're embarrassed.
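The hover check from tip ② can be made mechanical. The Python sketch below is an added example, not something from the campaign report; it parses a link and rejects the common lookalike tricks (a trusted name used as a subdomain of another site, a trusted name placed before an `@`, non-ASCII or punycode hosts). The `TRUSTED` list and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: microsoft.com from the post plus two
# Microsoft sign-in hosts; adjust to what your organisation actually uses.
TRUSTED = ("microsoft.com", "login.microsoftonline.com", "login.live.com")

def classify_link(url: str) -> str:
    """Return "ok" or "reject: <reason>" for a link copied out of an email."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject: unparseable URL"
    if parts.scheme != "https":
        return "reject: not https"
    if not host:
        return "reject: no host"
    if parts.username is not None:
        # https://microsoft.com@other.example/ really goes to other.example
        return "reject: userinfo before @"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "reject: non-ASCII or punycode host (possible homograph)"
    # Match whole labels from the right: "microsoft.com.x.example" must not pass.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "ok"
    return "reject: host is not a trusted sign-in domain"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://account.microsoft.com/security",
    "https://account.microsoft.com.signin-check.example/",
    "https://microsoft.com@signin-check.example/login",
    "https://account.micros\u043eft.com/",   # Cyrillic "o" in the host
    "http://account.microsoft.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_link(s):60} {s!r}")
```

An "ok" result only means the link points at a trusted host. The email itself can still be spoofed, which is why typing the address directly (tip ③) remains the safer habit.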

---

Frequently Asked Questions (FAQ)
Q: Are Google accounts and Naver accounts safe?
A: Honestly, this isn't just a Microsoft problem. The man-in-the-middle attack technique used here can be applied to Google, Naver, Kakao, and any other service. The more you use an account for work, the more careful you need to be. If a service supports Passkey, switching everything to Passkey is the safest bet.
Q: I already clicked on a suspicious link — what do I do?
A: First, don't panic. If you actually logged in, go directly to your Microsoft account website right now and change your password, then terminate all unfamiliar sessions in your login activity. If it's a work account, you need to notify your IT team immediately. If you just clicked the link without entering anything, you don't need to worry too much, but it's a good idea to run your antivirus program anyway.
Q: Is it really true that accounts get hacked even with two-factor authentication (OTP) enabled?
A: Yes, as confirmed in this incident, standard OTP methods using texts or apps can be breached by man-in-the-middle attacks. However, Passkey or FIDO2-based hardware security keys are immune to these attacks. You should seriously consider upgrading to a stronger authentication method than OTP.
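Why the relayed login described earlier defeats OTP but not a passkey, shown from the real server's side. This Python model is an added example, not code from Microsoft or from the researchers. It is simplified: signature verification is omitted, the RP ID is taken to be the page's host, and every domain and secret in it is a constructed placeholder.

```python
import base64, hashlib, hmac, json, struct

# All names below are constructed placeholders for this example.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
RELAY_ORIGIN = "https://login.example-verify.net"   # lookalike relay site

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_otp(secret: bytes, submitted: str, t: int) -> bool:
    # The server sees six digits only; nothing records which site they were typed into.
    return hmac.compare_digest(totp(secret, t), submitted)

def browser_assertion(page_origin: str, challenge: bytes):
    """Fields a browser binds into a passkey login on page_origin (signature omitted)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    host = page_origin.split("://", 1)[1]
    # authenticatorData = SHA-256(RP ID) || flags (UP|UV) || signature counter
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    return client_data, auth_data

def server_accepts_passkey(client_data: bytes, auth_data: bytes, challenge: bytes) -> bool:
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == RP_ORIGIN
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest())

def demo():
    secret, now, challenge = b"12345678901234567890", 59, b"constructed-challenge"
    # OTP: the code typed into the relay site is forwarded unchanged and still verifies.
    otp_relayed = server_accepts_otp(secret, totp(secret, now), now)
    # Passkey: the browser stamps the origin of the page the user is really on.
    direct = server_accepts_passkey(*browser_assertion(RP_ORIGIN, challenge), challenge)
    relayed = server_accepts_passkey(*browser_assertion(RELAY_ORIGIN, challenge), challenge)
    return otp_relayed, direct, relayed

if __name__ == "__main__":
    print(demo())
```

In a real browser the relay site would not even get this far, because a passkey registered for one domain is not offered to a page on another; the server-side origin and RP ID checks modelled here are the second layer.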
When security comes up, people tend to think, "Well, I'm not that important anyway, so I should be fine." But after seeing this attack, what I realized is that hackers don't target "important people" — they target "people connected to a company." Your single account could be the key that opens the door to an entire company.
You only need to do one thing today. Go into your Microsoft account and just check your recent login history once. It takes less than 5 minutes and could help you catch something before it becomes a real problem. Do it right now, seriously 😊
#MicrosoftPhishing #AccountSecurity #PhishingPrevention #TwoFactorAuth #Passkey #CyberSecurity #WorkplaceSecurity #PrivacyProtection