SCAM CHECK

Is This Microsoft Account Recovery Email A Scam?

Got an email saying someone tried to sign into your Microsoft account from Moscow — click here to secure it? Here’s how to tell a real Microsoft alert from a phishing trap.

Updated May 25, 2026 · By SmartOne · 5 min read

Some links in this guide pay us a small commission. We only recommend tools we use and trust. It never costs you extra, and it helps keep the lights on at Making Sense Of Security.

The Short Answer

Yes, This Is Likely A Scam If…

The "Secure Account" button doesn’t go to account.microsoft.com (hover over it to check), the sender domain isn’t exactly @microsoft.com, or the email pressures you to act in under an hour. Real Microsoft alerts log to your account’s recent activity page — verify there, never via the email link.

Quick Risk Checklist

If any of these match the message you got, treat it as a scam until you’ve verified directly with the real company or agency.

  • The sender’s domain isn’t exactly @microsoft.com (look for typos: microsft, micr0soft, microsoft-support.com).
  • The "Secure Account" or "Review Activity" button points to a non-microsoft.com URL when you hover over it.
  • The email mentions a foreign sign-in attempt (Russia, China, Brazil) to spike urgency.
  • It says your account will be suspended in under an hour if you don’t click.
  • It includes a screenshot or table of fake login details to look legitimate.
  • You don’t use the email address it was sent to for any Microsoft service.

What The Scam Looks Like

Here’s the actual wording from a real scam — links are defanged so you can’t accidentally tap them.

From: Microsoft Account Team <security@microsoft-account-recovery.com>
Unusual sign-in activity: Someone attempted to access your account from Moscow, Russia (IP 185.234.218.42) at 03:14 GMT. If this wasn’t you, secure your account within the next 60 minutes:
https://account-microsoft-recovery[.]com/secure
— Microsoft Account Protection Team

“Defanged” means we replaced the dot in the URL with [.] so it can’t be clicked. Scam URLs stay unclickable on this page on purpose.

What To Do Right Now

If you got this and haven’t tapped anything yet, here’s the order of operations.

  1. Don’t click the link in the email. Even a single click can fingerprint your device.
  2. Open a new browser tab and type account.microsoft.com directly. Sign in.
  3. Check Recent Activity at account.microsoft.com/security/signinactivity. Real sign-ins (yours or attempted) show up there.
  4. Forward the email to Microsoft at phish@office365.microsoft.com, then delete it.

What If You Already…

Don’t panic. Most damage is undoable if you act quickly. Pick the one that applies and follow the recovery steps.

  • … Clicked The Link: Recovery Steps →
  • … Logged In On A Fake Page: Recovery Steps →
  • … Entered Payment Info: Recovery Steps →
  • … Shared A Code: Recovery Steps →
  • … Installed Software: Recovery Steps →
  • … Sent Money: Recovery Steps →

Recovery Library is in build. These links go to placeholder pages until those guides ship.

How To Verify A Microsoft Security Alert Safely

  1. Hover over the button (don’t click). The URL should start with https://account.microsoft.com, https://login.microsoftonline.com, or https://security.microsoft.com. Anything else is fake.
  2. Check the full sender address, not just the display name. Real Microsoft emails come from @microsoft.com, @accountprotection.microsoft.com, or @email.microsoft.com.
  3. Log into account.microsoft.com directly and check your sign-in activity yourself. Real attempts will be logged there.
  4. Turn on Microsoft Authenticator for sign-in approval, so attempted sign-ins prompt your phone — much harder to phish.
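
The sender and button checks from steps 1 and 2, written out as an added example (not code from this guide or from Microsoft). It compares the parsed hostname exactly instead of testing what the URL text starts with, because a lookalike address can begin with a real Microsoft hostname; the `.example` addresses and the `noreply` mailbox are constructed samples.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Allowlists copied from steps 1 and 2 above.
TRUSTED_SENDER_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com",
                          "email.microsoft.com"}
TRUSTED_LINK_HOSTS = {"account.microsoft.com", "login.microsoftonline.com",
                      "security.microsoft.com"}

def sender_domain(from_header):
    """Domain of the real address, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_host(url):
    """Hostname the link really goes to, or None if it is not https."""
    parts = urlsplit(url.strip().replace("[.]", "."))  # undo defanging
    if parts.scheme != "https":
        return None
    # .hostname drops any "user@" prefix and the port, so only the host remains.
    return (parts.hostname or "").lower().rstrip(".")

def check_alert(from_header, button_url):
    """Return a list of reasons to distrust the message (empty = none found)."""
    findings = []
    domain = sender_domain(from_header)
    if domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {domain!r} is not on the Microsoft list")
    host = link_host(button_url)
    if host is None:
        findings.append("button link is not https")
    elif host not in TRUSTED_LINK_HOSTS:
        findings.append(f"button host {host!r} is not on the Microsoft list")
    return findings

# The scam message quoted earlier on this page (link still defanged).
SCAM_FROM = "Microsoft Account Team <security@microsoft-account-recovery.com>"
SCAM_URL = "https://account-microsoft-recovery[.]com/secure"

# Constructed lookalikes: both *begin* with a real Microsoft hostname.
LOOKALIKE_SUFFIX = "https://account.microsoft.com.login-check.example/secure"
LOOKALIKE_USERINFO = "https://account.microsoft.com@login-check.example/secure"

if __name__ == "__main__":
    for reason in check_alert(SCAM_FROM, SCAM_URL):
        print("FAIL:", reason)
    for url in (LOOKALIKE_SUFFIX, LOOKALIKE_USERINFO):
        print(url, "->", link_host(url))
```

An empty result only means the two visible checks passed. The From line can be forged, so the sign-in activity check in step 3 is still what settles it.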


Common Questions

Does Microsoft Actually Send Sign-In Alerts?

Yes. Real Microsoft alerts go to the email tied to your account, log the same event in your account’s Recent Activity, and ask you to verify by signing in — not by clicking a button in the email.

What If The Email Looks Identical To A Real One?

Phishing emails copy real templates pixel-perfect. The giveaways are always (a) the sender domain, (b) the button URL when you hover, and (c) urgency language. Real alerts don’t threaten suspension in 60 minutes.

I Already Entered My Password — What Now?

Change your Microsoft password immediately at account.microsoft.com. Turn on Microsoft Authenticator for 2-step verification. Then sign out all devices from the security page so the attacker’s session is killed.

Should I Use The Phone Number In The Email?

No. Real Microsoft emails almost never include a phone number for support. Any number in the email body is for the scammer’s call center.

Can Microsoft Tell If My Account Has Been Hacked?

Partially. They flag clearly unusual sign-ins (different country, new device, impossible-travel speed) and may temporarily lock the account. But many account takeovers happen with credentials that work — so the gold standard is to enable Authenticator app sign-in and disable passwords entirely.
