
Security advisory: Phishing Alert - Fake Microsoft Quarantine Emails Targeting M365 Users


Our Attacker Behavior Analytics (ABA) monitoring has identified an active phishing campaign impersonating Microsoft 365 Quarantine notifications. The attackers’ goal is simple: steal user credentials by directing recipients to a fake Microsoft login page. 

These emails look convincing, carry urgent language, and mimic real Microsoft formatting. Here’s what to watch for and what to do if one lands in your inbox. 

What the Fake Emails Look Like 

Attackers are sending messages that: 

  • Claim you have emails “blocked,” “quarantined,” or “held for review” 
  • Use subjects like “ATTN,” “Action Required,” or “Quarantine Notification” 
  • Feature Microsoft logos or templates 
  • Show a single “blocked” message from something like hr@company-name 
  • Link to a fraudulent Microsoft login page designed to harvest credentials 

These emails are engineered to look routine, which is why they work.
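The traits listed above can be combined into a mail-triage check that flags quarantine-style wording only when it appears alongside a link whose host is not a genuine Microsoft domain. This is an added example, not ISI's detection logic; the trusted-host list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators taken from the advisory's description of the lure.
SUBJECT_TERMS = ("attn", "action required", "quarantine notification")
BODY_TERMS = ("blocked", "quarantined", "held for review")
# Assumption: hosts treated as genuine Microsoft destinations; adjust per tenant.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    # Exact match or true subdomain only, so "microsoft.com.<other>" fails.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    body = body_text(msg)
    reasons = []
    if any(t in subject for t in SUBJECT_TERMS):
        reasons.append("subject")
    if any(t in body.lower() for t in BODY_TERMS):
        reasons.append("quarantine-wording")
    bad = sorted({u for u in URL_RE.findall(body) if not host_trusted(u)})
    if bad:
        reasons.append("untrusted-link")
    # Escalate only when lure wording and an off-domain link coincide.
    suspicious = "untrusted-link" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "links": bad}

# Constructed sample messages (not taken from the campaign).
LURE = ("From: Microsoft 365 <notice@mail-notice.example>\nSubject: ATTN: Action Required\n\n"
        "1 message from hr@company-name was blocked and is held for review.\n"
        "Release it: https://login.microsoft.com.portal-review.example/signin\n")
BENIGN = ("From: notifications@microsoft.com\nSubject: Quarantine Notification\n\n"
          "Review quarantined messages: https://security.microsoft.com/quarantine\n")
for name, raw in (("lure", LURE), ("benign", BENIGN)):
    print(name, triage(raw))
```

The suffix check compares whole DNS labels, so a host that merely begins with a Microsoft name but ends in another domain is still reported as untrusted.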

How to Verify Real Microsoft Alerts 

Legitimate Microsoft quarantine notifications: 

  • Never direct you to sign in through an unfamiliar URL 

If anything looks off, stop. Hover over links and confirm the sender before taking action. 

What To Do If You Receive One 

If a suspicious email hits your inbox: 

  • Do not click any links 
  • Do not enter your Microsoft credentials 
  • Do not download attachments 
  • Report it using Outlook’s built-in “Report” button 

Reporting helps your organization stop the attack from spreading. 

If You Already Clicked or Entered Information 

Take action immediately: 

  • Notify your IT or security team right away 
  • They can check for unusual sign-in activity 
  • They will guide you on whether your password needs to be reset and what next steps are required 

Fast reporting limits the impact and reduces the attacker’s window of opportunity. 

How ISI is Responding 

Through ABA monitoring, ISI is: 

  • Tracking indicators associated with this phishing campaign 
  • Identifying and blocking malicious sender domains 
  • Notifying Microsoft of observed phishing activity 
  • Monitoring for related or follow-up attempts across environments 

Early detection allowed us to alert clients quickly and help reduce the risk of credential theft. 

Why This Campaign is Effective 

Attackers rely on: 

  • Familiar branding 
  • Urgent language 
  • The expectation that quarantine emails require quick action 

Because many contractors use Microsoft 365 for business-critical communication, including workflows involving sensitive data, credentials remain a high-value target for attackers.

How to Strengthen Your Organization’s Defenses 

A few steps can significantly reduce risk: 

  • Train users to verify sender addresses 
  • Enforce multifactor authentication (MFA) everywhere 
  • Use sensitivity labeling and conditional access where possible 
  • Enable enhanced phishing protection in Microsoft Defender 
  • Regularly review sign-in logs for anomalies 

Awareness plus strong controls dramatically limit attacker success. 

Stay Alert 

Phishing campaigns evolve quickly. ISI will continue monitoring this activity and share updates if tactics change or new variants emerge. 

Your vigilance protects both your organization and the broader Defense Industrial Base. 

-ISI Cybersecurity Team 
