"Unusual Sign-In Activity" Microsoft Email — Scam or Legitimate?
An email claiming to be from Microsoft says there's been unusual sign-in activity on your account. It may look convincing — the logo, the layout, even the sender address. But many of these emails are phishing attempts. Here's how to check if it's real.
How This Scam Works
High Risk — Difficult to Distinguish From Real Alerts
Microsoft does send genuine sign-in alerts, which makes this scam particularly deceptive. Always verify by going directly to account.microsoft.com instead of clicking email links.
You receive an email that appears to be from Microsoft warning about unusual sign-in activity on your account. It may include details like a location, IP address, and time to appear legitimate. The email asks you to review the activity by clicking a "Review recent activity" button.
This scam is especially effective because Microsoft genuinely sends sign-in notifications that look very similar. The fake version leads to a credential-harvesting page that captures your Microsoft account login, potentially giving scammers access to your Outlook email, OneDrive files, and any connected services.
Microsoft reported blocking over 35.7 billion phishing emails in 2023 through their security systems, with account sign-in alerts being one of the most commonly impersonated email types.
Red Flags
- The actual sender address (not the display name, which can say anything) is not from @accountprotection.microsoft.com
- The 'Review activity' link's hostname does not belong to microsoft.com or live.com. "microsoft.com" appearing somewhere inside a longer hostname or in the path (for example account.microsoft.com.example.net) does not count
- Sign-in details don't match any device or location you've used
- Email asks you to enter your password on a linked page
- Contains a sense of urgency — 'If this wasn't you, your account may be compromised'
The distinguishing factor is the link destination. Hover over any button in the email (long-press it on a phone) and read the full URL: legitimate Microsoft account emails link only to hosts under microsoft.com (such as account.microsoft.com) or live.com (such as account.live.com). Read the domain from the right: what matters is the part immediately before the first slash, not whether "microsoft" occurs somewhere in the address. Lookalike domains, misspellings (micros0ft.com) and a genuine-looking hostname placed before an @ sign in the URL are all signs of a fake.
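The red flags above can be applied mechanically to a saved message. The following checker is an added example, not code from the original page or from Microsoft. It assumes the sender domain and the two link domains named above, parses the link host with a real URL parser rather than looking for the string "microsoft" (which is what the lookalike tricks rely on), and treats the receiving server's Authentication-Results header as supporting evidence only. Both sample messages are constructed, and the two-label domain extraction is a simplification for these domains; a general-purpose tool should use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the article says genuine Microsoft account mail links to and comes from.
LEGIT_LINK_DOMAINS = {"microsoft.com", "live.com"}
LEGIT_SENDER_DOMAIN = "accountprotection.microsoft.com"


def registrable_domain(host: str) -> str:
    """Last two DNS labels (account.microsoft.com -> microsoft.com).
    Assumption: two labels suffice for the domains checked here; for arbitrary
    domains use the Public Suffix List (e.g. 'co.uk' is a suffix, not an owner)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_is_legit(url: str) -> bool:
    """True only if the link's host belongs to microsoft.com or live.com.
    urlparse().hostname drops userinfo and the path, so 'microsoft.com' used as a
    hostname prefix, as text before an '@', or as a path component all fail."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname
    return bool(host) and registrable_domain(host) in LEGIT_LINK_DOMAINS


def sender_is_legit(from_header: str) -> bool:
    """Check the real address in From:, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.lower().endswith("@" + LEGIT_SENDER_DOMAIN)


def extract_links(html: str) -> list:
    """Collect href targets from a flat HTML email body."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def assess(raw_email: str) -> dict:
    """Apply the red flags to a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # samples below are single-part text/html
    flags, hard_fail = [], False

    if not sender_is_legit(msg.get("From", "")):
        flags.append("sender address is not @" + LEGIT_SENDER_DOMAIN)
        hard_fail = True

    bad_links = [u for u in extract_links(body) if not link_is_legit(u)]
    if bad_links:
        flags.append("link target outside microsoft.com / live.com: " + ", ".join(bad_links))
        hard_fail = True

    # Authentication-Results is written by the receiving mail server. Trust it only
    # if your own server added it; a sender can insert a forged copy on the way in.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("no dmarc=pass recorded by the receiving server")

    if re.search(r"\b(compromised|suspended|locked)\b", body, re.I):
        flags.append("pressure language (genuine alerts use it too; not decisive alone)")

    return {
        "verdict": "likely phishing" if hard_fail else "consistent with a genuine alert",
        "flags": flags,
        "bad_links": bad_links,
    }


# Constructed samples, not real messages. 203.0.113.0/24 and .example are reserved.
PHISHING_SAMPLE = """\
From: Microsoft account team <no-reply@microsoft-account-alerts.example>
To: you@example.com
Subject: Unusual sign-in activity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft-account-alerts.example; dmarc=none
Content-Type: text/html

<p>We detected an unusual sign-in from IP 203.0.113.45 at 03:12 UTC.</p>
<p><a href="https://account.microsoft.com.verify-login.example/review">Review recent activity</a></p>
<p>If this wasn't you, your account may be compromised.</p>
"""

LEGIT_SAMPLE = """\
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: you@example.com
Subject: Microsoft account unusual sign-in activity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass header.d=accountprotection.microsoft.com; dmarc=pass header.from=accountprotection.microsoft.com
Content-Type: text/html

<p>We detected something unusual about a recent sign-in to your Microsoft account.</p>
<p><a href="https://account.live.com/Activity">Review recent activity</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("genuine", LEGIT_SAMPLE)):
        result = assess(sample)
        print(name, "->", result["verdict"])
        for flag in result["flags"]:
            print("   -", flag)
```

The verdict is driven only by the two hard checks (sender domain and link host); the DMARC and wording checks are reported but not decisive, because a genuine alert read through a mail server that strips Authentication-Results, or one that says "your account may be compromised", would otherwise be misclassified.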
What You Should Do
- Do not click any links in the email
- Open a new browser tab and go directly to account.microsoft.com
- Review your recent sign-in activity under Security > Sign-in activity
- If you see unfamiliar activity, or if you already typed your password into a page the email linked to, change your password immediately
- Enable two-step verification if you haven't already
How to Verify Legitimately
Go to account.microsoft.com and sign in. Click on Security, then Sign-in activity. This lists recent sign-in attempts, successful and unsuccessful, with the approximate location, device and browser or app used. If the activity described in the email doesn't appear here, the email was fake. If it does appear and you don't recognize it, change your password and enable two-step verification. Either way, if you already entered your password on the emailed link, treat it as compromised and change it regardless of what the activity list shows.
Sources
- Microsoft Digital Defense Report 2023 — Phishing email blocking statistics
- Microsoft Support: Protect your account