
Cybersecurity specialist MailGuard has intercepted a new phishing campaign targeting Microsoft 365 users, using “advanced deception techniques” to steal credit card and personal identity information.
According to MailGuard, the “fraudulent email — falsely branded as a Microsoft 365 billing alert” — claims a subscription renewal has failed and prompts recipients to “verify” the transaction. Attached to the email is a malicious .htm file mimicking a Microsoft billing portal, alongside a deceptive calendar .ics invite to heighten urgency.
Key threat indicators:
- Spoofed sender: Appears to come from Microsoft Billing
- Actual origin: A compromised third-party .shop domain
- Attachments:
  - .htm phishing page to harvest sensitive information
  - .ics calendar invite to increase perceived legitimacy
- Objective: Theft of personal data and credit card credentials
MailGuard says this attack is particularly dangerous because it disguises a malicious .htm file as a legitimate Microsoft billing notice. When opened, the file launches a phishing form that mimics a Microsoft 365 payment portal, prompting users to enter credit card details, personal information, and corporate email addresses. By weaponising a trusted file format and leveraging brand familiarity, the scam bypasses traditional email security filters and exploits user trust to steal sensitive data.
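The indicators MailGuard lists can be checked mechanically at a mail gateway or during triage. The following is an added example, not MailGuard's detection logic: it parses a constructed sample message and reports which of the listed indicators are present. The sample addresses, file names, the `TRUSTED_DOMAINS` allow-list and the indicator labels are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; addresses, domain and file names are placeholders.
SAMPLE = """\
From: "Microsoft Billing" <notice@billing-example.shop>
To: user@example.com
Subject: Microsoft 365 renewal failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify the transaction.
--b1
Content-Type: text/html; name="invoice.htm"
Content-Disposition: attachment; filename="invoice.htm"

<html><form><input name="card"></form></html>
--b1
Content-Type: text/calendar; name="renewal.ics"
Content-Disposition: attachment; filename="renewal.ics"

BEGIN:VCALENDAR
END:VCALENDAR
--b1--
"""

# Assumption: sender domains this organisation accepts for genuine Microsoft mail.
TRUSTED_DOMAINS = {"microsoft.com"}

def indicators(raw):
    """Return the labels of the article's indicators found in a raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    hits = []
    if "microsoft" in display.lower() and not trusted:
        hits.append("brand-display-name-mismatch")  # spoofed sender name
    if domain.endswith(".shop"):
        hits.append("shop-tld-sender")              # actual origin
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    if any(n.endswith((".htm", ".html")) for n in names):
        hits.append("html-attachment")              # local phishing form
    if any(n.endswith(".ics") for n in names):
        hits.append("ics-attachment")               # urgency-building invite
    return hits
```

No single indicator is conclusive on its own, since .ics and HTML attachments also appear in legitimate mail; the combination with a brand name in the display field and an unrelated sender domain is what matches this campaign's description.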
MailGuard says the threat was 100% blocked and that its advanced detection models stopped it before user impact, identifying and intercepting the attack in real time.
“Impersonation attacks like this erode trust in globally recognised platforms like Microsoft 365,” said Craig McDonald, CEO of MailGuard. “They exploit the familiarity and credibility of major brands to trick even savvy users. Speed of detection is critical — and that’s where our technology excels.”
By way of background, MailGuard notes:
Microsoft remains the most impersonated brand in global phishing attacks, according to multiple cybersecurity intelligence reports. As threat actors increasingly use AI-generated content and trusted domains, inline threat prevention is essential to protect businesses from credential theft, data breaches, and reputational damage.