We’ve all seen them: the “Urgent Action Required” email from ‘Microsoft’ or the “Problem with your Invoice” message that looks like it’s from a trusted vendor. The problem is, attackers are masters of disguise, and their fake emails look more real every day.
Now, with generative AI, they can create perfectly written, personalized messages at a massive scale, making it even harder to tell real from fake. These new tactics are getting much better at slipping past traditional security filters.
Clicking one bad link is all it takes to hand over your password or unleash ransomware. That’s why phishing awareness isn’t just an IT problem—it’s everyone’s problem. Let’s break down the seven red flags you can look for to spot these attacks before they do damage.
1. The Sender Looks Familiar, But the Domain Doesn’t
Phishing emails often spoof a trusted name but hide behind a look-alike domain. Expand the sender details to see the actual address, not just the display name.
From: Microsoft Security <support@m1crosoft-security.com>
If the domain doesn’t exactly match the organization’s legitimate domain (for example, microsoft.com or microsoftonline.com), it’s a red flag. Attackers swap letters (“1” for “l”), add hyphens, or use foreign TLDs.
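The check described above can be automated. The Python below is an added example, not a tool from this site: it pulls the real address out of a From: header with the standard library, tests whether its domain is one of the brand’s legitimate sending domains, and otherwise looks for a near-miss label (one or two character edits away from the brand name, as in “m1crosoft”). The `KNOWN_SENDER_DOMAINS` allow-list and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allow-list for the example: brand -> domains it legitimately sends from.
KNOWN_SENDER_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the real address in a From: header, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_subdomain_of(host: str, domain: str) -> bool:
    """True when host is exactly domain or ends in '.domain' (a real subdomain)."""
    return host == domain or host.endswith("." + domain)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one step is an insert, delete or substitute of a character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, claimed_brand: str, max_distance: int = 2) -> dict:
    """Classify a From: header against the brand its display name claims.

    legitimate: the domain is (a subdomain of) a known sending domain.
    lookalike:  not legitimate, but some label of the domain is within
                max_distance edits of the brand name, e.g. "m1crosoft".
    """
    domain = sender_domain(from_header)
    legit = KNOWN_SENDER_DOMAINS.get(claimed_brand.lower(), set())
    exact = any(is_subdomain_of(domain, d) for d in legit)

    # Labels of the domain without its TLD, split on dots and hyphens:
    # "m1crosoft-security.com" -> ["m1crosoft", "security"]
    labels = domain.rsplit(".", 1)[0].replace("-", ".").split(".")
    brand_labels = {d.split(".")[0] for d in legit}
    lookalike = not exact and any(
        levenshtein(label, brand) <= max_distance
        for label in labels
        for brand in brand_labels
    )
    return {"domain": domain, "legitimate": exact, "lookalike": lookalike}


if __name__ == "__main__":
    # Constructed sample headers
    for header in (
        "Microsoft Security <support@m1crosoft-security.com>",
        "Microsoft <account-security-noreply@accountprotection.microsoft.com>",
    ):
        print(header, "->", check_sender(header, "microsoft"))
```

A hit on `lookalike` is a reason to stop and verify through another channel, not proof of phishing on its own; a hit on `legitimate` only says the visible From: domain is right, which is why the authentication checks later in this article still matter.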
2. Links Don’t Match the Text
Hover over any link before clicking. What looks like a trusted URL may actually redirect to a malicious site.
Reset your password → https://login.microsoftonline.com.recovery-portal.co/
Legitimate Microsoft logins end in microsoftonline.com—nothing comes after the “.com”. Hovering reveals the truth before it’s too late.
Use the Phishing Check tool to safely preview and analyze URLs without clicking them.
When Microsoft Safe Links Makes Things Tricky
Microsoft 365’s Safe Links feature rewrites URLs to protect users from malicious websites. While it helps block known threats, it also makes manual inspection harder—links can appear as long, encoded URLs that hide the original destination.
Example:
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fitknowledgebases.com%2Flogin&data=...
To verify what’s really behind a Safe Link, you can decode it first:
- Microsoft Safe Link Decoder – Instantly reveal the original URL hidden behind Microsoft’s protection layer.
- Phishing Check – View screenshots, WHOIS info, and SSL data for full link analysis.
These tools let you verify links safely, even when Safe Links obfuscates the target domain.
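The two steps above, unwrapping a Safe Link and then judging the real destination, can be done with nothing but the Python standard library. This is an added example, not the Safe Link Decoder or Phishing Check tool mentioned on this page: it reads the `url=` parameter out of a Safe Links wrapper and then applies the rule from section 2, that the destination host must be the expected domain or a true subdomain of it, so `login.microsoftonline.com.recovery-portal.co` is rejected. The `EXPECTED_LOGIN_DOMAINS` set and the sample URLs are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed for the example: domains a genuine Microsoft login link may point at.
EXPECTED_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com"}

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def decode_safelink(url: str) -> str:
    """Return the original destination behind a Microsoft Safe Links wrapper.

    Any URL that is not a Safe Link is returned unchanged.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        # parse_qs percent-decodes, so https%3A%2F%2F... comes back as https://...
        target = parse_qs(parsed.query).get("url")
        if target:
            return target[0]
    return url


def is_subdomain_of(host: str, domain: str) -> bool:
    """True when host is exactly domain or ends in '.domain'."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, expected_domains=EXPECTED_LOGIN_DOMAINS) -> dict:
    """Unwrap a link and report whether its real host belongs to an expected domain.

    Matching is done on the host's suffix, so "login.microsoftonline.com" is
    trusted while "login.microsoftonline.com.recovery-portal.co" is not: its
    registrable domain is recovery-portal.co, whatever the prefix says.
    """
    destination = decode_safelink(url)
    host = (urlparse(destination).hostname or "").lower()
    trusted = any(is_subdomain_of(host, d) for d in expected_domains)
    return {"destination": destination, "host": host, "trusted": trusted}


if __name__ == "__main__":
    # Constructed sample links
    for link in (
        "https://login.microsoftonline.com.recovery-portal.co/",
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fitknowledgebases.com%2Flogin&data=PLACEHOLDER",
    ):
        print(check_link(link))
```

For links to any other vendor, pass that vendor’s real domains as `expected_domains`; the point of the check is that the trusted set is decided before the message arrives, not read off the link text.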
3. Urgent or Threatening Language
Phishing thrives on pressure. “Your account will be deactivated in 24 hours” or “Unusual sign-in detected” are designed to create panic. Train users to pause and verify through official channels before reacting.
4. Unexpected Attachments or File Types
Attackers rely on curiosity. Watch for file names or double extensions meant to trick users:
invoice.pdf.exe
report.zip
Open suspicious attachments only in a sandboxed environment or scan them with an internal analysis tool. We may release a tool for this someday, but today I recommend using VirusTotal (if you don’t mind your file being public).
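A mail gateway or help-desk script can apply the same eye test to attachment names. The Python below is an added example, not a tool from this site: it takes the last extension as the one the operating system will actually act on, flags executable and archive types, and reports a double extension when a document-looking suffix such as `.pdf` sits in front of something else. The extension lists are a constructed policy for the example; tune them to your environment.

```python
from pathlib import PurePosixPath

# Constructed policy for the example: extensions that run code, that can hide
# other files, and that users expect to be harmless documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi", ".hta", ".lnk"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".jpg", ".png"}


def classify_attachment(filename: str) -> dict:
    """Report why an attachment name deserves a second look.

    The last suffix is what the OS honours, so "invoice.pdf.exe" is an
    executable that merely looks like a PDF in a mail client that hides
    extensions.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    reasons = []

    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable file type {real_ext}")
    if real_ext in ARCHIVE_EXTS:
        reasons.append(f"archive {real_ext} hides its contents from the gateway")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and real_ext not in DOCUMENT_EXTS:
        reasons.append(f"double extension: looks like {suffixes[-2]} but is really {real_ext}")

    return {
        "filename": filename,
        "real_extension": real_ext,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names, including the two from the article
    for name in ("invoice.pdf.exe", "report.zip", "Q3-report.pdf", "photo.jpg.scr"):
        print(classify_attachment(name))
```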
5. Poor Branding and Formatting
While today’s phishing kits can copy logos perfectly, sloppy design is still common. Look for off-center logos, mismatched fonts, or outdated templates. These subtle inconsistencies often reveal automation or rushed campaigns.
6. Authentication or Login Prompts in the Email
Legitimate companies never ask you to re-enter your password or MFA code directly inside an email. Any “login” button should take you to a known, HTTPS-secured site. Always confirm certificates and check for lock icons in the browser.
7. Suspicious Replies and Request Types
Phishing emails often ask for abnormal requests: wire transfers, gift cards, or sensitive data. Even if it appears to come from an executive, verify through a separate channel like Teams, Slack, or a phone call before taking action.
Pro Tip: Even legitimate websites can appear “high-risk” in automated scanners—especially when they use redirects or third-party SSO. That’s why tools like Phishing Check display screenshots, headers, and WHOIS data so you can decide with context.
Phishing Awareness Starts With Habit
Spotting phishing emails isn’t about memorizing every trick—it’s about building slow, skeptical habits. Encourage staff to report suspicious messages immediately, and reward vigilance. Pair this with technical controls like SPF, DKIM, DMARC, and multi-factor authentication for a layered defense.
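SPF, DKIM and DMARC do their work on the receiving mail server, which records the verdicts in an Authentication-Results header. The Python below is an added example, not a tool from this site, showing how that header is read and why alignment matters: an SPF or DKIM pass only vouches for the visible From: domain when the authenticated domain lines up with it, which is exactly what DMARC enforces. Both sample messages are constructed for the example, and the alignment rule is a simplification of DMARC’s relaxed mode (real implementations use the organizational domain from the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a genuine message, authenticated and aligned.
SAMPLE_PASSING = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.microsoft.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com
From: Microsoft account team <account-security-noreply@microsoft.com>
Subject: Unusual sign-in activity

(body)
"""

# Constructed sample: the From: header claims microsoft.com, but SPF passed
# only for the attacker's own envelope domain, so nothing aligns.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=m1crosoft-security.com;
 dkim=none;
 dmarc=fail header.from=microsoft.com
From: Microsoft Security <support@microsoft.com>
Subject: Urgent Action Required

(body)
"""


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc results and the domain each one was checked for.

    Clauses are ';'-separated; the first clause is the server's own id.
    """
    results = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([\w.-]+)", rest)
        results[method] = {
            "result": result.lower(),
            "domain": dom.group(1).lower() if dom else None,
        }
    return results


def aligned(auth_domain, from_domain) -> bool:
    """Relaxed alignment: identical domains, or one is a subdomain of the other.

    Simplified for the example; real DMARC compares organizational domains.
    """
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def evaluate_message(raw: str) -> dict:
    """Decide whether the From: domain is backed by an aligned SPF/DKIM pass or a DMARC pass."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})
    spf_aligned = spf.get("result") == "pass" and aligned(spf.get("domain"), from_domain)
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim.get("domain"), from_domain)
    dmarc_result = dmarc.get("result")

    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_result,
        "trust_from_header": dmarc_result == "pass" or spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    print(evaluate_message(SAMPLE_PASSING))
    print(evaluate_message(SAMPLE_SPOOFED))
```

Note that the spoofed sample still shows `spf=pass`: a passing SPF line on its own proves nothing about the address the user sees, which is why a reviewer reads the domain next to the verdict rather than the verdict alone.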
Use the red flags above to review your inbox daily. Phishing awareness isn’t paranoia—it’s protection.
Try These Related Tools:
Lastly, we are still getting started trying to refine and make these tools better. Here are two ways to support us.
- Next Cat 6 cable purchase: try these out https://amzn.to/3KWglGg
- Buy us some Coffee: https://buymeacoffee.com/itknowledgebases