“Unusual sign-in activity on your Microsoft account.” Microsoft really does send this exact email — and it’s one of the most-spoofed messages on the internet. If one just landed in your inbox, here’s how to tell the genuine alert from the fake, and the safest way to check.
Published 17 July 2026 · ~7 min read · By the Phixo team
The subject line alone is enough to spike your pulse: “Microsoft account unusual sign-in activity.” Someone, somewhere, may have just tried to get into your email, your OneDrive, your saved files. The message offers a button to review the activity — and every instinct says to click it right now.
Here’s what makes this one genuinely tricky: Microsoft sends this exact email, routinely. Any unusual login or failed sign-in attempt on a Microsoft account can trigger a real alert. Scammers know you’ve seen the genuine version before, so they copy it almost perfectly and swap the button for a fake login page. The good news: real Microsoft alerts follow consistent rules, and the fakes almost always break at least one. Here’s how to check in under a minute.
Treat a Microsoft sign-in alert as fake if any of these are true: it comes from an address that isn’t on a microsoft.com domain, it threatens to suspend or close your account within hours, it asks you to “verify” your password or payment details, or it carries an attachment. The single most reliable move: don’t click anything in the email. Open a fresh tab, type account.microsoft.com yourself, and open Security → Sign-in activity. Every real sign-in and sign-in attempt is listed there. If the email’s warning isn’t reflected in that list, the email is the fake — not the login.
Knowing the genuine pattern makes the fakes stand out:
Important nuance: a real “unusual sign-in activity” email often refers to a failed attempt — someone trying an old leaked password against thousands of accounts, including yours, and getting blocked. Alarming to read, but it usually means the system worked. The fake weaponises that exact fear to rush you onto a lookalike login page.
The display name — “Microsoft Account Team,” “Microsoft Security” — is trivial to fake. The address behind it is harder. Tap or click the sender name to reveal the full address and read the part after the @.
Real alerts come from account-security-noreply@accountprotection.microsoft.com. The key is the registered domain: accountprotection.microsoft.com is a subdomain of microsoft.com. microsoft-account-alert.com is a completely different domain that merely contains the word “microsoft.”
“Verify within 24 hours or your account will be permanently suspended.” Microsoft doesn’t suspend your account for ignoring a sign-in notification — that would make no sense; the notification exists to protect the account. Urgency plus a threat is the oldest pressure combination in phishing, and it’s there to stop you from doing exactly what this article suggests: checking calmly through the official site.
Before clicking, hover over the button (or press and hold on mobile) to preview the true destination.
A genuine review link lives on account.live.com or account.microsoft.com. If the destination is a different domain, a shortened URL, or a raw IP address, don’t click.
That last pattern catches even careful readers: the address starts with the real domain, but everything before the final two segments is just a subdomain the scammer created. Read domains from the right: the registered domain is the part immediately before the last dot-something.
The entire purpose of a phishing page is to capture what you type. A real Microsoft alert only asks you to look at your activity. Any “security alert” that routes you to a form demanding your password, a code, or card details should be treated as hostile.
Microsoft knows your name and usually addresses the account by its email address. “Dear User” or “Dear Customer” in a security alert is a strong tell that the message was blasted to a list, not generated for your account.
Every sign above helps, but one move beats them all because it takes the email out of the equation entirely: check your sign-in activity at the source.
If the email’s warning isn’t reflected in that list, the email is the fake — not the login. And if you do see an attempt you don’t recognise, you can secure the account from that same page — change the password, sign out other sessions — without ever touching the email.
This verify-at-the-source habit defends you against nearly every brand-impersonation scam. It’s the same principle we walk through for the fake Google “security alert” email — the Google and Microsoft versions of this scam are near-identical twins.
Three things make the Microsoft version unusually effective. First, the real email exists and is common — if you use Outlook, Xbox, OneDrive or Windows, you’ve probably received a genuine one, so the fake arrives pre-trusted. Second, a Microsoft account is a master key: email, files, purchases, sometimes your Windows login itself — the fear of losing it all is strong enough to override caution. Third, the real alerts are often about failed attempts, so people have learned these emails sometimes really do mean someone is probing their account.
A convincing fake copies Microsoft’s layout, logo and wording exactly. That’s why appearance is the wrong thing to judge on. The reliable tells — the sender domain, the true link destination, and whether the activity actually appears at account.microsoft.com — are things a scammer can’t fake by copying a template. If you want to see the technical trail an email leaves, our free email header analyzer shows where a message really came from and whether it passed authentication.
Don’t panic — act quickly. Go to account.microsoft.com directly (not through the email) and:
We’ve written a calm, step-by-step guide for exactly this moment: what to do if you clicked on a phishing link. And to get sharper at catching these before they catch you, see the 8 warning signs of a phishing email.
Yes. Microsoft genuinely emails you when it notices a sign-in or sign-in attempt that doesn’t match your usual pattern — from account-security-noreply@accountprotection.microsoft.com. Real alerts include the date, approximate location and device of the attempt, and link only to Microsoft’s own domains. Because these real alerts are so common, scammers copy them closely.
A real alert comes from a microsoft.com address, shows the specific sign-in details, never asks for your password or payment inside the email, and links only to account.microsoft.com or account.live.com. Treat it as fake if the sender domain is anything else, if it threatens to suspend your account within hours, or if it asks you to confirm credentials or card details.
Don’t click anything in the email. Open a new tab, type account.microsoft.com yourself, sign in, and open Security → Sign-in activity. Every recent sign-in and attempt is listed there. If the email’s warning isn’t reflected in that list, the email is the fake, not the login.
Phixo is a browser extension that checks the email open in your Gmail or Outlook against several of the signals above — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, and flags anything suspicious in seconds. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.
Install Phixo free →Your email body is never stored. Analysis happens in real time and is discarded immediately.