I'm picking up on a topic that is already known in roughly this form. Owners of Microsoft Office 365 accounts receive appointment invitations claiming that an action needs to be carried out. Behind them, however, is a phisher who is trying to rip off victims. I have now come across a case where the emails come from Microsoft.
Information from a reader
German blog reader Lars S. contacted me in a short email on May 22, 2025, and wrote that the topic of "phishing emails in connection with Office365 accounts and appointment invitations" was already known. What is new for him, however, is the fact that these appointment invitations are currently coming from or on behalf of Microsoft (see screenshot below).
The invitation pretends to come from billing.microsoft.com or Microsoft Billing and the subject line suggests that a payment has failed (ACTION REQIRED: Microsoft 365 Payment Failure).
The recipient is supposed to accept or reject the "appointment" – and the screenshot shows an HTML file that supposedly refers to a Microsoft 365 Secure Payment Portal. Unfortunately, I don't have any further details, so I can't say what happens when the file is selected – presumably the phishing page opens.
The reader writes that the people contacted have Microsoft 365 accounts and adds that Microsoft is apparently unable to filter out or recognize these phishing attacks from the notifications.
The scam is already known
I did some quick research – there must have been a campaign in mid-May 2025. The people at MailGuard already published a warning on May 19, 2025 in the form of the article Subscription Phishing Scam Harvests Personal & Financial Data.
Phishing message, source: MailGuard
The "alert" states that MailGuard has intercepted a new phishing email campaign (see image above) aimed at fooling Microsoft 365 users with a fake notification about renewing their subscription. In the above warning, the attack begins with an email purporting to be from "Microsoft Billing" (see image above), alerting the recipient that their Microsoft 365 subscription could not be renewed.
In the case of the reader described above, however, no e-mail was sent, but an appointment invitation with the same thrust. In all cases, a sense of urgency is created and the time is blocked in the victim's diary to force them to act quickly.
There is a major campaign underway, MailGuard writes, and the notification is intended to entice victims to open a malicious .htm attachment. The target page that is then displayed imitates a legitimate Microsoft billing portal.
Microsoft billing fake page, source: MailGuard
Victims are asked to enter their credit card and contact details under the pretense of a monthly bill for 5.29 dollars. The email or appointment invitation does not come from Microsoft, but from a compromised (.store) domain. The attachment is a phishing trap designed to steal data (credit card details, personal and company details or email credentials).
According to MailGuard, the campaign has been carefully designed to bypass the usual email filters and exploit trust in the Microsoft brand. At the end of the day, however, it boils down to fraud. Perhaps warn users in the company accordingly. Thanks to the reader for the tip.
Incidentally, the scam is not new: there was already this Microsoft Answers forum post in 2023, and I also found this forum post on similar approaches in 2024.
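The traits reported above (a "Microsoft Billing" display name on a non-Microsoft sender domain, a calendar invitation, and an .htm attachment) can be checked mechanically during mail triage. The following Python is an added example, not code from MailGuard or this blog; the trusted-domain list, the function name `triage`, and the sample message with its `.example` sender are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains you accept for Microsoft-branded mail in your environment.
TRUSTED = ("microsoft.com",)

# Constructed sample message (not a real capture); sender domain is a placeholder.
SAMPLE = """\
From: Microsoft Billing <billing@compromised-store.example>
To: user@example.com
Subject: ACTION REQIRED: Microsoft 365 Payment Failure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
END:VEVENT
END:VCALENDAR
--b1
Content-Type: text/html; name="portal.htm"
Content-Disposition: attachment; filename="portal.htm"

<html><body>constructed placeholder</body></html>
--b1--
"""

def triage(raw: str) -> list[str]:
    """Return the indicators from the article that are present in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED)
    if "microsoft" in name.lower() and not trusted:
        findings.append(f"brand-mismatch:{domain}")   # Microsoft name, foreign domain
    parts = list(msg.walk())
    if any(p.get_content_type() == "text/calendar" for p in parts):
        findings.append("calendar-invite")             # arrives as a meeting request
    for p in parts:
        fname = (p.get_filename() or "").lower()
        if fname.endswith((".htm", ".html")):
            findings.append(f"html-attachment:{fname}")  # local HTML lure
    return findings
```

The From header is trivially forgeable, so treat the domain check as one signal alongside SPF, DKIM and DMARC results rather than a verdict.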
Another reader report
After publishing the German edition of this blog post, another blog reader got in touch. He had received exactly the same emails and meeting invitation, as described in the article, in his Office 365 calendar. The reader wrote: "However, this was not sent to me personally, but to a mailing list in which quite a few colleagues from my company are added." Here are some screenshots of the email and the calendar entry.
The required source code for the HTML page to be displayed is then generated dynamically using a script.