Is accountprotection.microsoft email a legitimate sender of security alerts?
Are the emails from "account-security-noreply@accountprotection.microsoft.com" fake, or are they legitimate?
I have been getting emails from "account-security-noreply@accountprotection.microsoft.com" about unusual activity. The internet has very conflicting information about if these emails are legitimate or not. Microsoft's own website says this is their legitimate sender address for account activity alerts. A legitimate email message should originate from the Microsoft account team at account-security-noreply@accountprotection.microsoft.com.
But here, the Georgia College help desk lists this exact email, from that exact sender address, as a phishing attempt - Many people at GC are receiving one of the more popular phishing scam emails. It appears to be from Microsoft, a “Security Alert'' wanting you to revalidate your account. Know that this is not from Microsoft. It’s a very elaborate phish. Do not click on any link in this email. Please delete it. If you did click on the email, please reset your Unify password (and subsequent email password) at password.gcsu.edu. From: Microsoft account team account-security-noreply@accountprotection.microsoft.com Sent: Monday, April 3, 2017 3:36 AM Subject: Microsoft account security alert
You can not trust that a sender address is correct if its from accountprotection.microsoft email. They are trivially easy to fake.
The SMTP (email) protocol allows the creator of an email to state any sender address they want. There is no validation that the sender actually controls that address. And even if the receiving mail server does some form of sender validation, like checking if the IP address of the sender matches the domain they claim to be from, there are also some quirks in the UI of many email readers which can be exploited to display a (fake) email address as the name of the sender.
When you receive some email which claims that you need to do something on some account on some website, and this appears to be plausible (you actually have an account on that site), then take a good look at the URL the link leads to. The domain name says who controls that link. The domain name is the thing which comes before the first slash.
- These URLs all lead to Microsoft:
- https://microsoft.com/account
- https://account.microsoft.com/account
- https://account.microsoft.com/account?someTrackingId=689392356034706528902345
- The following URLs are examples which do not lead to Microsoft. They all lead to a domains which might be controlled by someone else:
- https://microsoft.com.example.com/account
- https://example.com/microsoft.com/account
- https://example.com/?https://account.microsoft.com/account
- https://example.com/#https://account.microsoft.com/account
- https://totallylegitaccountportaljusttrustme-microsoft.com/account
- https://microsoft.com:microsoft.com@example.com
The last one is an example of a rarely used URL format which includes an username and a password (which are in this case both microsoft.com). The actual URL being requested is after the @ symbol.
If you decided that the link is probably fine, you click on it and get lead to a login form which looks trustworthy at first glance and did apparently not yet install any malware using drive-by download, then you should also check if the site is loaded over HTTPS (any reputable site will use https-only on their login form) and check if the certificate is actually signed for the company the site claims to be.
Some guides for detecting phishing attempts say that you should look for signs like broken images or non-functional links. I consider this bad advice, because it is based on the prejudice that all phishers are shoddy webmasters. The scene got a lot more professional in the past years. You should focus your attention on those things they can not fake with sufficient effort.