Microsoft 365 Password Phishing Alert — Don't Click That 'Retain Password' Email

Security Alert | April 20, 2026 | 5 min read | By REMAC Enterprises

An active phishing email pretending to be Microsoft is hitting business inboxes across the northwest Chicagoland suburbs. It claims your password expires in 24 hours and pushes a "Retain Password" button — and it's sneaky enough to bypass MFA if you click.

A Fake Microsoft Email Is Hitting Business Inboxes — Don't Click

If you or someone on your team has received an email claiming your Microsoft 365 password will expire in 24 hours with a big blue "Retain Password" button, stop right there — don't click anything.

Customers across the northwest Chicagoland suburbs have been reporting this phishing attempt over the last several days. It's designed to look like an official Microsoft notification, and it's convincing enough to fool even cautious people.

Even worse: this isn't a garden-variety scam. Microsoft's own security team confirmed in April 2026 that this wave is part of an AI-driven device-code phishing campaign targeting 340+ organizations across the US, Canada, Australia, New Zealand, and Germany — and it can bypass multi-factor authentication (MFA) if you click.

What the Scam Looks Like

The phishing email is designed to look like an official Microsoft notification. It typically includes:

  • A subject line like "Your password will expire soon" or "Action Required: Password Expiration"
  • A generic greeting (no name — just "Dear user" or similar)
  • Urgent language claiming your password expires in 24 hours
  • A scary warning that you'll "be unable to sign in to email, OneDrive, Teams, and other Microsoft 365 services"
  • A big button labeled "Retain Password" — this phrase alone is a giveaway, because Microsoft never uses it
  • A fake reference code (something like Ref- 23132e59b8afbc4ab34698) to look official
  • Microsoft branding and footer ("© 2026 Microsoft Corporation, One Microsoft Way, Redmond, WA")

The email usually renders with slightly off-brand styling — pink-ish backgrounds, awkward spacing, or inconsistent fonts — but someone in a rush wouldn't notice.

Why This Scam Is Especially Dangerous — It Can Bypass MFA

Most phishing attacks just want your password. This one is different.

The attackers use a technique called device-code phishing. Here's the short version: the attacker starts a device-code sign-in on their own machine, which gives them a short code to hand to a victim. The "Retain Password" link leads you to enter that code on Microsoft's real device-login page at microsoft.com/devicelogin, which is why it feels legitimate. You sign in with your real credentials and approve your MFA prompt, and in doing so you unknowingly approve the attacker's pending sign-in instead of starting one of your own.

The access token they receive stays valid for hours, and the refresh token behind it can last up to 90 days — even with MFA turned on. Your MFA prompt fires once during that initial sign-in, and from that point on the attackers can refresh their access without triggering another prompt until your IT team explicitly revokes the session.

They target exactly the kind of small and mid-size businesses we serve every day: construction, real estate, manufacturing, non-profits, healthcare, legal, and financial services.

6 Red Flags to Spot This Scam

Before you click any "password expiration" email, check for these warning signs:

  1. "Retain Password" button — Microsoft never uses this phrase. Real password actions say "Change password" or "Update password."
  2. Generic greeting — "Dear user" instead of your actual name means it's a bulk send.
  3. Fake urgency — "24-hour" countdowns are a classic phishing pressure tactic.
  4. Random reference codes — Long alphanumeric codes that exist only to look official are theater, not proof of legitimacy.
  5. Odd styling — Weird background colors, awkward spacing, or off-brand fonts.
  6. Vague sender address — Check the actual "from" email address. It's almost never a real microsoft.com domain.

**Key fact:** Real Microsoft password expiration warnings don't come as HTML emails with big "Retain Password" buttons. Even if your organization does enforce password expiration, you'll see those warnings inside your Windows sign-in screen or Microsoft 365 portal — not in an email telling you to click a button. Any "password expired" email with a button is almost certainly a scam.

What to Do If You Already Clicked

Don't panic, but act fast:

  1. Change your Microsoft 365 password immediately — from a different, trusted device
  2. Sign out of all active sessions in your Microsoft account (Account → Security → Sign me out everywhere)
  3. Review recent sign-in activity for anything you don't recognize — different locations, unfamiliar devices, or odd times
  4. Tell your IT team or provider so they can check for suspicious account activity, forwarding rules, or mailbox rules you didn't create
  5. Re-check your MFA settings — if you were using SMS, consider switching to an authenticator app
  6. Watch for unusual emails being sent from your account or invoice fraud attempts in the weeks that follow

If you're not sure how to do any of this — call us. We'll walk through it with you.

How to Protect Your Business Going Forward

A few simple habits protect your team from most phishing attempts:

  • Microsoft's default and recommended setting is "passwords never expire" (aligned with NIST guidance). If your organization does enforce expiration, warnings appear in your sign-in screens — not as HTML emails with "Retain Password" buttons
  • Never click password links in emails. Instead, go directly to office.com or login.microsoftonline.com in your browser
  • Train your team. Most phishing attacks succeed because one person on staff clicks without thinking. A 15-minute training session saves weeks of cleanup
  • Use conditional access policies. These can block logins from countries you don't do business in, untrusted devices, or unusual sign-in patterns
  • Review user sign-in logs monthly. If something's off, you want to catch it in days, not months
  • Enable phishing-resistant MFA (authenticator apps or hardware keys — not SMS)
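The device-code mechanism described above and the "review user sign-in logs" habit come together in this added example, which is not REMAC's code or Microsoft's: it scans sign-in records for the device-code flow and rates each one. The record field names (userPrincipalName, authenticationProtocol, location.countryOrRegion, status.errorCode) are assumed to match the Microsoft Graph sign-in log shape; the records themselves and the allowed-country list are constructed for illustration.

```python
# Added example, not from the original post. Flags device-code sign-ins in
# sign-in log records. Field names are assumed to follow the Microsoft Graph
# signIn resource; the sample records below are constructed.
import json

# Countries the (hypothetical) business actually operates from.
ALLOWED_COUNTRIES = {"US"}

# Constructed sample records, shaped like Graph /auditLogs/signIns output.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-20T13:02:11Z", "userPrincipalName": "amy@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-20T13:05:40Z", "userPrincipalName": "amy@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-20T14:11:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
])


def find_device_code_signins(raw_json, allowed=ALLOWED_COUNTRIES):
    """Return (user, ip, country, severity) for every device-code sign-in.

    Severity is 'high' when the sign-in succeeded from outside the allowed
    countries: the victim completed MFA while the attacker's client, somewhere
    else, received the token. A successful sign-in from an allowed country is
    'medium' (legitimate device-code use is rare in small businesses), and a
    failed attempt is 'low' but still worth asking the user what they clicked.
    """
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        country = rec.get("location", {}).get("countryOrRegion", "??")
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if succeeded and country not in allowed:
            severity = "high"
        elif succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append((rec["userPrincipalName"], rec["ipAddress"], country, severity))
    return findings


def users_to_revoke(findings):
    """Users whose sessions should be revoked (step 2 of the checklist above)."""
    return sorted({user for user, _, _, sev in findings if sev == "high"})


if __name__ == "__main__":
    found = find_device_code_signins(SAMPLE_SIGNINS)
    for item in found:
        print(*item)
    print("revoke sessions for:", users_to_revoke(found))
```

Run against a real export, the "high" findings are the accounts to reset and sign out everywhere first; the refresh token described earlier keeps working until that revocation happens.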

We're Here to Help

If you're running a business anywhere in the northwest Chicagoland suburbs and you're not 100% sure your team knows how to spot this email — we'd rather hear from you now than after an incident.

REMAC provides Microsoft 365 security reviews, phishing awareness training, and conditional access setup for small and mid-size local businesses. We've been serving the suburbs since 2012.

Call (773) 888-5395 or contact us online for a no-pressure conversation.

Stay safe out there.

#scam-alert #security #phishing #microsoft-365 #M365 #MFA-bypass #business-security #NW-suburbs