Phishing Email: How to find out if the email is fake?


Recently, I got spear phished. I want to show you how to find out if the email you got is fake. This article will guide you through the checks that help you take extra care and not overlook the little things when you are in a hurry.

This email ID is my work email and I do not share it with unimportant people. So let's take a look.

First of all, you will never receive an email from the Microsoft team telling you to upgrade your account or it will be deactivated. Companies don’t send such emails. They just ask whether you are okay with your current account or want an upgrade (to OneDrive or any of their commercial products).

Secondly, there is the mistake “Dear Outlook User.”, which ends with a period if you look closely.

Thirdly, it says “Verify Your Account” and hides the actual address behind a button. They have used “bit.ly”, a link-shortening website, so the real link is not shown, whereas actual company emails always show the link. They write the link out without giving you a button.

The fourth point is that it is sent by “Microsoft admin”. Lol! Who is this Microsoft admin who would send you that? No company’s admin sends such emails.

Okay, now moving on to the next step. When I clicked on “Verify Your Account”, I got redirected to this URL:

"https://dunyabayrak.com.tr/wp-content/uploads/2018/02/new2step/newauto2.php?iloveyou=&id=6ff6b54df30130195f85f369faa2fc196ff6b54df30130195f85f369faa2fc19&session=6ff6b54df30130195f85f369faa2fc196ff6b54df30130195f85f369faa2fc19&session2=g>6ff6b54df30130195f85f369faa2fc196ff6b54df30130195f85f369faa2fc19&session3=6ff6b54df30130195f85f369faa2fc196ff6b54df30130195f85f369faa2fc19"

and the page looked like:

Look at this URL closely. It doesn’t look like a Microsoft domain. Plus, wp-content? Kidding me? Microsoft has its own servers. They will never use WordPress for their URLs.
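The URL checks described so far (link shortener, non-Microsoft domain, wp-content path, the same long token repeated in several parameters) can be written as a small triage function. This is an added example, not part of the original post; the domain lists are illustrative assumptions and the sample URL is constructed to mirror the shape of the redirect above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative lists; a real deployment would maintain its own.
EXPECTED_DOMAINS = {"microsoft.com", "live.com", "outlook.com", "office.com"}
SHORTENERS = {"bit.ly"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$", re.I)

def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def url_red_flags(url):
    """List the reasons a link claiming to be a Microsoft sign-in looks wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _under(host, SHORTENERS):
        # The destination is hidden; the other checks apply to the resolved URL.
        return ["shortener"]
    flags = []
    if not _under(host, EXPECTED_DOMAINS):
        flags.append("unexpected-domain")
    if "/wp-content/" in parts.path.lower():
        flags.append("wordpress-upload-path")
    # Phishing kits often stuff one random-looking token into several
    # parameters to make the URL look like a real session link.
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    tokens = [v for v in values if HEX_TOKEN.match(v)]
    if len(tokens) >= 2 and len(set(tokens)) == 1:
        flags.append("repeated-token")
    return flags

# Constructed sample: same path and parameter shape as the redirect in this
# post, on a reserved example host with a made-up token.
_T = "ab12" * 16
SAMPLE_LANDING = (
    "https://shop.example/wp-content/uploads/2018/02/new2step/newauto2.php"
    f"?iloveyou=&id={_T}&session={_T}&session3={_T}"
)

if __name__ == "__main__":
    for u in ("https://bit.ly/abc123", SAMPLE_LANDING,
              "https://login.live.com/login.srf"):
        print(url_red_flags(u), u[:60])
```
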

Now, look at the content at that URL. It is again asking me for my Microsoft account details. They will never ask for that. Why? Because I am already logged in. They could ask for my password for verification, but not the email ID again, because they already have my session.

I used Inspect element to see the action for this form and the code looked like this:

step2.php is the action file. It could be legit, but then there is “name=chalbhai” and “input name=iloveyou”. Indian hacker. *Sigh*

The above image shows the PHP file the password is submitted to, d0ns00p82.php, which is not a legit file for a Microsoft password check.

When I entered a password (not my own, obviously!), it showed this:

That simply means it will never accept the password, even if it is right. It will keep asking, like an infinite loop, until you get frustrated and finally close the tab.

That is it folks,

Stay Safe.