Security Alert: The “Self-Sender” Phishing Surge

In the last few days, our team has tracked an increase in a sophisticated phishing tactic targeting Microsoft 365 users. Many of our clients are reporting emails that appear to be sent from their own email address to themselves.

Why is this happening?

Cybercriminals are using “spoofing” techniques to trick your email system into thinking the message originated internally. Even with modern security protocols active, attackers are finding small gaps in email filtering to land these messages directly in your Inbox.


How to Recognize the Scam

These emails are designed to create a sense of urgency. Look out for these common “Self-Sender” variations:

  • The Voicemail Alert: An email claiming you have a missed call, with an HTML or ZIP attachment such as “VoiceMessage.zip.”
  • The Password/MFA Warning: A notification stating your password or Multi-Factor Authentication is about to expire, urging you to “Click here to keep current password.”
  • The Shared Document: A fake notification from SharePoint or OneDrive claiming you have shared a sensitive file with an external party, prompting you to “Review Permissions.”

What You Should Do

  • Verify the Sender: Even if the “From” name looks like yours, hover your mouse over the name to see if the underlying address is actually different, or check if the email has an “External” banner.
  • Think Before You Click: If you didn’t send yourself a file or a voicemail, don’t open it. Microsoft 365 rarely sends password expiration notices that look like standard emails.
  • Report the Email: Use the Report Message or Report Phishing button in your Outlook toolbar. This helps train the global filters to catch these variations faster.

What You Should NOT Do

  • DO NOT open attachments: ZIP, HTML, and PDF attachments in these emails often contain malware or links to credential-stealing websites.
  • DO NOT reply: Replying to the email confirms to the attacker that your account is active and being monitored.
  • DO NOT assume “Internal” means “Safe”: Just because an email appears to come from your domain does not mean it is safe. Treat every unexpected attachment with suspicion.
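
For mail administrators, the recognition checks above (sender matches recipient, display name hiding a different address, ZIP/HTML/PDF attachments) can be run over a reported message. This is an added example, not part of the original alert or any Microsoft tooling; the function name, the sample messages and the reliance on an Authentication-Results header with a dmarc= verdict are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

RISKY_EXT = (".zip", ".html", ".htm", ".pdf")  # attachment types the alert names

def triage(raw):
    """Return the reasons a raw RFC 5322 message matches the self-sender pattern."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender, display = sender.lower(), display.lower()
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", [])) if addr}
    reasons = []
    if sender in rcpts:
        reasons.append("from-equals-recipient")
    elif any(r in display for r in rcpts):
        # Display name shows the recipient's address; the underlying address differs.
        reasons.append("display-name-imitates-recipient")
    # Assumption: the receiving server records its checks in Authentication-Results.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if reasons and "dmarc=pass" not in auth:
        reasons.append("sender-domain-not-authenticated")
    names = [part.get_filename() or "" for part in msg.walk()]
    if reasons and any(n.lower().endswith(RISKY_EXT) for n in names):
        reasons.append("risky-attachment")
    return reasons

# Constructed samples; example.com and example.net are placeholder domains.
SPOOFED = """\
From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have a new voice message.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="VoiceMessage.zip"

constructed
--b1--
"""
LOOKALIKE = ('From: "alice@example.com" <notice@example.net>\n'
             "To: alice@example.com\n"
             "Authentication-Results: mx.example.com; dmarc=pass\n\nReview Permissions\n")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(LOOKALIKE))
```

A message you genuinely sent to yourself returns only "from-equals-recipient"; it is the combination with a failed authentication verdict or a risky attachment that marks the pattern described in this alert.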

Our Commitment to Your Security

We are actively working behind the scenes to update “Allow Lists” and transport rules to block these spoofed messages. If you are unsure about a specific email, please contact our support desk immediately.