It's as if Microsoft *wants* people to fall for phishing scams with weird domain names. How am I supposed to know if "microsoftonline dot com" is legit?
@th this toot made me nervous, and I've never even used Teams!
@th How is uncle Bob supposed to know that microsoft[.]com is legit?
@th not to mention that the latest incarnation of Outlook no longer writes "From:" or shows the address in the preview pane… #golfclap
@cynicalsecurity @th holy shit are you serious!?

@th Microsoft's understanding of security is atrocious. I get several popups on my work PC every day asking me to log in, but nothing is telling me which application the popup belongs to.

I can refuse to log in, and have a random selection of Teams, OneDrive, Outlook, etc. stop working; or I can log in and pray it was a real login prompt and not a phishing attempt.

@pianosaurus @th

It's a weird company on the inside. MSRC has some phenomenal people, who really understand every layer of security. And then product teams that completely ignore their recommendations and don't bother to ask their help because they don't even understand that security is a problem. And an internal operational group that doesn't talk to MSRC, and that MSRC has given up talking to because they just ignore recommendations and chase buzzwords.

@david_chisnall @th I can believe that. I wish at least the teams working on their core backend systems, such as Entra, would listen a bit more. The whole issue with actor tokens (I think it was CVE-2025-55241) left a sour taste in my mouth. One forgotten tenant check, and there were apparently no internal barriers between tenants beyond that point, and no logging. That tells me a lot about their feature-chasing-over-security sensibilities.
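The "one forgotten tenant check" pattern described in the post above, as an added example that is not part of the thread and not Entra's code: a multi-tenant API that verifies a token's signature, audience and expiry but never pins the token's tenant claim (`tid`) to the tenant whose data is being served, beside the hardened version that does and that writes an audit entry for every decision. Tokens are minted in-block with HS256 over a constructed demo key purely so the example runs offline; real Entra tokens are RS256-signed and verified against published keys, and the claim names, key and tenant IDs here are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key; a real service would verify RS256 against published JWKs.
DEMO_KEY = b"demo-signing-key-not-real"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact header.payload.signature token signed with HS256 (demo only)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def parse_and_verify(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the signature is valid, else raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64u_decode(payload))


def tamper_tenant(token: str, new_tid: str) -> str:
    """Attacker helper: rewrite the tid claim while keeping the original signature.
    Used to show that the tenant pin must sit behind signature verification."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64u_decode(payload))
    claims["tid"] = new_tid
    return f"{header}.{_b64u(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def check_request_weak(token: str, expected_aud: str, now: int):
    """Weak: signature, audience and expiry only. Nothing ties the token to the
    tenant whose data the caller is about to read, so a token minted in tenant A
    is accepted when the request targets tenant B."""
    try:
        claims = parse_and_verify(token)
    except ValueError:
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


def check_request(token: str, expected_aud: str, expected_tid: str,
                  audit_log: list, now: int):
    """Hardened: the same checks plus a tenant pin, and every decision is logged
    with the claims that failed so a cross-tenant attempt leaves a trace."""
    try:
        claims = parse_and_verify(token)
    except ValueError:
        audit_log.append({"result": "deny", "reasons": ["signature"],
                          "expected_tid": expected_tid})
        return None
    reasons = []
    if claims.get("aud") != expected_aud:
        reasons.append("aud")
    if claims.get("exp", 0) <= now:
        reasons.append("exp")
    if claims.get("tid") != expected_tid:  # the check that is easy to forget
        reasons.append("tid")
    audit_log.append({"result": "deny" if reasons else "allow", "reasons": reasons,
                      "sub": claims.get("sub"), "tid": claims.get("tid"),
                      "expected_tid": expected_tid})
    return None if reasons else claims


if __name__ == "__main__":
    NOW = 1_700_000_000
    tok = mint_token({"sub": "svc", "aud": "api://tenant-data",
                      "tid": "tenant-a", "exp": NOW + 600})
    log = []
    print("weak, serving tenant-b:", check_request_weak(tok, "api://tenant-data", NOW) is not None)
    print("hardened, serving tenant-b:", check_request(tok, "api://tenant-data", "tenant-b", log, NOW))
    print("audit:", log[-1])
```

The weak variant accepts the tenant-a token for a tenant-b request, and there is no log line to find afterwards; the hardened variant denies it with `reasons == ["tid"]` and records who tried. The tenant pin sits after signature verification on purpose: a forged `tid` in an unsigned-over payload must fail on the signature, not be trusted by the pin.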
@th even if it is legit, I can't understand the message. I guess that's a Firefox thing, but I think I have never seen that popup.

@quite @th I think you see this if you increase your security settings. One domain accessing the cookies of another violates what cookies are supposed to be.

This is a very stupid design on MS' part.

@th Yes, they do. Did you know that Microsoft actually (yes, really) gives out cash rewards to random users of Microsoft software? They send out e-mails to that effect. All you have to do is click the link. 🤦

(PS: It's hosted on microsoftrewards[.]com but uses a couple of short links from the official aka[.]ms shortener, with links to rewards.bing[.]com which corroborate that it's actually really real.)

@th It's terrible optics.

But if you're having persistent trouble with multiple MS accounts, login.microsoftonline.com is the place you want to go to nuke cookies so you can use a different account.

@tychotithonus

@th nowadays Teams works without 3rd party cookies (for me, in Firefox). I refused to use it on my main work laptop until it did, and at some point I even had a separate laptop called "dreck" (dirt) for Teams, Zoom and all that "forced to use" closed stuff

on the more important aspect, all that 2FA and passkey security theatre is totally useless as long as people just log in without questioning the legitimacy of the request. and, as others noted, this is the fault of MS, Apple and big G alone.

@th related, it is equally ridiculous how enterprises using corp.totallysecuremassmailer.com and corp.contractsigningsimulation.com want to "train" their staff to evade phishing.

WTF USE YOUR COMPANY DOMAIN AND THAT ONLY

This is doubly annoying because I believe Microsoft had previously committed to using the .microsoft TLD moving forward specifically to address phishing concerns.

@th so many companies are doing that kind of shit.

PayPal is using so many different domains ... maybe it's a very smart attempt to squat all the domains that the scammers could use

@th I'll once again demand that every company gets one domain only, at least per country...
@th companies have been doing this crap for decades, and they wonder why users keep clicking on stupid stuff.
@th exactly the same fun I recently ran into because my mail provider decided to outsource to O365 https://mastodon.social/@CyReVolt/115265929605097086