Fake Resume Emails Are Stealing Microsoft Logins

If you’re the person at your church, school, or small office who checks the email when a resume comes in, this one’s for you. Scammers are sending emails that look exactly like real Indeed job applications. Click the “View Resume” button and you land on a fake Microsoft sign-in page. Type your password, and the scammer is inside your email.
Who's at risk:
The office manager or secretary who checks the shared inbox at a small nonprofit, church, or clinic
Teachers or school staff who handle job postings
Anyone at a small business who hires a few times a year
Anyone signed into their work email on a computer that uses Microsoft 365 (Outlook, Word, Teams) or Google Workspace (Gmail, Drive)
You don’t need to be “in charge of hiring” to be at risk. If you’re the person who opens the email when a resume arrives, you’re the target.
Security researchers at Menlo Security first spotted the pattern. It plays out in four steps:
The email. It looks like a normal Indeed notification. “New applicant for [role]” or “[Name] has submitted a resume”. Here’s the clever part: it often comes from Indeed’s real email system, because the scammer actually did submit a fake application on Indeed with a rigged resume link. Your spam filter lets it through.
The click. You click “View Resume” to see the candidate. Instead of going to Indeed, the link quietly redirects you somewhere else.
The fake sign-in page. You end up on a page that looks exactly like the Microsoft sign-in page (or sometimes a fake Google sign-in, depending on which email you use). Pixel-perfect copy.
The theft. You type your password to check the resume. You probably never see a resume. What the scammer takes is a session cookie, a little piece of data your browser uses to stay logged in so you don’t have to type your password every time. Once they have it, they’re logged into your email as you. No password prompt. No 2-step code. They just walk in.
From there they can read every email you’ve ever received, search for banking messages, forward themselves your contacts, and use your account to send more scam emails to the people you work with. Most of the small-organization email breaches that make the news start exactly this way.
Warning signs:
A “sign in to Microsoft” (or Google) page popping up on a website that isn’t microsoft.com or google.com. Always glance at the address bar.
Resume emails for a job your organization never posted
An email link that’s technically from Indeed but pushes you toward signing in with Microsoft to “confirm your identity”
Urgency: “This candidate’s application expires in 24 hours”
Unusual sender addresses. Real Indeed notifications end in @indeed.com, not something like @indeed-hr.com or @indeed-applications.org.
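The two address checks in the list above (is the sender really @indeed.com, and is the sign-in page really on microsoft.com or google.com) can be written down as a small script, so that whoever helps with your office computers can paste a suspicious From: line and the address from the browser bar into it. This is an added example, not code from the article, from Indeed, or from Microsoft. The allowlists are assumptions for the demo: the article names indeed.com, microsoft.com and google.com, and microsoftonline.com is added because Microsoft 365 sign-in also lives there. The sample email at the bottom is constructed.

```python
"""Added example: sender-domain and link-domain checks for the warning signs above.
Illustrative code only; the allowlists below are assumptions for the demo."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlists (the article names indeed.com, microsoft.com, google.com;
# microsoftonline.com is added because Microsoft 365 sign-in also uses it).
TRUSTED_SENDER_DOMAINS = frozenset({"indeed.com"})
TRUSTED_LOGIN_DOMAINS = frozenset({"microsoft.com", "microsoftonline.com", "google.com"})
TRUSTED_LINK_DOMAINS = TRUSTED_SENDER_DOMAINS | TRUSTED_LOGIN_DOMAINS


def host_in_domains(host, domains):
    """True only if host IS one of the domains or a subdomain of one.
    Look-alikes such as 'indeed-hr.com' and 'indeed.com.evil.example' fail."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_is_trusted(from_header, domains=TRUSTED_SENDER_DOMAINS):
    """Judge the real address in a From: header, never the display name."""
    _display, addr = parseaddr(from_header)
    # rpartition so 'a@indeed.com@evil.example' is judged by evil.example
    _local, at, domain = addr.rpartition("@")
    return bool(at) and host_in_domains(domain, domains)


def link_is_trusted(url, domains=TRUSTED_LINK_DOMAINS):
    """A link (or the address in the browser bar after clicking) is acceptable only
    over https and only on an allowlisted host. urlparse().hostname drops any
    'user@' prefix, so 'https://microsoft.com@evil.example/' is judged by evil.example."""
    parts = urlparse(url)
    return parts.scheme == "https" and host_in_domains(parts.hostname, domains)


def warning_signs(from_header, links):
    """Return human-readable warnings for one email; an empty list means none found."""
    warnings = []
    if not sender_is_trusted(from_header):
        warnings.append(f"sender is not @indeed.com: {from_header}")
    for url in links:
        if not link_is_trusted(url):
            host = urlparse(url).hostname or "?"
            warnings.append(f"link points at {host}, which is not Indeed, Microsoft or Google: {url}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the display name says Indeed, the real address and link do not.
    sample_from = "Indeed Applications <noreply@indeed-applications.org>"
    sample_links = ["https://microsoft.com.view-resume.example/login"]
    for w in warning_signs(sample_from, sample_links):
        print("WARNING:", w)
```

Note what the script can and cannot see. When the scam rides on a genuine Indeed notification, the sender check passes, because the mail really did come from @indeed.com; the thing that gives it away is the address in the browser bar after you click “View Resume”, which is why the article says to glance there. Paste that landing address into link_is_trusted and a look-alike host comes back as not trusted.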
What to do:
Never sign into Microsoft or Google from an email link. If you want to check something, open a new tab and type the address yourself: outlook.com, office.com, gmail.com, or drive.google.com.
Check Indeed directly. Log in at indeed.com or open the app. If there’s really an applicant, you’ll see them in your dashboard.
Turn on 2-step verification on your work email. It won’t stop session-cookie theft on its own, but it blocks a lot of other attempts. If you have an iPhone or iPad, use the built-in Apple Passwords app or an authenticator app. Our free course Simple Strategies to Be Secure Online walks you through it step by step.
Learn the 4-step check. Sender, language, links, verify. Every scam we cover uses some mix of these tricks. Our How Not to Get Phished course is free, takes about 30 minutes, and you can share the link with the other folks who check your office email.
If you think you clicked. Don’t panic. Go to haveibeenpwned.com and type your work email to see if it’s showing up in breaches. Then go change your email password from a different device if you can. If you’re on Google Workspace, sign out of all devices from your Google account page. If you’re on Microsoft 365, do the same from your Microsoft account. Tell the person who runs your email (even if that person is you, say it out loud so you have a record). Report it to the Canadian Anti-Fraud Centre at 1-888-495-8501.
The scariest part of this one is that your password manager might help the scammer. If you told it to save your Microsoft password, it might fill it in on the fake page automatically. The best defence is also the simplest: type the web address yourself instead of clicking the link. Ten extra seconds, and every trick in this scam stops working.
Related reading: our breakdown of How to Spot Money Mule Recruiters covers the flip side, which is fake jobs aimed at people looking for work instead of at the people doing the hiring.
Want a plain-language walkthrough of the whole 4-step check? Our free course How Not to Get Phished covers it with real screenshots in under 30 minutes.