
This is also a problem for organizations internally.

I have a university email where IT tries to train people to recognize legitimate vs. phishing emails by whether the login is on some onmicrosoft.com domain no one remembers. It then mangles all links in emails, so users without clients that demangle them can't actually see whether a link goes to that domain. And, of course, legitimate logins often involve redirects. With wide use of SSO, users can also expect login screens to appear while in a variety of vaguely related places, from journals, to news sites, to various subscription services. This is in the context of a login system that always requires OTP, regardless of "remember this device" settings, practically ends up needing at least one login per week for staff, and reportedly, can require students to log in (with OTP!) multiple times per day, so the login process is so frequent it is trivialized, and being careful with each login would take an enormous amount of time in total.

To further confuse things, IT repeatedly sends out fake phishing emails with links to Microsoft-owned domains with valid Microsoft SSL certificates.

I expect IT would respond that these arrangements satisfy all requirements they have, and that the solution is more user training and online webinars.
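The "mangled links" problem above, as an added example that is not part of the original comment: a small unwrapper that peels rewriting-service wrappers off a link so the real destination host can be compared against the domains where a legitimate SSO login may appear. The wrapper format (a scanner host with the original link percent-encoded in a `url=` query parameter), the scanner host names and the login-domain allowlist are all constructed assumptions for this example, not any specific vendor's format.

```python
"""
Unwrap rewritten ("mangled") email links and check the real target host.

Added illustration, not code from the thread. The wrapper format, the
REWRITER_HOSTS and the LOGIN_ALLOWLIST below are assumptions constructed
for the example.
"""
from urllib.parse import urlsplit, parse_qs, quote

# Hosts of link-rewriting/scanning services (assumption for the example).
REWRITER_HOSTS = {"links.scanner.example", "safelinks.example.net"}

# Hosts on which a legitimate SSO login page may appear (assumption).
LOGIN_ALLOWLIST = {
    "login.microsoftonline.com",
    "example-university.onmicrosoft.com",
}


def unwrap(url: str, max_depth: int = 5) -> str:
    """Peel off rewriting-service wrappers until a non-wrapper URL remains.

    Each wrapper is assumed to carry the original link, percent-encoded,
    in its ``url`` query parameter; parse_qs already decodes it.
    """
    for _ in range(max_depth):
        parts = urlsplit(url)
        if parts.hostname not in REWRITER_HOSTS:
            return url
        inner = parse_qs(parts.query).get("url")
        if not inner:
            return url  # wrapper without a payload: nothing more to unwrap
        url = inner[0]
    return url


def classify(url: str) -> dict:
    """Report the real target of a link and whether its host is an allowed login host.

    A host is allowed only if it equals an allowlisted host or is a proper
    subdomain of one; a look-alike such as ``login.microsoftonline.com.evil.example``
    fails because the allowlisted name is not its suffix after a dot.
    """
    target = unwrap(url)
    host = (urlsplit(target).hostname or "").lower()
    allowed = any(host == a or host.endswith("." + a) for a in LOGIN_ALLOWLIST)
    return {"target": target, "host": host, "allowed_login_host": allowed}


# Constructed sample links (not from any real mail).
SAMPLE_LEGIT = (
    "https://links.scanner.example/?url="
    "https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fauthorize"
    "%3Fclient_id%3Dabc&data=x"
)
SAMPLE_LOOKALIKE = (
    "https://links.scanner.example/?url="
    "https%3A%2F%2Flogin.microsoftonline.com.evil.example%2F&data=x"
)
# A link wrapped twice (two services in the mail path); built with quote().
SAMPLE_NESTED = "https://safelinks.example.net/?url=" + quote(
    "https://links.scanner.example/?url=https%3A%2F%2Flogin.microsoftonline.com%2F&data=x",
    safe="",
)

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_LOOKALIKE, SAMPLE_NESTED):
        print(classify(sample))
```

The allowlist check is the point: once the wrapper is removed, the decision is a suffix match against a short list of known login hosts, which is exactly what a user cannot do by eye when every link in the mail shows the scanner's domain.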




> To further confuse things, IT repeatedly sends out fake phishing emails with links to Microsoft-owned domains with valid Microsoft SSL certificates.

The org I work for does something similar. All links are obfuscated by some scanning service, unless it’s a trap…


It seems like Microsoft has some sort of fake phishing system with all of these ridiculous properties, which many organizations then use.

The first time I received one, I initially thought our email server had been compromised, because rather than realizing it was a fake test, my mind went from "Why was this obvious phishing email not caught by the spam filter?" to "How does this email not have Received headers!?" to "How does an obviously fake login page have a valid Microsoft SSL certificate on a validly Microsoft-registered domain name and a Microsoft-ASN IP address!?" to "How much of the university's infrastructure would have to be compromised for an attacker to do that!?".
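The "how does this email not have Received headers" check above, as an added example that is not part of the original comment: a triage function that parses a raw message with Python's standard `email` module, counts its `Received` hops and flags a message that has none (injected directly into the mailbox rather than relayed) or fewer than the organization expects. Both sample messages are constructed, and the two-hop minimum is an assumption that depends on the receiving organization's mail topology.

```python
"""
Flag messages whose Received header chain is missing or shorter than expected.

Added illustration, not code from the thread. Both raw messages and the
MIN_HOPS threshold are constructed assumptions for the example.
"""
import re
from email import message_from_string

# Assumption: mail from outside should traverse at least the border MX
# and the mailbox server, so a normal external message shows >= 2 hops.
MIN_HOPS = 2

# Constructed sample: an externally delivered message with two hops
# (newest hop first, as mail servers prepend Received headers).
EXTERNAL_MSG = """\
Received: from mx.example-university.edu (mx.example-university.edu [192.0.2.10])
    by mail.example-university.edu with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
    by mx.example-university.edu with ESMTPS; Mon, 01 Jan 2024 09:59:58 +0000
From: Someone <someone@sender.example>
To: user@example-university.edu
Subject: Invoice attached

Body text.
"""

# Constructed sample: a message with no Received headers at all, which is
# what a message written straight into the mailbox looks like.
INJECTED_MSG = """\
From: IT Support <it-support@example-university.edu>
To: user@example-university.edu
Subject: Action required: verify your account

Body text.
"""


def received_hops(raw: str) -> list:
    """Return the Received headers, newest first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def origin_host(hops: list):
    """Host named in the oldest Received header, i.e. where the message first entered."""
    if not hops:
        return None
    m = re.match(r"from\s+(\S+)", hops[-1])
    return m.group(1) if m else None


def triage(raw: str) -> dict:
    """Summarize the relay chain and list findings a reviewer would want to see."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    if not hops:
        findings.append("no Received headers: message was injected, not relayed")
    elif len(hops) < MIN_HOPS:
        findings.append(f"only {len(hops)} Received hop(s); expected at least {MIN_HOPS}")
    return {
        "from": msg.get("From"),
        "hops": len(hops),
        "origin": origin_host(hops),
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (EXTERNAL_MSG, INJECTED_MSG):
        print(triage(raw))
```

Received headers are added by each relay and can be forged by an earlier hop, so the count is only trustworthy from the organization's own servers inward; the useful signal here is the absence of any chain, which a relayed message cannot produce.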



