It's as if Microsoft *wants* people to fall for phishing scams with weird domain names. How am I supposed to know if "microsoftonline dot com" is legit?

@th How is uncle Bob supposed to know that microsoft[.]com is legit?

@th not to mention that the latest incarnation of Outlook no longer writes "From:" or shows the address in the preview pane… #golfclap

@th Microsoft's understanding of security is atrocious. I get several popups on my work PC every day asking me to log in, but nothing is telling me which application the popup belongs to.

I can refuse to log in, and have a random selection of Teams, OneDrive, Outlook, etc. stop working; or I can log in and pray it was a real login prompt and not a phishing attempt.

@pianosaurus @th

It's a weird company on the inside. MSRC has some phenomenal people, who really understand every layer of security. And then product teams that completely ignore their recommendations and don't bother to ask their help because they don't even understand that security is a problem. And an internal operational group that doesn't talk to MSRC, and that MSRC has given up talking to because they just ignore recommendations and chase buzzwords.

@cynicalsecurity @th holy shit are you serious!?

@th even if it is legit, i can't understand the message. I guess that's a Firefox thing, but I think I have never see that popup.

@quite @th I think you see this if you increase your security settings. One domain accessing the cookies of another violates what cookies are supposed to be.

This is a very stupid design on MS' part.

@cynicalsecurity @th one needs to turn "smart addresses" on again, then one can turn it of again and they show. Of course (depending on admin server options)they still replace any url with a phishing check page so one cannot check the domain ahead of having to click on it, thus actually detecting phishing is impossible.

@jeroen @th "lovely"

@th It's terrible optics.

But if you're having persistent trouble with multiple MS accounts, login.microsoftonline.com is the place you want to go to nuke cookies so you can use a different account.

@tychotithonus

This is doubly annoying because I believe Microsoft had previously committed to using the .microsoft TLD moving forward specifically to address phishing concerns.

@th i'll once again state that every company gets one domain only, at least per country...

@th companies have been doing this crap for decades, and they wonder why users keep clicking on stupid stuff.