Microsoft is warning its Office 365 customers about a widespread phishing campaign to steal usernames and passwords.

The Microsoft 365 Defender Threat Intelligence Team published its findings on its security blog, detailing how the attacks are carried out and what people can do to defend themselves.

The attack works by directing Office 365 users to a Google reCAPTCHA page through a series of links and redirects. Users are taken to a fake login page where their credentials are stolen, leaving them compromised.

According to the Intelligence Team, Google's reCAPTCHA verification method creates a false sense of legitimacy among users who think the entire process is in order.