← All articles Security & vigilance

The simplest trap on the web: how your credentials get stolen.

June 11, 20267 min readF6 Ingénieurs

Cyberattacks are often imagined as highly technical operations. Attackers forcing firewalls, exploiting flaws, bypassing sophisticated protections. The reality is far simpler, and that's precisely what makes it dangerous.

In the vast majority of cases, nobody forces anything at all. You're politely asked to open the door yourself, and you do it without even realising. This technique has a name: phishing. It consists of getting you to enter your credentials, most often for your Microsoft 365 account, on a page that mimics the real one. Once those credentials are in an attacker's hands, your inbox, your documents, and your contacts belong to them. No virus needed, no rare skill required. It's fast, it's free, and it's frighteningly effective.

The typical scenario

It all starts with an email. It often looks perfectly normal: a familiar logo, a professional tone, no apparent mistakes. The pretext varies, but it always relies on the same triggers. A shared document to review, an invoice awaiting payment, a voicemail received, storage space almost full, a password about to expire. The email contains a link or button inviting you to act: "view the document", "verify your account", "reactivate access".

You click. A page opens that looks exactly like Microsoft's usual login screen. You enter your address and password, as usual. Sometimes the page displays a fake error, then redirects you to the real site, so nothing alerts you. But the damage is already done: your credentials have just been captured.

Why a familiar sender is even more dangerous

This is the point we really want to stress. We instinctively distrust a stranger. We lower our guard for a familiar name. Yet the trap email very often comes from the real account of someone you know, simply because that person was already a victim before you. The address is genuine, the signature is right, the message sometimes fits right into an ongoing conversation. Nothing seems fake, because technically the sender really is real. That's what makes this variant so effective: your own trust works against you.

The snowball effect

Once an attacker controls an inbox, they don't stop there. They read the contacts, browse past exchanges, work out who talks to whom, and then write to everyone in the victim's name, making good use of AI's fluency and style along the way. They often reply inside genuinely existing conversation threads, which makes their messages even more convincing. Each new recipient trusts it, because the message comes from a known address, in a familiar context. One compromised account contaminates ten, then a hundred. The progression is exponential, and the original sender is often the last to realise their name is being used to trap their own contacts.

In many cases, the attacker also sets up invisible mailbox rules, for instance to automatically archive or delete certain replies, in order to stay under the radar for as long as possible.

Why this method is everywhere

Because it doesn't target your machines, it targets your attention. Antivirus software or a firewall see nothing go by, since there's no malicious program at all: there's just a web page and a human being in a hurry. That's why no technical protection is ever enough on its own.

Two-factor authentication is always useful. But it has a limit that's often overlooked: it only really protects you as long as you stay wary. When you're convinced a real acquaintance is writing to you, you approve the second code all the more readily, without even thinking about it. Trust disarms the protection, and the trap works despite it. Some advanced attacks can even intercept that code in real time. All the more reason never to rely on a single line of defence, and to keep the right human instinct above all.

What to check before entering anything

Take a few seconds to check the sender's actual address, not just the display name, which can be faked in an instant. Hover over links before clicking, without clicking, to see where they really lead: it's the domain name that matters, not the button text. Ask yourself whether the context makes sense: were you really expecting an invoice, a document, or a shared file? A sense of urgency or pressure is, in itself, a warning sign. On a phone, where it's harder to inspect a link, be doubly cautious.

The simple rule to remember

Remember this

Whenever a link leads you to a page asking for a password, assume you need to be extremely wary. It's the single most protective habit you can build.

And even when everything seems perfectly legitimate, we strongly recommend confirming through another channel. A call, a text, a WhatsApp message to the sender is enough to remove any doubt. One important detail: don't reply to the email itself to check. If the account is compromised, your question goes straight to the attacker, who won't hesitate to reassure you. A genuine confirmation always comes through a different channel.

Remember this

Always confirm through another channel: call, text, or WhatsApp. Never reply to the suspicious email itself to check.

If in doubt, write to us

You don't have to decide on your own.

Write to us

That's precisely why we've set up a dedicated address for our clients. At the slightest doubt, forward us the suspicious message: we analyse it in a protected environment, away from your machine and your data, and tell you whether it's safe or not. In all cases, we are bound by professional confidentiality: whatever you share with us stays strictly confidential.

Better to check a harmless email for nothing than to make a single click too many.

If you've already entered your credentials

It happens, even to careful people, and it isn't a fault. What matters is reacting quickly. If you're one of our clients, contact us right away. The earlier the alert, the easier it is to regain control: change the password, check that no suspicious rule has been added, secure the account before the snowball effect kicks in. A few minutes can make all the difference.

In conclusion

The strength of these attacks doesn't lie in their sophistication, but in a very human reflex: trust. Slowing down for a few seconds before entering a password, and confirming through another channel at the slightest doubt, is enough to defeat most of them. Vigilance isn't a matter for specialists. It's a simple habit, and we're here to share it with you.