When Microsoft release information about a security software update or a security incident, Microsoft sends email messages only to subscribers of their security communications program.
Unfortunately, cybercriminals have exploited this program by sending fake security communications that appear to be from Microsoft. Some messages lure recipients to websites to download spyware or other malicious software. Others include a file attachment that contains a virus. Delete the message. Do not open the attachment.
Legitimate security communications from Microsoft
- Legitimate communications do not include software updates as attachments. Microsoft never attach software updates to their security communications. Rather, Microsoft refers customers to their website for complete information about the software update or security incident.
- Legitimate communications are also on the Microsoft websites. If Microsoft provide any information about a security update, you can also find that information on their websites.
Source: https://www.microsoft.com/en-us/safety/online-privacy/avoid-phone-scams
(you need to switch your country setting to US/English for following this link)