Most threats are from emails that ask for credentials based on a compelling event.  For example “Your email account needs to be revalidated today to maintain access”.  The sender will mimic Microsoft with their logo and what may look like a legitimate email.

How do you tell if the email is legitimate?

1.  Microsoft does not normally send out emails that have a compelling event that expires almost immediately.
2. Take a good look at the sending address.  It may say Microsoft in the display name, but the sender address may be Google or an offshoot of Microsoft with a the spelling off by a letter or two etc.
3. If possible, ask the sender or your technical administrator they sent the email or if it is from a legitimate sender.

Here is an example of an email sent to one of our customers within the last month.  It is a spoofed Microsoft message that has a Gmail origin

It is also possible that your end user has been compromised and sending an email asking if they just sent this is being answered by a hacker.   When in doubt, WAIT Do Not Click until your IT Administrator or you have had a real time conversation with the sender when possible.