News of Microsoft’s latest security slip-up, a bug that makes an unusually convincing kind of phishing possible, means it’s a good time to remind your employees to be extra cautious about emails they weren’t expecting: one careless click can let attackers in.

Microsoft’s security procedures are under the microscope again for another potentially serious lapse. A security researcher has announced a gap in the tech giant’s safeguards that lets bad actors exploit a bug and impersonate official Microsoft corporate email accounts with little effort. The bug is particularly worrisome because a very official-looking email, apparently from a plausible Microsoft company account, could tempt unsuspecting users to click a link or open an attachment, giving the attacker a foothold for further attacks.

This sort of attack is called phishing. The technique is thought to be how malicious code was inserted into health provider Ascension’s systems, eventually disrupting services from treatment to billing at around 140 hospitals nationally.

To prove that the newly found Microsoft bug is real and easy to exploit, Vsevolod Kokorin, the security researcher who discovered it, used the technique to send tech news site TechCrunch an email that looked exactly like one from an official Microsoft account. Kokorin told the site he had alerted Microsoft to the bug, but the company initially dismissed his report because its engineers couldn’t reproduce it. The bug only works when communicating through Outlook email accounts, but as TechCrunch points out, that still puts some 400 million Outlook users worldwide in scope. It isn’t known whether other hackers have found the bug and exploited it for malicious purposes; Kokorin says he is withholding details of how it works to keep people safe.

The potential hacking loophole is merely the latest security issue to hit Microsoft. The company’s weak digital safety systems were publicly shamed recently when the federal Cyber Safety Review Board called out its response to a Chinese hack last year in which some 60,000 State Department emails were stolen. The board, appointed by the Biden administration, said Microsoft was responsible for a “cascade of errors” that let in Chinese state-supported cyberattackers. In January the company also admitted that state-backed Russian hackers had gained access to the emails of a number of its senior leaders, although it insisted that “the attack was not the result of a vulnerability in Microsoft products or services.”

Meanwhile the tech giant’s flagship AI-powered Recall feature for its upcoming “AI PC,” a key component of Microsoft’s push to revolutionize computing habits, was dubbed a potential security nightmare almost as soon as it was announced. Researchers then found it really was very easy to exploit, forcing Microsoft first to tweak it and then, embarrassingly, to pull it from the wider rollout.

Phishing has long been one of the more effective ways for hackers to get inside a targeted computer system and wreak havoc. That’s why you should remind your staff never to act on an email they can’t verify, and never to open suspicious links or attachments. A convincing sender address on its own is not verification; confirm through a separate channel before acting.
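For the “can’t verify” advice above, here is what verification looks like on the receiving side, as an added illustration that is not code from the article, from Microsoft, or from the researcher. It says nothing about how the withheld Outlook bug itself works; it only shows the standard check a mail administrator or analyst would run on a suspicious message: does the visible From: domain line up with the SPF, DKIM and DMARC results that your own inbound server recorded, and with the Return-Path? The two sample messages, the trusted server name mx.example.org, and the two-label organisational-domain shortcut are all constructed for this example.

```python
"""Flag messages whose visible From: domain is not backed by passing, aligned
email authentication.  Added example; not the article's, Microsoft's or the
researcher's code.  Sample messages and the authserv-id are constructed."""
import email
import re
from email.utils import parseaddr

# authserv-id that YOUR inbound mail server writes into Authentication-Results.
# Any Authentication-Results header carrying a different id is ignored, because
# a sender can simply add a fake one claiming "dmarc=pass".  Assumed value.
TRUSTED_AUTHSERV = "mx.example.org"

# Constructed sample: properly authenticated message from the claimed domain.
LEGIT_MESSAGE = """\
Return-Path: <account-security-noreply@microsoft.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com
From: Microsoft account team <account-security-noreply@microsoft.com>
To: alice@example.org
Subject: Unusual sign-in activity

Hello.
"""

# Constructed sample: same visible From:, but sent from elsewhere, with a
# forged Authentication-Results header prepended by the attacker.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@attacker.example>
Authentication-Results: attacker.example; spf=pass dkim=pass dmarc=pass
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=attacker.example;
 dkim=pass header.d=attacker.example;
 dmarc=fail (p=reject) header.from=microsoft.com
From: Microsoft account team <account-security-noreply@microsoft.com>
To: alice@example.org
Subject: Unusual sign-in activity

Hello.
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def _org_domain(domain):
    # Crude organisational-domain shortcut: last two labels.  Real DMARC
    # alignment uses the public suffix list; this is enough for the samples.
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(msg):
    """spf/dkim/dmarc results and DKIM signing domain from the first
    Authentication-Results header written by TRUSTED_AUTHSERV, else None."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())          # unfold the header
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue                                  # not ours: untrusted
        result = {}
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", rest)
            result[method] = m.group(1).lower() if m else "none"
        d = re.search(r"header\.d=([\w.-]+)", rest)
        result["dkim_d"] = d.group(1).lower() if d else ""
        return result
    return None


def assess(raw_message):
    """Return a verdict dict: from_domain, suspicious flag, list of findings."""
    msg = email.message_from_string(raw_message)
    from_dom = _domain(msg["From"])
    ret_dom = _domain(msg["Return-Path"])
    auth = parse_auth_results(msg)
    findings = []
    if auth is None:
        findings.append("no Authentication-Results header from our own server")
    else:
        if auth["dmarc"] != "pass":
            findings.append(f"dmarc={auth['dmarc']} for From domain {from_dom}")
        if auth["dkim"] == "pass" and _org_domain(auth["dkim_d"]) != _org_domain(from_dom):
            findings.append(f"DKIM signature is from {auth['dkim_d']}, not {from_dom}")
    if ret_dom and _org_domain(ret_dom) != _org_domain(from_dom):
        findings.append(f"Return-Path domain {ret_dom} does not match From domain {from_dom}")
    return {"from_domain": from_dom, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, assess(sample))
```

The important design choice is that only the Authentication-Results header stamped by your own server counts; the forged one at the top of the spoofed sample is skipped purely because its authserv-id is wrong. Where the results are not visible in the client, a user cannot perform this check at all, which is why the advice remains to confirm unexpected requests out of band rather than to trust what the sender field shows.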