By displaying this CAPTCHA verification users again believe that the link they have clicked on is real with Microsoft saying this trick adds a sense of legitimacy to the scam.
Next, a fake 365 log page appears with users asked to enter their details.
If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.
Once the user enters their password a second time, the page directs to a legitimate website that claims an email message has been released. This adds another layer of false legitimacy to the phishing campaign.