Someone Is Spamming Your Microsoft Account 2FA Codes
Why This Is Happening
I know exactly how alarming this feels. You're going about your day and your phone buzzes, again. Another SMS: "XXXXXX is your Microsoft account verification code." Then another. And another. Five a day, sometimes more. Some come over WhatsApp. Your stomach drops because you didn't request any of these.
Here's the honest truth: someone out there has your Microsoft account email address and they either know or have guessed your password. They are actively trying to log in. Every time you get one of those texts, it means their login attempt reached the 2FA step, which means your password alone isn't stopping them.
This is called a credential stuffing attack or a targeted brute-force attack. Credential stuffing happens when attackers buy or download massive lists of leaked email/password combinations from old data breaches (LinkedIn in 2012, Adobe, Dropbox, Yahoo, dozens of others) and simply automate trying every combination against Microsoft's login servers. If your password was ever reused on any breached site, your credentials are likely on one of those lists right now.
A targeted attack is less common but more unsettling: someone who actually knows you is specifically trying to get into your account. Either way, the 2FA codes arriving on your phone are actually evidence that the security system is working: those codes are being sent because someone got past the password step. That's bad. But they haven't gotten in yet. Not yet.
The reason Microsoft's own error messages and login page don't tell you any of this is that the login flow shows the same generic "check your phone" message to whoever enters the correct password, whether that's you or a criminal. There's no obvious alarm bell on your end. That's a real UX failure on Microsoft's part, and it leaves millions of users confused and scared every year.
What you're experiencing also has a name in the security community: MFA fatigue or MFA bombing. Attackers flood you with 2FA requests hoping you'll eventually tap "approve" out of frustration or confusion, especially if you're using push notifications instead of SMS codes. The SMS version of this attack is slightly different: they can't force you to approve anything, but they're hoping you'll eventually give up and set a weaker password, or that they'll catch you off guard.
The good news: you can lock this down completely. The steps below will close off their access, force them off any active sessions they may have sneaked into, and switch you to a far stronger form of 2FA that SMS-based attacks can't touch.
The Quick Fix: Try This First
Before anything else: change your Microsoft account password right now. I mean close this tab and go do it, then come back. This is the single most important step and it stops the bleeding immediately. Here's how to do it fast:
- Go to account.microsoft.com and sign in with your current credentials.
- Click your name/profile icon in the top-right corner, then select My Microsoft account.
- Navigate to Security in the top menu, then click Change my password.
- Enter your current password, then your new one. Make it at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. Use a passphrase: something like Purple!Lighthouse42&Rain is far better than P@ssw0rd1.
- Check the box that says Make me change my password every 72 days only if your organization requires it; otherwise leave it unchecked. Microsoft's own research shows forced rotation makes passwords worse, not better.
Once you've changed the password, the attacker's current credential no longer works. Every login attempt they make from that point hits a wall at the password step and never reaches the 2FA stage, so the SMS spam should stop within hours, usually faster.
If the texts don't stop within 24 hours after a password change, it means either: (a) they've already obtained your new password somehow, which would mean your device is compromised, or (b) they have a different way into your account, like a linked app or an old recovery email they control. We'll address both of those in the steps below.
Changing your password stops future logins, but what about right now? An attacker who is already logged in stays logged in until you explicitly revoke their session. This step kicks every active session, including theirs, off your account.
Sign into account.microsoft.com, go to Security in the top navigation bar, then click Advanced security options. Scroll down until you see the section titled See activity or click Review activity. This opens your recent sign-in history.
Look carefully at every entry. You're looking for sign-ins from countries you've never been to, cities that don't match your location, unfamiliar device names, or logins at odd hours when you were asleep. Common attacker locations I've seen repeatedly in these cases: Russia, Ukraine, Nigeria, Brazil, Vietnam, and China, though sophisticated attackers route through VPNs and proxies to look like they're logging in from somewhere local to you.
Now go back to Advanced security options and find the button that says Sign out everywhere. Click it. This revokes every active authentication token across every device and browser, including yours. You'll need to sign back in on all your own devices, which is a minor inconvenience worth the security trade-off.
After signing out everywhere, sign back in using your new password. If you see the sign-in activity page update with your fresh login while older suspicious sessions have disappeared, it worked. You're the only one in.
Here's something most guides don't tell you: attackers who have been in your account before sometimes add their own phone number or recovery email to your security info. That way, even after you change your password, they can use "I forgot my password" to reset it using their phone number, locking you out of your own account while they walk right back in.
Go to account.microsoft.com → Security → Advanced security options. Under the section called Ways to prove who you are, you'll see a list of all security verification methods tied to your account. This typically includes phone numbers, email addresses, and authenticator apps.
Go through every single entry. Ask yourself: do I recognize this phone number? Do I own this email address? If anything looks unfamiliar, a phone number you don't own, an email address you don't recognize, click the Remove link next to it immediately.
While you're here, also check Trusted devices. If you see a device listed that you don't own, a PC name you don't recognize, a phone model that isn't yours, remove it. Trusted devices can bypass 2FA prompts entirely when the "don't ask again on this device" box was checked during a previous login.
After cleaning this up, make sure at least two legitimate recovery methods remain on the account: your real phone number plus your own backup email address. Microsoft requires at least one valid recovery method, and having two means you're never locked out if one becomes unavailable.
This is arguably the most important step in this entire guide. SMS-based 2FA is genuinely weak. Phone numbers can be hijacked through a technique called a SIM swap attack, where an attacker calls your mobile carrier, impersonates you, and convinces the carrier to transfer your number to a SIM card they control. At that point, all your 2FA codes go to them, not you.
The Microsoft Authenticator app generates time-based one-time passwords (TOTP) directly on your device using a cryptographic seed: there's no SMS involved and no phone number to hijack. An attacker who has your password still cannot get in without physical access to your unlocked phone.
Here's how to set it up:
- Download Microsoft Authenticator from the App Store (iOS) or Google Play (Android). Make sure it's the official Microsoft app, the icon is a padlock with the Microsoft logo.
- Sign into account.microsoft.com → Security → Advanced security options.
- Under Ways to prove who you are, click Add a new way to sign in or verify.
- Select Use an app. Follow the on-screen instructions to scan the QR code with the Authenticator app.
- Once the app is paired and showing a 6-digit rotating code, go back to your security settings and, only after the app is confirmed working, remove the SMS phone number as a 2FA method if you want maximum security. Keep it as a backup recovery method only.
After this, every login to your Microsoft account will require a time-sensitive code from the app on your physical phone. The spam texts will stop entirely once the attacker's stolen credentials stop triggering SMS delivery.
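To make the TOTP explanation above concrete, here is the RFC 6238 algorithm an authenticator app runs locally from its seed (an added example, not Microsoft Authenticator's code; the seed is the published RFC 6238 test secret, not a real account seed):

```python
"""RFC 6238 TOTP, the mechanism behind authenticator-app codes.
Added example, not Microsoft Authenticator's own code; the seed below is
the RFC 6238 test-vector secret, not a real account seed."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # authenticator apps rotate the code every 30 seconds
RFC6238_TEST_SEED = b"12345678901234567890"  # published test secret


def seed_from_qr_secret(b32_secret: str) -> bytes:
    """The QR code you scan carries the seed as base32; pad and decode it."""
    padded = b32_secret.strip().upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    Nothing here touches the network, which is why no SMS is involved."""
    return hotp(seed, at_time // STEP_SECONDS, digits)


def verify_totp(seed: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept a code for the current step or one step either side (clock drift).
    Constant-time compare so a wrong guess leaks nothing through timing."""
    for drift in range(-window, window + 1):
        expected = totp(seed, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_TEST_SEED, now)
    print("current code:", code)
    print("verifies:", verify_totp(RFC6238_TEST_SEED, code, now))
```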
Right now you're finding out about intrusion attempts only because you get those annoying 2FA texts. There's a better, more proactive way to monitor your account: Microsoft's built-in security alerts will email or text you any time something unusual happens, a login from a new location, a password change attempt, a new device being added.
Go to account.microsoft.com → Security → Advanced security options. Scroll down to the section called Alert preferences. Make sure the toggle for Get email and text alerts when your account is accessed from an unfamiliar location or device is turned on.
Also, make sure your primary security email (the one that receives these alerts) is an address you actively monitor and that isn't the same address as your Microsoft account. Using your Microsoft account email to receive Microsoft account security alerts is circular: if someone locks you out of the account, they also block the alert system.
While you're in this section, look for Two-step verification and verify the toggle is set to On. It should already be on given that you're receiving 2FA codes, but double-check it explicitly. Some account configurations have this sitting in a half-enabled state that doesn't fully enforce verification on all sign-in paths.
Once alerts are active, you'll get notified within minutes of any suspicious sign-in attempt, even ones that don't trigger a 2FA code. Think of it as a motion-sensor alarm for your account. You should see a confirmation email arrive at your alert address within a few minutes of enabling this setting.
Your Microsoft account is probably connected to a lot of things: Outlook, OneDrive, Xbox, Microsoft 365, Teams, LinkedIn (Microsoft owns it), and potentially dozens of third-party apps that you've granted "sign in with Microsoft" access to. Each of those connected apps is a potential vector the attacker might try next, and some older apps use legacy authentication protocols that bypass modern 2FA entirely.
Go to account.microsoft.com → Privacy → Apps and services (or navigate directly to account.microsoft.com/privacy/app-access). You'll see a list of every app that has permission to access your Microsoft account data.
Look for anything you don't recognize. Revoke access for any app you no longer use or don't remember authorizing. Pay particular attention to apps listed with legacy authentication: these use older sign-in methods (like basic auth over Exchange ActiveSync) that completely ignore 2FA. If you see your email client listed with legacy access, update the app and reconfigure it to use modern authentication instead.
To check which Exchange ActiveSync devices are connected (if you use Outlook/Exchange): in Outlook Web App, go to Settings → Mail → Sync email → Manage mobile devices, and remove any device you don't recognize.
After revoking unknown apps and updating legacy clients, use a password manager (1Password, Bitwarden, or even Microsoft Edge's built-in password manager) to check whether your Microsoft account password has been reused anywhere else. If it has, change it on those sites too. A chain is only as strong as its weakest link, and one breached unrelated site can hand attackers your Microsoft credentials within hours of the breach going public.
Advanced Troubleshooting
If you've done all five steps above and the 2FA texts keep coming, or if you're managing this situation for a corporate Microsoft 365 account, there are deeper diagnostic and protective measures available to you.
Check Azure AD / Entra ID Sign-In Logs (Microsoft 365 Accounts)
If your account is tied to a Microsoft 365 Business or Enterprise tenant, your IT administrator has access to detailed sign-in logs through the Microsoft Entra admin center (formerly Azure Active Directory). These logs show not just successful logins but every failed attempt, the exact IP address, the ASN (internet service provider), the device fingerprint, and the specific error code generated.
Navigate to entra.microsoft.com → Monitoring & health → Sign-in logs. Filter by your user account and look for entries with status Failure and the error code 50126 (invalid username or password, meaning they failed at the password stage) or 50074 (strong authentication required, meaning they got past the password). A flood of 50074 errors is direct evidence of the credential stuffing attack described earlier.
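The 50126/50074 triage above, as a script run over an exported sign-in log (an added example, not Microsoft's tooling; it assumes records use the Microsoft Graph signIn field names, and the sample records are constructed):

```python
"""Triage an exported Microsoft Entra sign-in log for the error-code pattern
described above. Added example, not Microsoft's tooling; records are assumed
to use the Microsoft Graph signIn field names, and the sample is constructed."""
from collections import defaultdict

INVALID_PASSWORD = 50126  # stopped at the password step
MFA_REQUIRED = 50074      # password accepted, interrupted at the 2FA step


def rec(upn, ip, country, code):
    """Build one constructed sign-in record (errorCode 0 means success)."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code}}


# Constructed sample: alice's password is already known (a flood of 50074
# from several countries); bob is only being guessed at (50126 only).
SAMPLE_SIGNINS = [
    rec("alice@example.com", "203.0.113.10", "BR", MFA_REQUIRED),
    rec("alice@example.com", "198.51.100.7", "VN", MFA_REQUIRED),
    rec("alice@example.com", "203.0.113.10", "BR", MFA_REQUIRED),
    rec("alice@example.com", "192.0.2.44", "NG", MFA_REQUIRED),
    rec("alice@example.com", "192.0.2.200", "US", 0),
    rec("bob@example.com", "198.51.100.9", "RU", INVALID_PASSWORD),
    rec("bob@example.com", "198.51.100.9", "RU", INVALID_PASSWORD),
    rec("bob@example.com", "198.51.100.9", "RU", INVALID_PASSWORD),
]


def summarize(records):
    """Per user: how many attempts died at the password step, how many reached
    2FA, how many succeeded, and the distinct source IPs and countries."""
    users = defaultdict(lambda: {"password_fail": 0, "mfa_interrupted": 0,
                                 "success": 0, "ips": set(), "countries": set()})
    for r in records:
        u = users[r["userPrincipalName"]]
        code = r.get("status", {}).get("errorCode", 0)
        if code == INVALID_PASSWORD:
            u["password_fail"] += 1
        elif code == MFA_REQUIRED:
            u["mfa_interrupted"] += 1
        elif code == 0:
            u["success"] += 1
        u["ips"].add(r.get("ipAddress", "unknown"))
        u["countries"].add(r.get("location", {}).get("countryOrRegion", "unknown"))
    return dict(users)


def triage(stats, flood_threshold=3):
    """Turn one user's counts into the verdict a defender acts on."""
    if stats["mfa_interrupted"] >= flood_threshold:
        return "password-compromised"  # attacker keeps reaching 2FA: reset now
    if stats["password_fail"] >= flood_threshold:
        return "being-guessed"         # password is still holding
    return "no-pattern"


if __name__ == "__main__":
    for upn, stats in summarize(SAMPLE_SIGNINS).items():
        print(upn, triage(stats), sorted(stats["countries"]))
```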
Conditional Access Policies
If you're on Microsoft 365 Business Premium or E3/E5, your admin can create a Conditional Access policy that blocks sign-ins from specific countries entirely, requires compliant devices, or enforces sign-in frequency limits. Go to entra.microsoft.com → Protection → Conditional Access → Policies → New policy. A policy blocking all sign-ins from countries your organization never operates in will stop the vast majority of automated attacks at zero cost to your users.
Microsoft Defender for Identity Alerts
On enterprise tenants, Microsoft Defender for Identity (MDI) can detect and alert on password spray patterns, where one attacker tries many accounts with the same common password, or brute force patterns against a single account. Check the Microsoft 365 Defender portal at security.microsoft.com for any active incidents or alerts tagged with identity-based attack categories like Suspected brute force attack (Kerberos, NTLM).
Registry & Group Policy for Personal Windows Machines
If your Microsoft account is linked to a Windows 11 or Windows 10 PC login, there's a Group Policy setting that controls how often Windows caches credentials locally, and whether a locked Microsoft account still allows local sign-in. Run gpedit.msc (Local Group Policy Editor) and navigate to:
Computer Configuration → Windows Settings → Security Settings
→ Account Policies → Account Lockout Policy
Set:
Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset account lockout counter after: 15 minutes
This doesn't affect Microsoft's cloud-side lockout policies (which are already set by Microsoft) but it does protect the local Windows login component of a Microsoft account from brute-force attempts directly on the machine.
Prevention & Best Practices
Once you've survived this incident, the goal is to make sure it never reaches this level of alarm again. The good news: a few structural changes to how you manage your Microsoft account put you so far ahead of 99% of attack targets that automated attackers simply move on to easier victims.
The single most impactful change you can make, beyond what's already covered above, is enabling Microsoft's Passwordless sign-in. Instead of using a password at all (which can be stolen, phished, or brute-forced), you authenticate using the Authenticator app's biometric or PIN prompt. There is no password in the equation, so there is nothing to steal. Go to account.microsoft.com → Security → Advanced security options, look for Passwordless account, and toggle it on once you have the Authenticator app set up.
Second, get serious about email hygiene. A significant percentage of Microsoft account takeover attempts start not with password guessing but with phishing, a fake "Microsoft security alert" email that harvests your credentials. Train yourself to always check the actual sender domain (real Microsoft emails come from @microsoft.com or @accountprotection.microsoft.com, nothing else), and never click login links in emails. Always navigate to account.microsoft.com directly in your browser.
Third, use a dedicated email address for your Microsoft account that you never publicly share or use to sign up for other services. This way, even if a random e-commerce site leaks its user database, your Microsoft account email address isn't in it.
- Enable passwordless sign-in on your Microsoft account, which eliminates the entire password attack surface
- Set a unique, randomly generated password (20+ characters from a password manager) so no other site breach exposes your Microsoft credentials
- Review connected apps and revoke legacy authentication clients every 90 days (put it on your calendar)
- Keep your Microsoft Authenticator app backed up using the app's built-in cloud backup feature so a lost or broken phone doesn't lock you out
Frequently Asked Questions
Does receiving these 2FA texts mean someone is already inside my account?
Not necessarily, but it means they've already gotten past your password. Getting a 2FA code SMS means an attacker successfully entered your correct email address and password on Microsoft's login page, and Microsoft sent the code as the second authentication step. If they haven't received or guessed that code, they're not in. However, you should treat this as a serious warning and change your password immediately. The fact that your password is already in someone else's hands is the real problem here; the 2FA is just the last line of defense that's currently holding.
Why am I getting these codes on WhatsApp and not just SMS?
Microsoft and many other services have started routing OTP (one-time password) codes through WhatsApp Business as a fallback or primary delivery channel, particularly for phone numbers in regions where SMS delivery is unreliable or expensive. If your phone number is linked to a WhatsApp account, Microsoft's messaging partner may route the code over WhatsApp instead of SMS. The security implications are identical, both channels deliver the same 6-digit code. The key action remains the same: change your password so the attacker never triggers the 2FA step again in the first place.
Can I block Microsoft from sending me these 2FA texts?
You can't block the texts outright without removing your phone number from your security info entirely, and that would leave you with fewer recovery options. The better approach is to eliminate the root cause: once you change your password to something the attacker doesn't know, they can't trigger the 2FA step anymore, and the texts stop naturally. If you switch to the Microsoft Authenticator app as your primary 2FA method and remove SMS as an active verification option (keeping it only as a backup recovery method), the attacker's attempts will fail at the password stage without generating any codes at all.
Should I reply "STOP" to these SMS messages or ignore them?
Ignore them completely; do not reply to them in any way. These SMS messages come from Microsoft's automated system (short codes like 737-6 or similar), not from the attacker. Replying "STOP" would unsubscribe you from Microsoft's legitimate security SMS notifications, which you actually want to keep receiving. The attacker never sees your reply either way. Just delete the messages, change your password and 2FA method using the steps in this guide, and the texts will stop on their own.
What if someone I know is doing this, can Microsoft find out who it is?
Microsoft does log the IP addresses of all sign-in attempts, but they won't share that information directly with you as a regular account holder; it goes to law enforcement only through a formal legal process. What you can do: document everything. Screenshot the SMS/WhatsApp messages with timestamps. Use account.microsoft.com to check your sign-in activity and note the geographic locations of failed attempts. If you believe this is a targeted harassment campaign by someone you know, file a report with your local police cybercrime unit first, then contact Microsoft's Trust & Safety team through their official abuse reporting channel with your case reference number.
I changed my password and the texts still haven't stopped after 48 hours, what's wrong?
A few possibilities. First, check whether the attacker added their own recovery phone number to your account; if they did, they may be triggering 2FA on a password-reset flow rather than a normal login flow, which uses a different path. Go to your security info and remove any unrecognized phone numbers immediately. Second, if you're still using the same password elsewhere and that other site is also being probed, attackers sometimes update their credential lists quickly. Third, and most concerning, if you changed your password on a device that has malware, a keylogger may have captured your new password already. Run Microsoft Defender Offline Scan (Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan) to rule out local compromise.