Follow these steps in order, since the account is already compromised and 2FA setup is failing:
- Scan all devices for malware before doing anything else
  Use an up-to-date antivirus and run a full scan on every device used to access this account (PC, phone, tablet). If using Windows 8.1 or Windows 10/11, turn on and run Windows Defender as described in the guidance for recovering a hacked account. Do this before changing passwords again.
- Change the Microsoft account password again (from a clean device)
  After scans complete, go to the Microsoft account page and change the password from a device that is clean. Use a strong, unique password as recommended in the hacked-account recovery steps. If sign-in fails, use the reset your password flow instead.
- Check for signs the attacker is still in the account
  Once signed in:
  - Review connected accounts, forwarding, and automatic replies to remove anything unfamiliar (attackers often add forwarding or rules to keep control).
  - If Outlook Web is accessible, check Settings → Mail → Rules and Forwarding for any suspicious rules and delete them.
- Try to set up MFA using available methods
  Since SMS OTP is failing with “method not available,” use whatever method the account security page offers:
  - If prompted with Help us protect your account, select Next.
  - Install the Microsoft Authenticator app from the official store or from the Authenticator app page.
  - Follow the steps: choose phone/text first if it works, then scan the QR code with Authenticator and approve the notification as described in the Microsoft 365 MFA setup article.
- If 2FA prompts or passwords keep failing, use the official recovery and support paths
  If the system keeps saying the password is wrong or blocks 2FA setup even though already signed in, treat it as a still-compromised or unstable state:
  - Use the Sign-in Helper or account recovery flows referenced in the hacked-account article to verify identity and regain stable access.
  - If the account appears hacked or locked, follow the full guidance in How to recover a hacked or compromised Microsoft account, including checking/resetting security info.
- After regaining stable access and MFA
  - Confirm all security info (phone, alternate email, Authenticator) belongs to the account owner only. Remove anything unfamiliar.
  - Keep MFA enabled and monitor sign-in activity for unusual prompts. Deny any sign-in prompts that were not initiated.

If at any point sign-in or 2FA setup cannot be completed, continue with the hacked-account recovery steps and use the support/contact options they provide, as manual support cannot bypass the automated security checks but can help when the automated flows error.
References:
- How to recover a hacked or compromised Microsoft account
- Set up multi-factor authentication for Microsoft 365
- Using Outlook mobile to sign in
- Can't sign in to the Outlook mobile app
- Unblock my Outlook.com account
- My account got hacked.
- My personal hotmail account hacked by hacker with authentication app enabled. - Microsoft Q&A
- Hacker set up continuous draft ransomware email - Microsoft Q&A
- Lock or block login attempts - Microsoft Q&A