Share via

Single-use code sent to personal gmail account that was not requested

Phil DeCora 0 Reputation points
2026-05-11T18:31:32.2366667+00:00

Received a single-use code to a gmail personal account that I did not request. I could not reply back to the email of accountprotection.microsoft.com. I am concerned that I have been hacked.

Windows for home | Windows 11 | Desktop, Start, and personalization | Desktop
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-05-11T18:31:44.4066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    A single-use Microsoft verification code that was not requested does not by itself mean the account is hacked, but it does mean someone or something tried to sign in using that email address.

    Key points from Microsoft guidance:

    1. Why the unrequested code was sent An unrequested verification code or sign-in prompt can happen when:
      • Someone is trying to access the account.
      • Someone accidentally entered the wrong phone/email when trying to sign in.
      • Delivery of a code or prompt that was requested earlier was delayed.
      This applies both to email codes and to prompts such as “Are you trying to sign in?” on Outlook mobile or other Microsoft sign-in flows.
    2. What to do with a code that was not requested
      • Do not use or enter the code anywhere.
      • Do not respond to any verification request that was not initiated.
      • If a prompt appears (for example in an app), always choose Deny for any sign-in request not initiated. Microsoft states that if someone is trying to access the account, without the correct code or approval, the account remains safe.
    3. How to verify the email is legitimate
      • Legitimate Microsoft account security emails are sent from the domain @accountprotection.microsoft.com.
      • For unusual sign-in alerts, a valid sender address is ******@accountprotection.microsoft.com.
      • If the domain matches @accountprotection.microsoft.com, the message itself is from Microsoft, even if the sign-in attempt was not.
    4. Recommended next steps to protect the account
      • Sign in to the Microsoft account directly (by typing the address into the browser, not via the email link) and review recent sign-in activity using the official security pages referenced in the articles.
      • If any sign-in looks unfamiliar, follow the guidance in the “unusual sign-in” and “hacked or compromised account” articles (change password, review security info, etc.).
      • Ensure security info (recovery email, phone, and two-step verification) is up to date so alerts and codes continue to go to the correct contact methods.

    As long as the code is not entered and unrequested prompts are denied, the account is protected from that specific attempt.

    References:

    Was this answer helpful?

    2 people found this answer helpful.
  2. John Jefferson Doyon 69,480 Reputation points Independent Advisor
    2026-05-11T19:07:09.47+00:00

    Hi, I'm John! I will help you with this.

    If you did not request the code, do not use it and do not click any links in the email.

    The one you shared does look genuine, especially since it’s coming from @accountprotection.microsoft.com, which is an official Microsoft domain. However, the most important part is confirming whether you actually made this change or not.

    Reference: "Can I trust email from the Microsoft account team?" https://support.microsoft.com/account-billing/can-i-trust-email-from-the-microsoft-account-team-685fd302-f52f-1a9f-cc13-065dec46fe25

    To help narrow down the issue:

    Did you recently add a passkey or make any security changes to your Microsoft account?

    1. If yes, then you can safely ignore the email.
    2. If no, don’t click any links in the email just to be safe. Instead:

    To be safe, I recommend:

    • Don’t click on any links or download anything from that email.
    • Go directly to the Microsoft Account Activity page https://account.live.com/Activity and check your recent sign-in activity. If there’s nothing unusual there, then the message most likely isn’t from Microsoft.
    • If you didn’t request any changes and the email is not officially from Microsoft, it’s a good idea to ignore or report the email as phishing.

    I really hope this information is helpful.

    Let me know if you have any further questions or concerns.

    Click "Add comment" to let me know.

    Regards,

    John J.D.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.