Getting email with single use code that I did not request

People often fail to realize that companies, like mine, sometimes use IDs for signing-in that differ from their public email address (both are email addresses). Making them different makes it a harder on hackers. Most companies make user IDs the public email address, but this just hands hackers 1 piece of a puzzle with which to try to gain access.

When hackers enter in a non-existent user ID into Microsoft email sign-in field, Microsoft sees it's an email addy, but it's not proper as a user sign-in ID. The hacker is asked to "sign in another way" with a PIN, face, fingerprint, password, or "send a code to {email address}." So, they click "send an email" and MS sends that "Your single-use code" to the email address the hacker entered as a user sign-in. So, in my users' cases, because the public email address the hacker tried as a user sign-in ID does exist, then my users sometimes get these single-use code emails.

Anyways, these "single-use code" emails are typically harmless. If the hacker doesn't have access to your inbox, he/she cannot get the code that's needed to complete a sign-in.

In any case, you should turn on multi-factor authentication if you have not aleady!!!

You can always check your security by clicking your avatar > MY MICROSOFT ACCOUNT > in left pane click SECURITY > VIEW MY SIGN-IN ACTIVITY. Don't freak out if you see a lot of failed attempts to sign in as you; there are a lot of bots out there on servers throughout the work that just hack away on known email addresses all day long by using with random passwords and/or by modifying old leaked password databases' passwords (so yeah, don't change your password from HappyDay1 to HappyDay2 or JoyfulDay3 because it's common strategy to just modify logically, especially incremental numbering, particularly years! And don't use family member names because that is super common usage and hackers comb your social media to see who's your family members). If your sign-in activity page is blank, like mine today, then congratulations! You might want to play the lottery today :-) Either that, or no one cares about you... hmm.. which is probably my case, LOL! Just kidding.

Have a great day!
john

Hi,

If you are getting a single use code that you did not request, it could mean that someone accidentally entered your email address, or someone may be trying to access your Microsoft account.

If you did not request the code yourself, do not share or use the code. The good thing is that receiving the code alone does not mean your account has been accessed.

To help secure your account, I suggest the following:

• Change your Microsoft account password immediately and make sure it is strong and unique.

• Review your recent sign in activity here to check for unfamiliar login attempts: https://account.microsoft.com/security

• If you notice unfamiliar sign in attempts from unknown locations or devices, choose the option that says “This wasn’t me” on the activity page to report the activity to Microsoft.

As an additional security measure, please see “How to help keep your Microsoft account secure.”: https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9

Receiving a single-use Microsoft verification code that was not requested usually means one of the following:

1. Someone is trying to access the account and entered the email or phone number.
2. Someone accidentally typed the wrong email or phone when trying to sign in.
3. A code that was legitimately requested earlier was delayed and arrived late.

Do not use or reply to any verification code that was not requested. Without the code, an attacker cannot complete sign-in, so the account remains protected.

To improve security and reduce unwanted codes, enable a passwordless sign-in method (for example, Windows Hello, Microsoft Authenticator, SMS/Email codes, or a physical security key). Passwordless methods are more secure than passwords because they rely on something owned or physically present rather than a guessable or phishable password.

If the email containing the code is from @accountprotection.microsoft.com, it is a legitimate Microsoft notification. However, still ignore the code if it was not requested.

If unrequested codes continue frequently, review and harden account security (for example, updating security info and using passwordless sign-in) to ensure the account stays protected.

References:

• Troubleshoot Microsoft verification code issues
• Can I trust email from the Microsoft account team?
• Common problems with two-step verification for a work or school account