How to cancel an unauthorized ‘security info replacement’?

Question

How to cancel an unauthorized ‘security info replacement’?

Anonymous

I have received two messages from Microsoft saying security info is pending replacement (see figure1 and figure 2).

----------- (received 6/13/2024 3:05 AM)

Security info replacement

Your security info for [my email address]***** is pending replacement with [hacker’s email address] on 6/29/2024 1:04 AM (GMT).

If this was you, click the button below to bypass the waiting period by using your existing security info.

If this wasn't you, someone else might be trying to take over [my email address]*****. Click here and we'll help you protect this account.

Previously I received a similar email from Microsoft

---------- (received 5/30/2024 3:04am)

Security info replacement

Someone started a process to replace all of the security info for the Microsoft account [my email address]***** with the following info: [same hacker’s email address]

If this was you, click the button below to bypass the waiting period by using your existing security info.

If this wasn't you, someone else might be trying to take over [my email address]*****. Click here and we'll help you protect this account.

The hacker’s email address is the same in both emails. The Microsoft link [Click Here] does take me to my security page of my account. But there is no option to cancel a ‘security info replacement’ request, as implied by the two emails.

How can I cancel a ‘security info replacement’ that wasn’t initiated by me?

It’s apparent that the hacker is trying to challenge the ownership of my account by initiating some type of ‘security info replacement’ request to replace my email with his/her email address or replace other security info. And it’s apparent that Microsoft is reminding me of the hacker’s request and given me a deadline of 6/29/2024.

Neither Microsoft email presents me with an option to CANCEL the pending security replacement request initiated by the hacker.

Yes, I have changed my password each time to a complex password. Yes, I use two factor authentication with an authenticator app. I have verified my device is legitimate and the only device recognized with my account. I have used the feature “Sign out everywhere”. I have generated recover codes, have a valid phone number, and valid email on the account.

While changing password and two factor authentication are good, they are NOT a method to cancel a pending security info replacement request. How can I cancel a ‘security info replacement’ that wasn’t initiated by me?

When I go to account.microsoft.com/security/ there is no notice of a pending “process to replace all of the security info” (see Figure 3) nor is there a button to cancel any such request. When I click [Manage How I sign in] I don’t see any option for canceling the pending “process to replace all of the security info”.

When I click from the Security page [View my sign-in activity] then [View more account activity] I see several unsuccessful sign-in attempts from Ukraine, Russia, Panama, and Brazil (See figure 4). I have checked the successful sign-ins and they are all from me and legitimate. I can’t find any record of a request to change security information to the hacker’s email or a way to cancel the request.

How can I cancel a ‘security info replacement’ that wasn’t initiated by me?

Feature request of Microsoft:

Change the email notification to make it easy to cancel such false requests.

Change the security web page to make it easy to cancel such false requests.

PS. MS Edge and Mozilla on Windows 11 give me a "File(s) failed to upload" when I attempt to "insert image". I had to use Chrome browser to successful insert images into this pots.

***moved from Microsoft 365 and Office / Subscription, account, billing / For home / Windows ***

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

Answer accepted by question author

5 additional answers

Answer 1

Dear TwicedConcernedUser

Thank you for your reply! I may not have fully explained myself in my first reply and I need to apologise for that.

Regarding my first suggestion

If your Microsoft account is in the process of changing security information, when you log in normally, you will see the screen in the link I provided above, where Microsoft will remind you each time you log in that your account is changing security information, and where you can cancel the step to change security information at any time.

Regarding my second suggestion

I checked that the sender who sent you the change security message was indeed from Microsoft. This means that someone is indeed trying to change your account security information. I myself have tried to change the security information on my account, here is a screenshot of the email I received.

The reason I offered you the option to disable login access to your username is because I thought there was a real risk that your account security information could be changed, and this option would make it impossible for someone to log in to your account even if your account security information was changed by an intruder. I understand that you have already spoken to a more professional at Microsoft and confirmed the status of your account. I am very pleased with your security awareness and I commend you for it.

Carmid.L-MSFT | Microsoft Community Support Specialist

Answer 2

Follow-up note. I chatted with a Microsoft Ambassador through MS chat support. She said she checked my account using her "tools" and does not see a request for a change of security info related to my account. She says my account is safe and that the email must have been a scam. I will accept her conclusion. Although I don't see how the email could be a scam when the email is from the Microsoft account team <******@accountprotection.microsoft.com> and looking at the email header I only see microsoft.com references. AND, every link in the email body points to valid Microsoft domains, e.g. https://account.live.com/Proofs/Manage?... And there is no javascript in the email or attachment.

So how can a scammer benefit from the two emails?

The sentence in the email "If you don't recognize the Microsoft account *****, you can click here to remove your email address from that account." points to

https://account.live.com/dp?ft=..... Could that link be used maliciously?

This is strange and one very complicated scam if it is.

Thank you Carmid.L for taking the time to reply to my message. I may still replace my email address with another just in case and wait till after June 29 to see what happens. Cheers.

Bottom line: If you receive an email like the two I received, and you can still log into your Microsoft account, then contact Microsoft support through the support chat option (https://support.microsoft.com/en-us/contactus) and ask the Microsoft Ambassador to verify your account is safe and does not have a pending security info change request attached to the account.

Answer 3

The second action you (Carmid.L) recommended was to “remove the login privileges from my current account” (i.e., remove my current email address used for login and replace with another mail address under my control)

You state, “So even if the worst happens, the hacker will be prevented from accessing your account because he can't enter the correct username.”

This suggestion does not give me confidence. Microsoft has already twice informed me that on 6/29/2024 the hacker’s email address afqc…@...org will be added to my account and replace any of my security information (See figures in the original post above). So the hacker will be able to use afqc…@...org to log in and control my account and I will be denied access. This is the logical conclusion of the two emails sent by Microsoft. Taking Mircosoft’s emails a face value, there is some process already in the Microsoft’s system that will add afqc…@...org to my account on 6/29/2024 and remove all my access (email and other access methods). Is that not a logical conclusion of what Microsoft is telling me via email?

Please, I want a way to cancel the request and guarantee to prevent afqc…@...org from being added to my account.

Answer 4

Thank you for your help. You recommended two actions. I will report on the first recommendation which did not help.

You recommended “on another trusted device using Privacy Mode, and during the log in process, you will see that your account [Security Information Changes Suspended]”

First, I don’t understand the sentence “ you will see that your account [Security Information Changes Suspended]” as that sentence is not complete. I assume you mean that during the login process, I will see some type of message saying “security information changes suspended” or a message giving me the option to cancel the request for changes to security information. Or, I don’t understand.

Second, after following your instructions (i.e., use another trusted device, use Privacy mode or Incognito mode in Chrome, navigate to account.microsoft.com, and log in with my account credentials, answer 2FA challenge), I did not receive any message saying “Security Information Changes Suspended”, nor did the webpage giving me an option to cancel a security information change, nor did the “Your security info change is still pending” appear.

My account login process proceeded as normal and I was taken to my accounts webpage. When I clicked on the Security button (left menu bar), I did not see any message about a pending security information change. From the security webpage, I see my ways to prove who I am (See figure 1). My email address is correct, only my email address is listed as approved way to log in, my phone number is correct under "Text a Code", and the authenticator app is setup and working on my phone.

The article you referred to me did not help. During login, I never received a message saying “Your security info change is still pending”. Furthermore, the article states “If you tried to sign in with your Microsoft account and you received a message that said:" Your security info change is still pending" or "You can't access this site right now" It's because all the security info (such as alternate contact methods) that you previously added to your account was removed and replaced with new info” . That scenario does not describe my scenario. I am able to log into my account normally and I do see all my security information. The article does not apply nor did login in provide me a way to cancel any security info replacement.

Referring back to the Microsoft email messages I received,

“Your security info for **** is pending replacement with afqc…@...org on 6/29/2024. “

Should I be able to see this request somewhere? Should I be able to see afqc…@...org somewhere in my security screen and remove the email address? I do not see the hacker's email address in my account anywhere and I do not see a way to cancel any pending “security info replacement reminder.” Regards.

Answer 5

Dear TwicedConcernedUser

Thank you for posting to Microsoft Community

Based on your description, I understand that your account is being hacked and that the hackers are trying to change your account security information, so please point out if I am misunderstanding you.

I do understand your concern about your account security and I am glad to see that you have received a warning from the Microsoft team to change your security information. And that you are keenly aware of the anomalies in your account.

In order to further improve the security of your account, I recommend that you log in to your Microsoft account on another trusted device using Privacy Mode, and during the log in process, you will see that your account [Security Information Changes Suspended] You can refer to the following link in this screen to cancel the hacker's attempts to change the security information of your account.

What does “Security info change is still pending” mean? - Microsoft Support

In addition, you can temporarily protect your account by removing the login privileges from your current account. The user name of the removed user will not be able to log in to your account but will show that the account does not exist. So even if the worst happens, the hacker will be prevented from accessing your account because he can't enter the correct username.

Here are the steps:

You need to log into your Microsoft account and click [Your Information] on the left, then [Edit Account Information] on the right side of the screen that opens. On this screen, you can add an alias as a new login name for your account. Due to the current security risks associated with your account, I recommend that you create an alias with the outlook.com extension that does not require authentication. (If you use the custom alias below, you will be prompted to verify that this alias exists. Only actual mailboxes can be added as aliases.

Then, you need to click [Set as primary alias] to the right of the new alias to make it the primary alias. After that, click [Change Login Privileges] at the bottom and remove the tick mark in front of the current account name. You have successfully removed the login privileges of the account name. You can test this by typing your account name into the login screen and Microsoft will alert you that the username does not exist, which will prevent you from logging in, the same as someone trying to hack into your account.

Please note that in this case you will not be able to log in using this account name. Please remember the account name you changed. In addition, we have tested that you can still send and receive emails using this account name and that the sender can use your account name as the recipient of the email and that email functionality is not affected.

I wish you all the best

Carmid.L-MSFT | Microsoft Community Support Specialist

Share via

How to cancel an unauthorized ‘security info replacement’?

5 additional answers