Why are multiple users receiving unrequested OTPs via text even if their default MFA is Authenticator app?

Question

Why are multiple users receiving unrequested OTPs via text even if their default MFA is Authenticator app?

Besfort Zymberi 185

Several users reporting having received OTP text messages from Microsoft that they did not request. No suspicious logins observed. Issue with Microsofts service?

Mulanax, Sean 0 Reputation points

2025-06-11T18:36:03.3433333+00:00

We also are seeing this message even if the end user does not have SMS as an MFA option.
Dan O 0 Reputation points

2025-06-11T18:37:26.87+00:00

We have had user reports of this today as well.
Nick Vazquez 0 Reputation points

2025-06-11T18:59:57.0433333+00:00

Same here, this is ridiculous
Keith Andreassen 0 Reputation points

2025-06-11T19:10:58.34+00:00

Same here.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Jeffrey Insalaco 0 Reputation points

2025-06-11T20:55:40.7966667+00:00

We have the same problem, but i noticed that the verbiage is different in the text message from the non requested message than a requested message. I suspect that the report junk hyperlink at the bottom of the non requested message is going to get you to give up your credendials. I did not click on it to find out.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

3 answers

Your answer

Mulanax, Sean 0 Reputation points

2025-06-11T18:36:03.3433333+00:00

We also are seeing this message even if the end user does not have SMS as an MFA option.
Dan O 0 Reputation points

2025-06-11T18:37:26.87+00:00

We have had user reports of this today as well.
Nick Vazquez 0 Reputation points

2025-06-11T18:59:57.0433333+00:00

Same here, this is ridiculous
Keith Andreassen 0 Reputation points

2025-06-11T19:10:58.34+00:00

Same here.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Jeffrey Insalaco 0 Reputation points

2025-06-11T20:55:40.7966667+00:00

We have the same problem, but i noticed that the verbiage is different in the text message from the non requested message than a requested message. I suspect that the report junk hyperlink at the bottom of the non requested message is going to get you to give up your credendials. I did not click on it to find out.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Logan 30

In Entra, select "Security" > "Authentication Methods" > "Policies" > "SMS" and make sure 'Use for Sign in' is not enabled.

If enabled, this setting means that people can log in with a cell phone number + SMS code instead of an email and password. These are likely the the reason you're receiving the verification messages, especially if you're not seeing sign in logs associated with the codes. There appears to be some sort of bad actor campaign targeting this login method, for what purpose, remains to be seen.

The reason you're not seeing a sign-in log is because the account is only being authenticated with a username (the cell phone number in this case.) No password (the text code) is being entered.

Anthony Bowers_Admin 5 Reputation points

2025-06-11T19:50:43.6566667+00:00

That's a great answer on how to disable the SMS option. Why are people all over the world reporting unsolicited MFA SMS codes being sent to their phones and zero sign-in attempts reported via Azure?
Logan 30 Reputation points

2025-06-11T19:52:27.3+00:00

There's likely some sort of campaign going on where a bad actor is trying to target this login method, hence everyone getting codes right now.
Jonathan Lynn 0 Reputation points

2025-06-11T19:58:14.4+00:00

Do you not mean make sure 'Use for Sign in' is not checked on.? I assume when it's ticked off SMS can only be used for MFA when registration is allowed?
Jonathan Lynn 0 Reputation points

2025-06-11T20:00:51.0166667+00:00

And I'm realising now tick/check box is a bit ambiguous but for absolute clarity.. "Use for log in": Box Checked = enabled, Box not checked = Disabled
Logan 30 Reputation points

2025-06-11T20:01:39.4733333+00:00

I've edited my answer to remove the ambiguity. The setting should not be enabled.
Jonathan Lynn 0 Reputation points

2025-06-11T20:02:29.02+00:00

Thank you very much, I was going a little crazy for a minute there.
Anthony Bowers_Admin 5 Reputation points

2025-06-11T20:54:05.01+00:00

Azure is not reporting failed login. I am looking at a user that got 2 texts. I don't see any login attempts during that time. Again, dozens of IT administrators and normal users are reporting unsolicited SMS text from Microsoft with MFA codes. It isn't a matter of disabling the option, it is a question of what is going on, why are we not hearing anything, and why are we not seeing anything.

If there is an ongoing campaign, we need to know about it. We are not seeing signs of an ongoing campaign. We are not seeing login attempts outside of controlled environments. If it is a test or a mistake, Microsoft needs to let their customers know so we are not scrambling, looking for something that isn't there.Here is a Reddit post about this issue.
https://www.reddit.com/r/sysadmin/comments/1l8s6qx/unsolicited_microsoft_mfa_messages/
Logan 30 Reputation points

2025-06-11T21:02:31.5866667+00:00

No login events are generated unless the user successfully logins in with the phone number + text message that they receive. There is likely a bad actor going through a list of phone numbers to see which are active and associated with what accounts, for what reason remains to be determined. The steps I provided above are to turn that login method off which will disable users from logging in with a phone number + SMS code, which in turn, will stop users from receiving the unsolicited messages.

Azure isn't reporting a failed login because there is no completed login, the 'bad actor' has essentially only entered the username (cell phone number in this case.)
Logan 30 Reputation points

2025-06-11T21:03:21.1366667+00:00

You can validate this yourself by attempting to log into Azure using a cell phone number that received one of the messages as the username.
Anthony Bowers_Admin 5 Reputation points

2025-06-11T21:14:10.7933333+00:00

Thank you for explaining that further. I had no clue that was even an option that was enabled. Is that option ON by default? That was exactly what was going on.

That was on with conditional access on, too. Holy cow.
Dan O 0 Reputation points

2025-06-11T22:39:37.69+00:00

still there are no logs stating that a user attempted a login and an mfa code was sent? Istn' the definition of a failed login that they failed to login? are there any other secret login methods that Microsoft enabled by default that we should be aware of?
Logan 30 Reputation points

2025-06-11T23:04:29.85+00:00

Dan, try logging into Azure/O365 in an incognito Window using the cell phone number you received the MFA code for the username at and I think it will make more sense.

As mentioned, the setting above allows a user to log into their Entra account using their cell phone number + the code that they receive. I believe this setting is enabled in the tenant by default, but you can turn it off.

It's not that someone is getting through the username / password and then the code is being generated. With the setting mentioned enabled, it allows users to log in with phone number + SMS code INSTEAD of Username + password.
Logan 30 Reputation points

2025-06-11T23:10:30.5966667+00:00

The reason you're not seeing a sign-in log is because the account is only being authenticated with a username (the cell phone number in this case.) No password (the text code) is being entered.
Glen D 0 Reputation points

2025-06-12T01:48:40.1466667+00:00

I’ve tested a few phone numbers that received these and both return messages that the phone number cannot found to login.

Answer 2

Eric Nguyen 1,025 Independent Advisor

Hi @Besfort Zymberi ,

Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

We understand your concern regarding unexpected OTP messages via SMS. Here’s what to check:

Disable SMS authentication – In the Microsoft Entra admin center, go to Security → Authentication methods → Policies, locate Text message (SMS), and set Enable to No.

Confirm account type – Are you using an individual Microsoft account (MSA) or a Work/School account (Microsoft Entra ID)? If it’s an MSA, sign-in logs won’t be visible in Entra, and unauthorized access could be the cause.

Check recent sign-ins – If you suspect unusual activity, update your password and review security settings https://account.microsoft.com/security.

Please note: We do not support personal accounts in the Work & School tenant. If you need further help securing an individual account, please contact Microsoft Support.

Kindly let me know if this work for you and please let me know if you have any further questions.

If I have answered your question, please accept this as answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

Best regards,
Eric

Besfort Zymberi 185 Reputation points

2025-06-12T18:06:28.4966667+00:00

Thank you for providing that usable solution.

RE:Disable SMS authentication it's very clear by everyones response that this should NOT be a manual action to be taken by every individual organization, and in fact many people were not even aware this was on by default. Microsoft should not have set this on by default, and by doing so, Microsoft is enabling bad actors to easily perform reconnaissance and identify and validate user accounts with only a phone number. Combine that with SIM hijacking and now it's possible to takeover accounts?

Microsoft should urgently change this default-on setting.
Glen D 0 Reputation points

2025-06-12T18:12:34.1666667+00:00

Every account we have that could have had this option set is turned off so this is not the solution to the vast problem. Searching online I am seeing the exact same thing.

Answer 3

Hello Besfort Zymberi,

As described, several users have reported receiving unexpected SMS codes for multi-factor authentication (MFA) without initiating any sign-in attempts. Notably, there are no corresponding sign-in logs related to these MFA prompts. The messages appear to originate from legitimate Microsoft SMS numbers, and some affected users do not have SMS configured as an MFA method.

On June 11, 2025, Microsoft detected an anomalous actor attempting account enumeration using phone numbers. If these phone numbers were registered with SMS as a single-factor authentication method on an Entra account, the Entra user received an unexpected SMS containing the authentication code to log in.

Our engineering team is investigated this activity and mitigated the issue by addressing all of the aspects.

Share via

Why are multiple users receiving unrequested OTPs via text even if their default MFA is Authenticator app?

3 answers

Your answer