Unusual Activity, Random Microsoft Authentication Requests

Question

In my Account Security "Recent Activity" page, I'm showing around 24 or more "Unsuccessful sign-in" attempts from random IPs/Countries every day. I have a very robust password, and also have 2FA setup on my account.

A couple questions:

#1: In several places in the Help documentation, it says that I can view "recent activity" and there is an option to report suspicious activity. I don't see any such option on my recent activity page, but only get a "Secure your account" link.

#2: Even more concerning is that my successful login attempts do not show at all in my recent activity. For example, I just logged into my account on my iPhone Mail App (via 2FA), but this login attempt does not display in "recent activity." Nor does it show me on "devices" that I am logged in anywhere else but on my desktop browser. But I am logged in via Mail app on my iphone, as well as the Microsoft Authenticator App. Should this activity not be showing up on my "Recent activity"? Isn't it kind of important to know not just when there are unsuccessful sign-in attempts, but -- even MORE important -- when there are SUCCESSFUL sign in attempts? Without that information, how on earth would I ever know if someone has successfully hacked into my account?

#3: I recently received a notification from my MS Authenticator App that I did not trigger myself (at least I was not manually attempting to login anywhere). However I did notice a few minutes ago that I was logged out of the iOS Mail app. Could this Authenticator App notification have been triggered by my iOS mail app automatically trying to login to my account after getting disconnected? (Does the iOS mail app do that?)

Thanks in advance for your help.

Answer 1

Dear toziveyi,

Thank you for posting in the Microsoft Community.

According to your description, you have questions about the "Recent Activity Page" feature. Let's study these issues together.

------------------------------------------------------------------------

1.I indeed haven't found the option to report suspicious activities on the "Recent Sign-In Activity" page. In this regard, I need you to provide me with the document you referred to so that I can investigate.

------------------------------------------------------------------------

2. Regarding the sign-in activity records, please refer to the instructions in the part shown in the following picture of this document:

What is the Recent activity page? - Microsoft Support

This means that if you logged into this account at the same location not long ago, the "Recent Sign-In Activity" page may not display this sign-in activity.

I just tested re-signing in to one of my Outlook accounts on my iPhone mail app and received the sign-in activity prompt shown in the following picture. You can delete the current account and try adding it again to see if you get this activity record.

Both failed and successful sign-in activities will be recorded on this page.

------------------------------------------------------------------------

3. The notification from this Authenticator app seems more like an attempt by someone else rather than an automatic reconnection notification sent by the Mail app. When my Microsoft mailbox on my own device disconnected automatically, I didn't receive additional notifications sent by the Authenticator.

I know that you use a strong password and have enabled two-step verification. These steps can greatly enhance the security of your account. However, as long as the hacker has marked your address, these automated attempts will still exist.

Based on my communication with other users, to improve this situation, you can try "revoking the sign-in permission of the current account alias ", which can very effectively prevent intruders who already know your account name.

To do this:

1. Please open the webpage account.live.com and log into your Microsoft account.
2. Then click on [Your info] on the left side, and then click on [Edit account info] on the right side of the opened screen.
3. In this interface, you can add an alias for your account as a new login name. It is recommended that you create an alias with the extension of @outlook.com.
4. Then, you need to click on [Make primary] on the right side of the new alias to make it the primary alias. After that, click on [Change sign-in permissions] at the bottom and remove the check mark in front of the current account name.

After completing the above steps, the login permission of the previous account name will be revoked. You can test this by entering your account name on the login screen. Microsoft will remind you that the username does not exist, and neither you nor hackers will be able to use this address to log in to the account during this period.

Please note that you are only temporarily revoking the login permission of the current account. Do not delete the alias of the current account! Once an alias in the Microsoft domain is deleted, it cannot be recovered.

Please remember the account name you have changed. In addition, we have also tested that you can still use this account name to send and receive emails, and the sender can use your account name as the recipient of the email, and the email function will not be affected.

Generally, these types of automatic login intrusions are carried out by automated scripts, which will give up relogging in after multiple attempts to use non-existent accounts. You can check whether your account is still under attack by re-enabling the login access to the account name 5 - 7 days after changing the alias.

I hope my explanations can provide you with some references. Feel free to post back if you need further assistance.  Wish you have a good day!

Best Regards,

Ulrica.W - MSFT | Microsoft Community Support Specialist

Answer 2

This is extremely helpful. Thank you so much! I will take these steps and let you know if I continue having any problems.

Answer 3

Dear toziveyi,

Thank you for taking the time to try it out, I will continue to monitor your issue.

Best Regards,

Ulrica.W - MSFT | Microsoft Community Support Specialist