![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 79%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
The repeated texts and calls mean someone (or something automated) is repeatedly trying to sign in using your account identifier, but they still need your second factor/passkey, so they cannot complete sign-in.
To reduce or stop these attempts and keep the account secure:
- Do not respond to unrequested codes
- Ignore all verification codes and prompts that you did not initiate. Without the code or your passkey, the attacker cannot get in.
- This guidance applies both to personal Microsoft accounts and work/school accounts.
- Review recent activity and secure the account
- Sign in to your account and check the Recent activity page to confirm which sign-ins are yours and which are not.
- If any activity is not recognized, follow the prompts there to secure the account (change password, review security info).
- Strengthen sign-in with passwordless methods
- Since a passkey is already used, keep it enabled and ensure no weaker methods are left that an attacker could exploit.
- For additional protection and convenience, consider going fully passwordless using Windows Hello, Microsoft Authenticator, SMS/Email codes, or a physical security key as described in the passwordless guidance. This reduces reliance on passwords that can be guessed or phished.
- Verify and clean up security info
- Check the phone numbers, email addresses, and apps listed as security info on the account.
- Remove any phone/email or authenticator app entries that are not recognized.
- Expect some attempts to continue
- Microsoft cannot fully prevent someone from typing the email/phone on a sign-in page, but the protections in place (2FA, passkeys, unusual-activity detection) block unauthorized access.
- When unusual sign-in attempts occur, Microsoft will continue to send alerts (email/SMS) so that any real compromise can be detected quickly.
If the volume of alerts is very high and persistent, use the security pages to verify everything is correct, then rely on passwordless/strong MFA and continue to ignore any codes or prompts that are not initiated personally.
References:
