Severe MFA push spam on Microsoft consumer account

Hulleman, Rob 20 Reputation points
2026-03-10T06:43:10.3666667+00:00

I’ve been getting more than 20 Microsoft Authenticator prompts per day on my personal outlook.com account, and this has been happening continuously for a long time. This is not occasional or temporary. I do not open or approve these prompts. I haven’t signed in anywhere myself and I only use this account on my own devices.

This is a Microsoft consumer account, not an Entra ID / work or school account. As far as I can tell, outlook.com does not provide detailed sign‑in logs like business accounts do, so I have no visibility into where these attempts are coming from or what exactly is happening on Microsoft’s side.

To rule out compromised sessions or stale trust relationships, I’ve already removed all apps linked to the account, signed out of all devices, and revoked existing sessions. The password was recently fully reset and is long and unique. MFA has been enabled for years. Despite all of this, the Authenticator challenges continue nonstop, dozens per day.

The impact is more than just annoying. Constant MFA push notifications create alert fatigue and increase the risk of accidental approval, which is widely considered a security anti‑pattern. That this is possible at this scale on a consumer account feels like a structural issue in how Microsoft protects these accounts.

My question is very concrete: has anyone experienced this with an outlook.com account, and how did you actually fix it? I’m not looking for theoretical best practices, but for a mitigation that truly stops these prompts from continuing. I’m especially interested in whether this is known behavior of Microsoft consumer identity and whether there are any real solutions short of abandoning the account entirely.

Microsoft Security | Microsoft Authenticator

1 answer

  1. Q&A Assist
    2026-03-10T06:43:30.25+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This behavior is consistent with repeated, unauthorized sign-in attempts that keep triggering MFA on the account. For consumer Microsoft accounts there is no admin portal or detailed sign-in log, so mitigation focuses on hardening the account, cutting off any remaining access paths, and changing how MFA is delivered so that push spam is no longer effective.

    Concrete mitigations that can actually stop or neutralize the prompts:

    1. Eliminate any non‑MFA or weaker auth paths
    • Make sure the account is no longer used with Basic authentication in any legacy clients (for example, old Outlook or third‑party mail apps). Basic auth is being removed and is a common target for password spraying and brute‑force attempts, which can generate many MFA prompts.
    • If any such apps are still configured, remove the account from them and re‑add using Modern authentication (OAuth) only, as described in the Outlook.com guidance. This reduces the surface for automated attacks that repeatedly hit the account.
    2. Force sign‑out and revoke suspicious access
    • Use the Microsoft account security pages (for consumer accounts) to:
      • Sign out of all active sessions.
      • Review and remove any unknown app permissions or connected apps.
    • This step is important if an attacker previously granted a malicious app or session that keeps attempting sign‑ins in the background.
    3. Change how MFA is used to defeat push spam
    • For consumer accounts, Microsoft Authenticator supports both:
      • Push notifications (approve/deny), and
      • Time‑based one‑time passcodes (codes generated in the app without any prompt).
    • To stop the push spam effect while keeping MFA:
      • Turn off or stop using push approvals for this account in Authenticator and instead use the OTP code from the app when prompted.
      • This way, repeated sign‑in attempts will no longer generate intrusive prompts; the attacker’s attempts will simply fail without bothering the user.
    • If SMS or phone call is configured as an additional method, consider switching the primary method to app‑based OTP codes, as recommended in the MFA FAQ for reliability and security.
    4. Use alternative verification methods when needed
    • If push notifications are being abused, use a different verification method (such as SMS or alternate email) temporarily when signing in, as suggested in the Authenticator and MFA troubleshooting guidance. This allows continued access while push is effectively ignored or disabled.
    5. Monitor and, if necessary, reset MFA registration
    • If the prompts continue even after changing password, signing out everywhere, and switching to OTP codes, the next escalation is to reset MFA registration for the account and re‑enroll the Authenticator app from a clean device. This breaks any stale or misconfigured MFA bindings that might be contributing to repeated prompts.
    6. Treat the pattern as a brute‑force attack and rely on Microsoft’s risk controls
    • The MFA investigation guidance for Entra ID describes spikes in MFA prompts as often being brute‑force activity. While consumer accounts lack the same portal views, the underlying principle is the same: Microsoft’s risk engine will continue to block sign‑ins without the correct second factor.
    • As long as prompts are consistently denied and the password is strong and unique, the account remains protected; switching away from push approvals removes the alert‑fatigue risk.

    In practice, users who have faced persistent MFA push spam on Microsoft accounts have resolved it by:

    • Removing any legacy/Basic‑auth clients and re‑adding accounts with Modern auth only.
    • Signing out everywhere and revoking unknown app permissions.
    • Disabling or effectively abandoning push approvals and using app‑generated verification codes instead, so repeated attacks no longer generate prompts.

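Added example (not part of the original question or answer, and not Microsoft code): where MFA events are available, as in the Entra ID investigation guidance the answer mentions, the push-spam pattern can be flagged by counting unapproved prompts per account in a sliding window and treating an approval that lands during a burst as the high-priority case. The event tuples, outcome names, account names and threshold below are constructed for illustration and do not mirror a real Microsoft log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed events: (ISO timestamp, account, push prompt outcome)."""
    base = datetime(2026, 3, 9, 0, 0)
    events = []
    for i in range(22):  # one unapproved prompt per hour on the targeted account
        ts = (base + timedelta(hours=i)).isoformat()
        events.append((ts, "target@example.com", "denied" if i % 2 else "timeout"))
    # The failure mode from the question: an approval in the middle of the spam.
    events.append(((base + timedelta(hours=22, minutes=5)).isoformat(),
                   "target@example.com", "approved"))
    # Ordinary behaviour on another account: one mistaken deny, then approve.
    events.append(((base + timedelta(hours=9)).isoformat(), "other@example.com", "denied"))
    events.append(((base + timedelta(hours=9, minutes=1)).isoformat(),
                   "other@example.com", "approved"))
    return events


def detect_push_fatigue(events, window=timedelta(hours=24), threshold=20):
    """Return {account: [(kind, timestamp, unapproved_count_in_window), ...]}.

    'burst' fires once when unapproved prompts inside the window reach the
    threshold; 'approved_after_burst' fires for an approval while the window
    still holds at least `threshold` unapproved prompts.
    """
    recent = defaultdict(deque)   # account -> timestamps of unapproved prompts
    findings = defaultdict(list)
    in_burst = set()              # accounts already reported for the current burst
    for ts_text, account, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        queue = recent[account]
        while queue and ts - queue[0] > window:   # expire prompts outside the window
            queue.popleft()
        if len(queue) < threshold:
            in_burst.discard(account)
        if outcome in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) >= threshold and account not in in_burst:
                findings[account].append(("burst", ts_text, len(queue)))
                in_burst.add(account)
        elif outcome == "approved" and len(queue) >= threshold:
            findings[account].append(("approved_after_burst", ts_text, len(queue)))
    return dict(findings)


if __name__ == "__main__":
    for account, hits in detect_push_fatigue(sample_events()).items():
        print(account, hits)
```
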
