Microsoft won't give me back my hacked account despite evidence
My Microsoft account was stolen through a sophisticated Discord phishing bot and Microsoft has permanently suspended it instead of returning it to me. Has anyone dealt with this and found a way to escalate properly?
HOW IT HAPPENED:
I was invited through Minecraft to join a Discord server called Bedwars Tournaments. A bot posted a message titled Account Verification Required with a Link Account button, claiming it used Minecraft's official User Systems API. The process only asked for my Minecraft username, not my email or password. After entering my username, my Microsoft Authenticator app displayed a number prompt with no Microsoft branding and no indication it was authorising account access. I approved it believing it was part of a routine Minecraft verification process.
This was an Adversary-in-the-Middle phishing attack. The attacker used the verified session to immediately change the account email, reset the password, add their own authenticator, and remove all recovery methods. I want to be clear I did not enter my email or password at any point. The authenticator prompt gave zero indication it was authorising a full Microsoft account sign-in.
WHAT MICROSOFT HAS DONE:
- Confirmed unauthorised access occurred under two separate service requests
- Permanently suspended the account instead of restoring it
- Told me to create a new account and repurchase Minecraft
- Every escalation path leads to enforcement.xbox.com which I cannot access because the email was changed by the attacker
WHAT PROOF I HAVE:
- Original account creation email
- Minecraft purchase confirmation with order number
- Bank statement confirming payment to MICROSOFT*STORE on the same date
- Microsoft generated recovery code created on the same day as purchase
- Microsoft security emails showing exactly when the attacker made changes
- Xbox app showing the account on my personal device
- Windows Diagnostic Data Viewer confirming the Xbox Device ID tied to my machine
- Screenshot of the Discord phishing bot used in the attack
None of this evidence has been reviewed. The cases were closed before I compiled it and my follow-up emails received no reply.
I ALSO WANT TO RAISE A SECURITY CONCERN:
This attack worked because a single one-time authenticator code immediately granted full access to change emails, replace authenticators, and wipe recovery methods with zero additional verification. Microsoft should require a second verification step before security settings can be changed, and there should be a cooldown before a new email can become the primary account email. This attack has happened to many people and the fact it keeps working points to a gap in Microsoft's security model, not just user error.
Has anyone successfully escalated a confirmed account takeover past the standard support wall? Is there a direct contact or process that actually results in a human reviewing the evidence? Any advice appreciated.
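The takeover sequence described in the post (email change, authenticator swap, recovery wipe, all from one approved prompt) and the two controls proposed in the security concern, modelled as an added Python example rather than anything from Microsoft or the original post. The Account class, its fields, and the 300-second step-up window and seven-day email cooldown are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model (not Microsoft's code) of the takeover sequence in the post and of
# the two controls proposed there: fresh step-up verification before any security-setting
# change, and a cooldown before a new email becomes primary. All values are constructed.

class StepUpRequired(Exception):
    """A security-setting change was attempted without recent, purpose-stated re-verification."""
@dataclass
class Account:
    primary_email: str
    authenticators: list = field(default_factory=list)
    recovery_methods: list = field(default_factory=list)
    pending_email: Optional[tuple] = None  # (address, earliest time it may become primary)
    step_up_window: float = 300.0          # seconds a step-up verification stays valid
    email_cooldown: float = 7 * 24 * 3600  # seconds before a new email becomes primary

    def _require_step_up(self, step_up_at: Optional[float], now: float) -> None:
        # step_up_at: time of the last branded re-verification; a session from one number prompt has none.
        if step_up_at is None or now - step_up_at > self.step_up_window:
            raise StepUpRequired("fresh verification required for security changes")
    def change_email(self, step_up_at, new_email, now):
        self._require_step_up(step_up_at, now)
        self.pending_email = (new_email, now + self.email_cooldown)  # not primary yet
    def replace_authenticator(self, step_up_at, device, now):
        self._require_step_up(step_up_at, now)
        self.authenticators = [device]
    def remove_recovery_methods(self, step_up_at, now):
        self._require_step_up(step_up_at, now)
        self.recovery_methods = []
    def promote_pending_email(self, now):
        # During the cooldown, security mail still reaches the owner's old address.
        if self.pending_email and now >= self.pending_email[1]:
            self.primary_email, self.pending_email = self.pending_email[0], None
        return self.primary_email

def takeover_attempt(acct: Account, step_up_at: Optional[float], now: float) -> list:
    """Replay the attacker's sequence from the post; return the steps that got through."""
    steps = [("email", lambda: acct.change_email(step_up_at, "attacker@example.invalid", now)),
             ("authenticator", lambda: acct.replace_authenticator(step_up_at, "attacker-phone", now)),
             ("recovery", lambda: acct.remove_recovery_methods(step_up_at, now))]
    done = []
    for name, step in steps:
        try:
            step()
            done.append(name)
        except StepUpRequired:
            pass
    return done
```

With no step-up on the session, none of the three changes goes through; with a valid step-up, the email change still only becomes primary after the cooldown, so the owner keeps receiving security mail in the meantime.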