I keep getting password reset emails that I didn't request.

Question

These appear to me legitimate Microsoft emails. What should I do to secure my account?

Answer 1

Hi,

If you are getting a single use code that you did not request, it could mean that someone accidentally entered your email address, or someone may be trying to access your Microsoft account.

If you did not request the code yourself, do not share or use the code. The good thing is that receiving the code alone does not mean your account has been accessed.

To help secure your account, I suggest the following:

• Change your Microsoft account password immediately and make sure it is strong and unique.

• Review your recent sign in activity here to check for unfamiliar login attempts: https://account.microsoft.com/security

• If you notice unfamiliar sign in attempts from unknown locations or devices, choose the option that says “This wasn’t me” on the activity page to report the activity to Microsoft.

As an additional security measure, please see “How to help keep your Microsoft account secure.”: https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9

Answer 2

If password reset or verification-code emails are arriving without being requested, treat it as possible unauthorized sign-in attempts and immediately secure the account.

1. Verify the emails are legitimate

• Confirm the sender domain is @accountprotection.microsoft.com or ******@accountprotection.microsoft.com.
• If unsure, inspect the message headers or see guidance on recognizing phishing messages.

2. Check recent sign-in activity

• Go to the Security basics page and sign in.
• Select Review activity to open the Recent activity page.
• Look for unfamiliar locations, devices, or sign-ins:
  • If an event appears under Unusual activity, expand it and select This wasn’t me.
  • If it appears under Recent activity, expand it and select Secure your account.

3. Change the password immediately

• From the Security basics page, select Change password.
• Create a strong, unique password that is not used on any other site.

4. Strengthen sign-in security

• Turn on two-step verification / multifactor authentication if not already enabled.
• Add another way to sign in or verify identity:
  • On the Advanced security options page, select Add a new way to sign in or verify and configure an alternate email, phone, or app.
• Consider going passwordless using Microsoft Authenticator, Windows Hello, SMS codes, or security keys as described in the passwordless guidance.

5. Review and update security info

• Ensure all phone numbers, email addresses, and authenticator apps listed for verification are current and belong to the legitimate owner.
• Remove any unfamiliar or outdated security info.

6. Keep devices secure

• Make sure the operating system and browser are fully updated.
• Use reputable antivirus software and keep it updated.

7. Ignore unrequested codes

• Do not enter or respond to verification codes that were not requested.
• The account remains safe as long as those codes are not provided to an attacker.

If sign-in is not possible because someone changed the password, follow the steps under When you can’t sign in to your Microsoft account and, if prompted, choose I think someone else is using my Microsoft account to start account recovery.

---

References:

• Can I trust email from the Microsoft account team?
• What happens if there's an unusual sign-in to your account
• Help protect your Outlook.com email account
• How to help keep your Microsoft account secure
• Common problems with two-step verification for a work or school account