A few days ago I was hit by a ClickFix attack (the type that tricks the victim into pasting a malicious command into a terminal). Since then I have completed the following remediation steps:
- Clean reinstall of Windows
- Full antivirus scan (no findings)
- Microsoft account password change
- "Sign out everywhere" executed
Despite all of this, I'm observing the following behavior:
When I attempt to sign in to my Microsoft account myself, the Microsoft Authenticator push notification arrives normally on my Android phone as an OS-level push (appearing on the lock screen and notification shade).
However, when I open the Microsoft Authenticator app directly, I find additional pending approval requests that I never initiated — presumably from attackers attempting to access my account. These appear with the standard number-matching prompt (3 two-digit options) and an active "Deny" button, meaning they are not yet expired. The location shown is, for example, "iOS via Malaysia," which is clearly not me.
For these suspicious attempts, no OS-level push notification ever reaches my phone — I only see them when I actively open the app. My phone's notification settings for Authenticator are correctly enabled, as confirmed by my own sign-in attempts triggering OS push normally.
Could you please clarify:
- Is Microsoft's risk-detection system intentionally suppressing OS-level push notifications for suspicious sign-in attempts (e.g., from unusual geolocations) while still recording them inside the app?
- Are these in-app entries genuine real-time sign-in attempts, or are they residual records of attempts that have already been blocked / expired server-side?
- Even if I never tap "Deny," are these attempts being effectively blocked? My Recent Activity page shows no successful unauthorized sign-ins.
- What additional steps can I take to stop these attempts at the source — for example, disabling sign-in for the (presumably leaked) email alias?
Additional context:
- Passwordless sign-in is disabled on my account
- 2FA is enabled (password + Authenticator)
- The ClickFix payload likely exfiltrated my email address, which may now be circulating on credential lists
Thank you for any guidance.