A wave of unsolicited Microsoft verification codes is sweeping across Portugal and other regions in early 2026, triggering alarms among users who never attempted to sign in. Recipients report receiving SMS messages, emails, and Microsoft Authenticator prompts that contain legitimate-looking multi-factor authentication (MFA) codes without any login activity of their own. These incidents, which spiked on community forums and social media in January 2026, point to a surge in credential-based attacks targeting Microsoft accounts.
Security researchers and Microsoft insiders point to several likely causes, but official statements remain cautious. The phenomenon reveals a troubling trend in the MFA landscape: the very system designed to protect accounts is now being weaponized to confuse and panic users. This in-depth analysis breaks down what’s happening, why it’s happening, and how to respond without falling into the attacker’s trap.
Understanding Unsolicited Microsoft Verification Codes
When a user enables MFA on a Microsoft account—whether personal, work, or school—the system sends a one-time code whenever a login attempt is made from an unrecognized device or location. The code arrives via SMS, email, or a push notification in the Authenticator app. For a successful authentication, the code must be entered correctly or the push approved.
Unsolicited codes arrive without the user initiating anything. The recipient is left staring at a prompt that says “Approve sign-in?” or a text with a six-digit number, even though they haven't typed a password anywhere. In many cases, the notifications continue for hours or days, sometimes intensifying overnight—a telltale sign of automated attack scripts.
Microsoft’s security infrastructure is designed to send these codes only after a valid password has been entered. That means the attacker already has the user’s password and is now trying to break through the MFA barrier. This is not a glitch in Microsoft’s notification system; it’s a live attack in progress.
Where the Reports Are Coming From
Portugal emerged as a hotspot in December 2025, with local tech forums and social media groups flooded with complaints. Users described receiving codes at all hours, with some noting that the messages appeared to originate from official Microsoft shortcodes or verified email addresses. Similar reports quickly followed from Brazil, Spain, and the United States.
The cross-border nature points to a large-scale credential-stuffing operation. Attackers likely obtained massive caches of username/password pairs from third-party data breaches and are now systematically trying them on Microsoft’s login endpoints. Tools that automate these attempts are cheap and readily available on dark-web markets.
Notably, many affected users have Microsoft accounts tied to email addresses that were also exposed in recent known breaches, such as the 2024 LinkedIn scrape, the 2025 Dropbox leak, and numerous smaller breaches combined into credential lists. One Portuguese user on WindowsForum said, “I use a unique password for Microsoft, but my email was in three breaches last year. Now I keep getting codes.” That matches the pattern: a reused password isn’t necessary for credential stuffing; any old, compromised password can be tried, and if it’s the one currently in use, the system will send an MFA code.
Why Attackers Do This – and What They Want
The unsolicited code isn’t the endgame; it’s a mid-step. Attackers need the code to complete the login, but they can’t intercept it unless they have also compromised the email account, phone number, or authenticator app. So why the flood? Several motives are at play:
- MFA Fatigue / Prompt Bombing: Attackers hope the user will eventually approve a push notification or enter the code just to stop the harassment. This tactic, widely documented in attacks against enterprise environments like Uber and Cisco, relies on human frustration. Even a single careless approval can grant access.
- Fear and Spoofing: The attacker may follow up the code with a phishing call, email, or SMS claiming to be Microsoft support and asking for the code. A panicked recipient, thinking their account is under active breach, might hand over the code, believing it’s a security verification.
- Credential Validation: Even if the attack fails, the attacker learns that the password is correct—this is a valid credential pair that can be sold on dark-web markets for a higher price.
- Session Theft / Token Replay: More sophisticated attacks involve malware that steals session cookies or tokens. In such cases, the attacker may already have a valid session and is triggering MFA prompts to distract the user while they abuse the stolen session.
The end goal ranges from simple identity theft to espionage, depending on the account. Personal Microsoft accounts can unlock Xbox purchases, Outlook emails, OneDrive files, and linked services. Compromised corporate accounts tied to Entra ID (formerly Azure AD) can lead to full network intrusions.
The Enterprise Angle: Entra ID in Focus
For organizations using Microsoft 365 and Entra ID, unsolicited verification codes targeting employees are a red flag. Attackers may have harvested corporate credentials through phishing or malware and are now trying to move laterally. An employee receiving unexpected codes could indicate a broader breach attempt.
Microsoft’s Entra ID offers advanced protections that can mitigate these attacks, but only if configured correctly. Features like Conditional Access, risk-based policies, and passwordless authentication can stop automated attempts before MFA challenges are even issued. However, many tenants still rely on per-user MFA settings without fine-tuning.
A senior incident responder at a European MSSP, who spoke on condition of anonymity, noted: “We’re seeing a rise in user complaints about random codes, and sometimes it’s simply credential stuffing, but other times it’s the first sign of a targeted attack. If the attacker is on your VPN or already has a token, the MFA prompt is a smokescreen.”
Microsoft’s security defaults, introduced in 2019 and updated continuously, have reduced risk for smaller customers. Yet, users with legacy settings—like those who set up MFA before security defaults became the norm—might be more exposed.
What Microsoft Says, and What It Doesn’t
As of late January 2026, Microsoft has not released a formal advisory about the unsolicited code spike. However, its standard guidance on unauthorized MFA prompts remains consistent: if you receive a code you didn’t request, change your password immediately and review recent sign-in activity.
The Microsoft Security Response Twitter account posted a generic reminder on January 22: “Unexpected MFA prompts could indicate that someone has your password. Change it urgently and consider going passwordless.” The tweet didn’t reference any specific campaign or region.
Internally, sources say, the Redmond giant is aware of the uptick and is monitoring the situation. The problem is that the activity itself—automated login attempts—isn’t new. Microsoft blocks billions of brute-force attacks daily. The current wave is likely just a larger-than-usual credential-stuffing surge that’s finally catching public attention because MFA is now so widespread.
For users, the lack of a branded attack name or dedicated response can feel dismissive. But Microsoft’s silence is typical: acknowledging a surge can fuel copycats, and the underlying issue is not a Microsoft vulnerability but a user behavior one—password reuse across services.
Dissecting the Technical Route of a Typical Attack
To understand how unsolicited codes arrive, it helps to trace the attack flow:
- Credential Harvesting: The attacker obtains a username and password from a data breach or infostealer malware.
- Automated Login Script: Tools like Sentry MBA, OpenBullet, or custom Python scripts are configured to target Microsoft’s login endpoints (login.live.com or login.microsoftonline.com).
- MFA Triggered: Microsoft’s backend validates the password and, because MFA is enabled, issues a challenge via the user’s configured method.
- Code Sent: The user receives the code via SMS, email, or Authenticator push.
- Attacker’s Next Move: Without the code, the attacker cannot proceed unless they can intercept it. But if they have control over the user’s email or SIM, they can obtain the code. Otherwise, they resort to MFA fatigue or follow-up phishing.
This explains why some users see multiple codes in rapid succession: the script can trigger a new request every few seconds. Microsoft’s rate limiting and IP-throttling mechanisms kick in, but determined attackers rotate IPs and use residential proxies.
SMS vs. Authenticator: Different Risks
SMS-based codes are inherently less secure because they can be intercepted via SIM swapping or SS7 attacks. In 2026, SIM swapping remains a lucrative business, especially in regions where mobile carriers have lax identity-verification procedures. If a user receives unexpected SMS codes, it could mean their phone number is already being targeted for takeover.
Authenticator push notifications, on the other hand, are more secure because they are encrypted and tied to a specific device. But they aren’t immune: push-based MFA fatigue attacks have proven devastating in enterprise breaches. Admins should enforce number matching in Microsoft Authenticator to prevent simple “approve” taps from granting access.
Regional Focus: Why Portugal?
Portugal’s disproportionate presence in the reports raises questions. Cybersecurity firms tracking credential-stuffing campaigns often see regional spikes when a new malware distribution campaign hits a specific country, or when a large local breach has exposed a fresh batch of emails.
In late 2025, a Portuguese e-commerce platform suffered a data breach that leaked 2.4 million user records, including email addresses and weakly hashed passwords. That data set appeared on RaidForums and BreachForums within days. Security analysts believe this breach, combined with Portugal’s high mobile-phone penetration and widespread use of Microsoft services, created a perfect storm.
Moreover, the Portuguese language itself has become a target for vishing (voice phishing) campaigns. Attackers based in Portuguese-speaking countries can call affected users, spoofing Microsoft’s local support number, and coax the verification code out of them—often speaking with convincing fluency. Social media posts describe calls from individuals claiming to be from “Microsoft Portugal” who ask for the six-digit code to “stop the attack.”
How to Protect Your Microsoft Account Right Now
If you’re receiving unsolicited verification codes, immediate action is critical:
- Change your password without delay. Use a strong, unique password—ideally a passphrase of at least 16 characters. If you’ve reused that password elsewhere, change it everywhere.
- Enable passwordless authentication. Microsoft allows you to remove the password entirely from your account, using the Authenticator app, Windows Hello, or a security key. This completely eliminates the credential-stuffing risk. From your Microsoft account security page, select “Advanced security options” and follow the passwordless setup.
- Check sign-in activity. In your Microsoft account, navigate to Security > View my sign-in activity. Look for unsuccessful login attempts from unusual locations or IPs. Microsoft marks suspicious attempts with a shield icon. If you spot them, it confirms that your password is compromised.
- Revoke app passwords. If you’ve created app-specific passwords for Outlook or other clients, delete them and generate new ones if necessary. These passwords bypass MFA and are a goldmine for attackers.
- Add an alias for login. Microsoft allows you to create a new email alias and set it as the only login method. This immediately stops attacks on your old email address. The old address can remain as a recovery option without being used for sign-in.
- Review MFA methods. Remove old phone numbers or email addresses. Consider switching from SMS to the Authenticator app or a FIDO2 key.
For enterprises, the above applies, plus:
- Enforce strong MFA with number matching. In Entra ID admin center, configure authentication methods policy to require number matching for push notifications.
- Implement risk-based Conditional Access. Use sign-in risk policies to block or require additional verification for medium-risk and high-risk sign-ins.
- Monitor sign-in logs via Sentinel or Azure Monitor. Look for patterns of “interrupted” MFA challenges—these are attempts that reached MFA but were not completed. A spike can indicate a stuffing attack.
- Conduct user awareness training. Tell employees to never approve an unexpected MFA prompt and to report it immediately.
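One way to implement the sign-in log check from the monitoring step above, as an added example (not Microsoft's code or a Sentinel query): it flags users whose password-accepted but MFA-unfinished sign-ins cluster inside a short window. The record fields, sample data, threshold, and the set of result codes treated as "interrupted" are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# AADSTS result codes where the password was accepted but MFA was not satisfied.
# Treating exactly these codes as "interrupted" is an assumption; tune per tenant.
MFA_NOT_COMPLETED = {"50074", "50076", "500121"}

def _rec(time, user, ip, result):
    return {"time": time, "user": user, "ip": ip, "result": result}

# Constructed sample records with simplified field names (not a real log export).
SAMPLE = (
    # Six password-valid, MFA-unfinished attempts in six minutes from rotating IPs.
    [_rec(f"2026-01-20T02:0{i}:00", "ana@example.com", f"203.0.113.{10 + i % 4}", "50074")
     for i in range(6)]
    # The real user signing in successfully later that morning.
    + [_rec("2026-01-20T09:00:00", "ana@example.com", "198.51.100.7", "0")]
    # A user who abandoned two prompts hours apart: normal noise.
    + [_rec("2026-01-20T08:00:00", "bruno@example.com", "198.51.100.8", "50074"),
       _rec("2026-01-20T15:00:00", "bruno@example.com", "198.51.100.8", "50074")]
    # Wrong-password failures (50126) never reach MFA, so they are out of scope here.
    + [_rec(f"2026-01-20T03:0{i}:00", "carla@example.com", "203.0.113.50", "50126")
       for i in range(6)]
)

def find_mfa_floods(records, window=timedelta(minutes=10), threshold=5):
    """Return {user: (peak_count, distinct_ips)} for users whose uncompleted
    MFA challenges reach `threshold` inside any sliding `window`."""
    per_user = defaultdict(list)
    for r in records:
        if r["result"] in MFA_NOT_COMPLETED:
            per_user[r["user"]].append((datetime.fromisoformat(r["time"]), r["ip"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        win, peak, peak_ips = deque(), 0, set()
        for ts, ip in events:
            win.append((ts, ip))
            while ts - win[0][0] > window:  # drop events older than the window
                win.popleft()
            if len(win) > peak:
                peak, peak_ips = len(win), {addr for _, addr in win}
        if peak >= threshold:
            flagged[user] = (peak, len(peak_ips))
    return flagged

if __name__ == "__main__":
    for user, (count, ips) in find_mfa_floods(SAMPLE).items():
        print(f"{user}: {count} uncompleted MFA challenges from {ips} IPs")
```

A high distinct-IP count alongside the peak is consistent with the proxy rotation described earlier; a flagged user should be treated as having a known-compromised password.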
The Evolving Threat Landscape: MFA Is Not a Silver Bullet
The rise in unsolicited codes underscores a hard truth: MFA alone is insufficient against modern attack techniques. Credential stuffing, MFA fatigue, token theft, SIM swapping, and adversary-in-the-middle (AiTM) phishing kits all exploit the ways MFA can fail. Even Microsoft’s own numbers show that MFA reduces the risk of account compromise by 99.9%, but that remaining 0.1% represents millions of breaches annually.
Phishing kits like Evilginx and Tycoon2.0 can intercept MFA codes in real-time by proxying the login session. Unsolicited code floods often coincide with such attacks—distracting the victim while the real theft occurs. In 2026, attackers increasingly combine automated stuffing with live social engineering, a hybrid approach that demands layered defenses.
Passwordless technologies using FIDO2 and biometrics offer stronger resistance because they eliminate the shared secret. When you sign in with a PIN and your device’s TPM chip, there’s no credential to be stuffed and no code to be intercepted. Microsoft has been pushing passwordless for years, and the current surge might be the tipping point that drives mass adoption.
Microsoft Authenticator’s Evolving Role
Microsoft Authenticator now includes a feature called “Match codes” that requires users to type a two-digit number displayed on the sign-in screen, preventing accidental approval. It also supports countdown timers and location-based information to help users spot rogue requests. But these features are only effective if users pay attention—and the fatigue attack preys on the opposite.
Another emerging tool is the “Verified Push” concept, where the Authenticator app shows the application name, sign-in location, and a unique number the user must enter. This makes it harder for attackers to shove through fake prompts. Still, the human factor remains the weakest link.
What’s Next? Predictions and Precautions
The unsolicited code wave of early 2026 is unlikely to subside soon. As long as compromised credential databases remain active, attackers will keep hammering Microsoft accounts. However, several developments could shift the dynamics:
- Microsoft’s eventual password elimination. In 2025, Microsoft announced that personal accounts would soon be allowed to go fully passwordless by default. If the rollout accelerates, credential stuffing against Microsoft accounts will become impossible.
- AI-driven defense mechanisms. Microsoft’s Intelligent Security Graph already uses machine learning to detect and block suspicious sign-ins. Future iterations may automatically lock accounts that receive an abnormal volume of MFA challenges, creating a self-healing loop.
- Regulatory pressure. With GDPR fines for data breaches and new EU cybersecurity regulations, companies that fail to implement proper MFA will face steeper penalties. This could indirectly reduce corporate account takeovers.
- Better user education. The current panic shows that most people still don’t understand what an unsolicited MFA prompt means. As awareness grows, users will become less likely to fall for follow-up phishing.
For now, the best defense is to assume your password is already out there. Transition to passwordless, use the Authenticator app with number matching, and never, ever share a verification code with anyone.
Microsoft’s motto, “Your account, your responsibility,” has never been more apt. The verification code you didn’t ask for is a klaxon, not a bug. Ignoring it won’t stop the thieves, but the right steps will lock them out for good.