Forum Discussion

Rosine_LEROY
Copper Contributor
Oct 28, 2024

OTP Code via SMS from non microsoft number

Hi Microsoft Team, Good day!

For a few weeks now, many people around me have been receiving their OTP code for MFA via SMS, often from unknown senders (a non-Microsoft phone number). The sender of the SMS doesn't use an official Microsoft phone number, and "Microsoft" is not displayed as the sender.

I would like to request assistance on how to verify that these numbers are legitimately from Microsoft.

41 79 998 76 61 and 4915758307532.

Many thanks for your help.

Kind regards, Rosine

  • ehalmiTke
    Copper Contributor
    Hello Rosine,

    Thank you for raising this concerning situation. I would suggest using the Sign-in logs and filtering on the reported users. There you can see attributes such as device type, application and location, so you can better understand whether the sign-in attempts are suspicious (for example, an unknown location). Additionally, you can use Identity Protection > Report > Risky users / Risky sign-ins. There you can see what Azure has supposedly understood about the user's sign-in, determine whether it is a threat actor, and remediate by changing the user's password.

    Relevant Document: https://learn.microsoft.com/en-us/entra/id-protection/id-protection-dashboard

    Let me know if questions arise or how it goes.
    • Rosine_LEROY
      Copper Contributor
      Actually, we have already investigated the Sign-in logs and haven't found any suspicious attempts or even unfamiliar successful logons for the accounts that received these OTP SMS from a non-Microsoft phone number. We would like to know whether it is normal (expected) to receive an OTP code from a non-Microsoft number, from WhatsApp, from SIMBoss, ...?
      Many thanks in advance for your answers. Kind regards, Rosine
      • ehalmiTke
        Copper Contributor
        Hello,

        Microsoft usually doesn't send OTP codes over third-party channels such as WhatsApp. This may be simple SMS phishing, especially if there is a link or urgency.

        SMS OTP is always sent over a phone number, and the text looks like the following:
        Use verification code ###### for Microsoft authentication.
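The two replies above suggest a triage procedure: check whether the message text matches the expected OTP template, treat links, urgency wording and delivery over a third-party channel such as WhatsApp as phishing signals, and correlate each received code with the tenant's sign-in logs to see whether a sign-in with SMS MFA actually happened at that moment and from where. The script below is an added example of that triage, not code from the thread or from Microsoft. It does not try to validate sender phone numbers (the thread leaves that question open). The messages, the sign-in records and the known-country list are constructed sample data; the sign-in records follow the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `createdDateTime`, `location.countryOrRegion`, `mfaDetail.authMethod`, `riskLevelDuringSignIn`), and the `"Text message"` value for `authMethod` is an assumption about how the SMS method is labelled.

```python
import re
from datetime import datetime, timedelta, timezone

# Expected SMS OTP text as quoted in the thread; the code is six digits.
OTP_TEMPLATE = re.compile(r"^Use verification code (\d{6}) for Microsoft authentication\.$")
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "expire")

# Constructed sample messages as reported by users (not real traffic).
MESSAGES = [
    {"user": "alice@contoso.example", "channel": "sms", "sender": "+41791234567",
     "received": "2024-10-28T08:02:10Z",
     "body": "Use verification code 483920 for Microsoft authentication."},
    {"user": "bob@contoso.example", "channel": "whatsapp", "sender": "+491751234567",
     "received": "2024-10-28T09:15:00Z",
     "body": "Use verification code 118271 for Microsoft authentication."},
    {"user": "carol@contoso.example", "channel": "sms", "sender": "+441234567890",
     "received": "2024-10-28T10:30:00Z",
     "body": "Your Microsoft account is locked. Verify immediately at http://login-ms.example"},
]

# Constructed sign-in records in the shape of Graph signIn objects (assumed field names).
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-10-28T08:01:55Z",
     "location": {"countryOrRegion": "CH"}, "mfaDetail": {"authMethod": "Text message"},
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none"},
]

# Countries each user normally signs in from (constructed; in practice derived from history).
KNOWN_COUNTRIES = {"alice@contoso.example": {"CH"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_body(body):
    """Return the reasons a message body looks wrong; an empty list means it matches the template."""
    reasons = []
    if not OTP_TEMPLATE.match(body.strip()):
        reasons.append("body does not match the expected OTP template")
    if URL_RE.search(body):
        reasons.append("body contains a link")
    lowered = body.lower()
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("body uses urgency language")
    return reasons


def find_matching_signin(msg, signins, window):
    """Find a sign-in by the same user whose MFA used SMS within +/- window of the message."""
    t = parse_ts(msg["received"])
    for s in signins:
        if s["userPrincipalName"].lower() != msg["user"].lower():
            continue
        if s.get("mfaDetail", {}).get("authMethod") != "Text message":
            continue
        if abs(parse_ts(s["createdDateTime"]) - t) <= window:
            return s
    return None


def triage(messages, signins, known_countries, window=timedelta(minutes=5)):
    """Classify each reported OTP message as 'expected' or 'suspicious' with the reasons."""
    results = []
    for msg in messages:
        reasons = check_body(msg["body"])
        if msg["channel"] != "sms":
            reasons.append(f"delivered over third-party channel: {msg['channel']}")
        match = find_matching_signin(msg, signins, window)
        if match is None:
            # A code nobody requested usually means someone else is trying the account.
            reasons.append("no sign-in with SMS MFA near the time the code arrived")
        else:
            country = match.get("location", {}).get("countryOrRegion")
            if country not in known_countries.get(msg["user"], set()):
                reasons.append(f"matching sign-in from unfamiliar location: {country}")
            if match.get("riskLevelDuringSignIn", "none") != "none":
                reasons.append("matching sign-in flagged risky by Identity Protection")
        results.append({"user": msg["user"], "sender": msg["sender"],
                        "verdict": "suspicious" if reasons else "expected",
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(MESSAGES, SIGNINS, KNOWN_COUNTRIES):
        print(f"{r['user']} from {r['sender']}: {r['verdict']}")
        for reason in r["reasons"]:
            print(f"  - {reason}")
```

With the sample data, Alice's code is expected (template matches, an SMS-MFA sign-in from a known country occurred seconds earlier), Bob's is flagged because it arrived over WhatsApp and no sign-in used SMS at that time, and Carol's is flagged on every rule. An "expected" verdict still only says the code is consistent with a real prompt; it does not tell you who triggered the prompt, so an unfamiliar location or a risky sign-in on the matching record is the part to act on.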
  • Rosine_LEROY
    Copper Contributor

    Hello,

    The SMS OTP is actually sent from a normal phone number (from the country the person is from), but through WhatsApp. The format described above is used in the messages we have seen. Can you please confirm that this method can be used by the Microsoft MFA system?

    As mentioned in this post: https://www.linkedin.com/posts/rnagbanshi_phone-authentication-methods-microsoft-activity-7120523314753679360-Cc-F
