Forum Discussion

Ketchupp
Copper Contributor
Mar 21, 2026

Hackers keep prompting me for a code on Authenticator

Hello,

I'm noticing that I get a random prompt for a code on the Authenticator app whose location appears to be in the Netherlands. I'm under the impression that these hackers just try logging into numerous accounts, hoping that their victims will unknowingly push on a confirmation number and let them in. Is there a way to help prevent this? I would imagine that preventing logins based on unusual locations would help stop it, but I would like to hear your take.

Thanks!

3 Replies

  • Hi Ketchupp,

    TL;DR: rotate the password to something brand new, add a passkey, and the spam dies off on its own.

    You've nailed the diagnosis: this is MFA push fatigue. They have your password from somewhere (have you checked haveibeenpwned.com?), almost always an old third-party breach, and they're hoping you'll tap Approve on autopilot. The Netherlands location is just where their VPN/proxy exits, not where they actually are.

    Speaking from experience: I was personally banned/revoked from MCT itself, which came as a surprise email to me, only to realize my account password had been exposed in a third-party breach and later got them access to my account and training licenses, which were misused. Targeted, maybe.

    A few things on top of what's already been said here:

    The fact that you're getting a number prompt and not a Yes or No tap means number matching is already on; Microsoft made that mandatory, I suppose in 2023, so the "accidentally approve" risk is mostly closed.

    The single highest-leverage move is adding a passkey to your account: account.microsoft.com > Security > Advanced > Add a sign-in method > Passkey, then turning on Passwordless account. That removes the password from the auth equation entirely, and the push spam stops within a day or two because there's nothing for the attacker's stolen password to match. And on the passkey: if you are buying security keys like a YubiKey, you might as well buy two.

    Take a look at your sign-in activity at account.live.com/activity and confirm that none of those Netherlands attempts actually succeeded.

    On geo-blocking: you're right that it would help, but Microsoft only exposes that control for work or school accounts via Entra Conditional Access. For personal accounts there's no equivalent toggle. Your personal stance should be that strong auth (passkey and number-matching MFA) is the protection, not geo-restriction, because consumer geofencing locks people out when they travel or use a VPN.

    In fact, I am writing this response after 3 years, after getting access back, at least for now, to the lounge.

    Cheers,

    Decipher Punk


  • Ketchupp wrote:

    Is there a way to help prevent this? 

    Yes. Create a Login Only Alias and disable Sign-In for your current email address. Then, if all the Bad Guys have is your old email alias, they get "This username has been turned off for sign in" at the very first step of the logon process and cannot continue.

    See the answer by "Hornblower409 Feb 27, 2026" in
    https://learn.microsoft.com/en-us/answers/questions/5789093/i-get-a-few-2fa-notifications-from-canada-daily-us


  • Hi Ketchupp, you're exactly right about what's happening: this is a known tactic called "MFA fatigue" or "push bombing." Attackers already have your password (often from leaks) and keep trying to sign in, hoping you'll accidentally approve a prompt in the Microsoft Authenticator.

    The good news: they're not getting in unless you approve it, but you should still lock this down.

    What you should do right away

    Change your password (strong + unique)

    • Make sure it’s not reused anywhere else

    Enable "number matching" in Authenticator

    • This is critical: it forces you to enter a number shown on the login screen
    • Prevents accidental approvals

    Remove password sign-in (if possible)

    • Turn on passwordless sign-in in your Microsoft account
    • This blocks attackers who only have your password
    • Strengthen your security

    Check your sign-in activity

    • Look for unfamiliar locations/devices
    • Remove anything suspicious

    Add another verification method

    • Backup email or phone (in case you lose access)

    Sign out of all sessions

    Forces re-authentication everywhere

    About blocking locations (your question)

    Yes, blocking unusual locations does help, but:

    For work accounts, admins can enforce this via Microsoft Entra ID (Conditional Access policies)

    For personal accounts, you don’t get full geo-blocking controls

    So the best protection for personal use is:

    Strong password

    MFA with number matching

    Passwordless sign-in

    Important reminder

    Never approve: Random prompts and Requests you didn’t initiate

    If you keep getting them, it’s a signal your password is already exposed somewhere.
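The replies above all come back to the same two checks: look at the sign-in activity for bursts of prompts you did not start, and make sure none of them was followed by an approval. The script below is an added example (not code from any participant in this thread and not a Microsoft tool) that runs that check over sign-in events. The event schema is a constructed, simplified one (user, timestamp, source IP, country, MFA outcome), not the exact export format of account.live.com/activity or of Entra ID sign-in logs; the sample events are constructed as well. It flags any user who received at least THRESHOLD unanswered or denied pushes within WINDOW, and separately flags whether an approval from the same source IP followed the burst, which is the case that actually needs incident handling rather than just a password change.

```python
"""MFA push-fatigue detector over sign-in events (added example, constructed schema).

Each event is a dict: user, ts (ISO 8601 UTC), ip, country, mfa in
{"approved", "denied", "timeout"}. This simplified schema is an assumption
made for the example; map real sign-in log fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # burst window
THRESHOLD = 3                    # unanswered/denied pushes in WINDOW that count as a burst

# Constructed sample events (not real log data). Three users:
#  - ketchupp: bombarded from one Dutch exit IP, never approves
#  - bob:      bombarded, then an approval arrives from the attacker's IP
#  - alice:    a single normal, self-initiated approval
SAMPLE_EVENTS = [
    {"user": "ketchupp@example.com", "ts": "2026-03-21T07:30:00Z", "ip": "203.0.113.7", "country": "NL", "mfa": "timeout"},
    {"user": "ketchupp@example.com", "ts": "2026-03-21T08:00:10Z", "ip": "203.0.113.7", "country": "NL", "mfa": "timeout"},
    {"user": "ketchupp@example.com", "ts": "2026-03-21T08:01:05Z", "ip": "203.0.113.7", "country": "NL", "mfa": "timeout"},
    {"user": "ketchupp@example.com", "ts": "2026-03-21T08:02:40Z", "ip": "203.0.113.7", "country": "NL", "mfa": "denied"},
    {"user": "ketchupp@example.com", "ts": "2026-03-21T08:04:15Z", "ip": "203.0.113.7", "country": "NL", "mfa": "timeout"},
    {"user": "bob@example.com",      "ts": "2026-03-21T09:00:00Z", "ip": "198.51.100.9", "country": "NL", "mfa": "denied"},
    {"user": "bob@example.com",      "ts": "2026-03-21T09:00:45Z", "ip": "198.51.100.9", "country": "NL", "mfa": "timeout"},
    {"user": "bob@example.com",      "ts": "2026-03-21T09:01:30Z", "ip": "198.51.100.9", "country": "NL", "mfa": "timeout"},
    {"user": "bob@example.com",      "ts": "2026-03-21T09:02:10Z", "ip": "198.51.100.9", "country": "NL", "mfa": "approved"},
    {"user": "alice@example.com",    "ts": "2026-03-21T10:00:00Z", "ip": "192.0.2.44",   "country": "US", "mfa": "approved"},
]


def parse_events(events):
    """Parse timestamps and return the events sorted chronologically."""
    parsed = [{**e, "ts": datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for every user with a push burst.

    A burst is the largest set of unanswered/denied pushes that fits in `window`
    (sliding window over the sorted events). `approved_after_burst` is True when an
    approval from the burst's source IP arrives within `window` of the burst's end:
    the sign that fatigue actually worked and the session must be treated as compromised.
    """
    by_user = defaultdict(list)
    for e in parse_events(events):
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["mfa"] in ("timeout", "denied")]
        start, best, burst_end = 0, 0, None
        for end in range(len(unapproved)):
            # shrink the window from the left until it spans at most `window`
            while unapproved[end]["ts"] - unapproved[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, unapproved[end]
        if best < threshold:
            continue
        approved_after = any(
            e["mfa"] == "approved"
            and e["ip"] == burst_end["ip"]
            and burst_end["ts"] <= e["ts"] <= burst_end["ts"] + window
            for e in evs
        )
        findings[user] = {
            "prompts": best,
            "source_ip": burst_end["ip"],
            "country": burst_end["country"],
            "approved_after_burst": approved_after,
        }
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_EVENTS).items():
        verdict = "POSSIBLE COMPROMISE: approval followed burst" if f["approved_after_burst"] else "fatigue attempt only"
        print(f"{user}: {f['prompts']} pushes from {f['source_ip']} ({f['country']}); {verdict}")
```

ketchupp's burst is reported as four prompts, not five: the 07:30 push falls outside the ten-minute window and is dropped by the sliding window, which is the point of windowing rather than plain counting. bob is the case the thread warns about: a burst followed by an approval from the same IP, so the password reset and "sign out of all sessions" steps above are no longer optional for that account.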