
Understanding Microsoft Account Fatigue Attacks and Security Recommendations

The article explains how fatigue attacks target Microsoft accounts by repeatedly sending login prompts, describes Microsoft's new numeric verification safeguard, and offers practical security measures such as changing passwords, using passkeys, switching to alternative authenticators, and updating the linked email to protect personal data.


Previously, a hacker team demonstrated fatigue attacks on Microsoft accounts: after obtaining a user's email, the attacker repeatedly submits sign-in requests, each of which triggers a Microsoft Authenticator push notification, so the user is bombarded with prompts to approve or deny the sign-in.

To mitigate this, Microsoft now requires an additional numeric verification step (number matching) after the user taps "Approve": the sign-in succeeds only if the number entered in the app matches the one displayed on the sign-in page, which makes accidental or reflexive approval unlikely.
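The following is an added illustration, not code from the article or from Microsoft, of why number matching defeats reflexive approval. It is a hypothetical server-side model: the two-digit number is shown only on the sign-in page, the push carries just a challenge id, and a tap on "Approve" without the matching number (or after the prompt expires) is rejected. The class and method names, and the 60-second lifetime, are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PushChallenge:
    """One pending sign-in pushed to the user's authenticator app (constructed model)."""
    challenge_id: str
    display_number: int      # shown on the sign-in web page, never inside the push
    created_at: float
    resolved: bool = False
    approved: bool = False


class NumberMatchingMfa:
    """Hypothetical server-side verifier for push approvals with number matching."""

    TTL_SECONDS = 60  # assumed prompt lifetime; older challenges are rejected

    def __init__(self) -> None:
        self._pending: Dict[str, PushChallenge] = {}

    def start_sign_in(self, now: Optional[float] = None) -> Tuple[str, int]:
        """Create a challenge. Returns (id carried by the push, number shown on the page)."""
        challenge = PushChallenge(
            challenge_id=secrets.token_hex(8),
            display_number=secrets.randbelow(100),  # 0..99, like a two-digit prompt
            created_at=time.time() if now is None else now,
        )
        self._pending[challenge.challenge_id] = challenge
        return challenge.challenge_id, challenge.display_number

    def approve(self, challenge_id: str, entered_number: Optional[int],
                now: Optional[float] = None) -> bool:
        """User tapped Approve and typed a number.

        True only for a live, unresolved challenge whose number matches.
        A blind tap (entered_number=None) or a wrong guess is rejected, and in this
        model the challenge is consumed either way so it cannot be retried.
        """
        now = time.time() if now is None else now
        challenge = self._pending.pop(challenge_id, None)
        if challenge is None or challenge.resolved:
            return False
        challenge.resolved = True
        if now - challenge.created_at > self.TTL_SECONDS:
            return False
        if entered_number is None or entered_number != challenge.display_number:
            return False
        challenge.approved = True
        return True

    def deny(self, challenge_id: str) -> None:
        """User tapped Deny: drop the challenge so it can never be approved later."""
        self._pending.pop(challenge_id, None)


if __name__ == "__main__":
    mfa = NumberMatchingMfa()
    cid, shown = mfa.start_sign_in()
    print("blind tap on Approve accepted?", mfa.approve(cid, None))
    cid, shown = mfa.start_sign_in()
    print("approve with the number from the page accepted?", mfa.approve(cid, shown))
```

The defender-relevant point is in `approve`: the only way to produce the right number is to be looking at the sign-in page that generated the push, so a user who did not start the sign-in has nothing to type and the prompt fails closed.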

Recent reports suggest a surge in such attacks, likely driven by credential stuffing, in which attackers take large numbers of Microsoft credentials from leaked databases and launch automated fatigue attacks against the accounts that still work.
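Automated fatigue campaigns leave a distinctive trace in sign-in telemetry: many push prompts to one account in a short window, most of them denied or unanswered, sometimes followed by an approval. The detector below is an added example, not from the article; it runs over constructed log lines in an assumed `key=value` format (real Microsoft sign-in logs use different field names), and flags accounts whose push count inside a 10-minute sliding window reaches a threshold, noting whether an approval followed earlier denials.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed line format for this example; not the real Microsoft sign-in log schema.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)
WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5  # pushes within WINDOW that count as suspicious (assumed)

# Constructed sample: alice receives six prompts in under four minutes, denies
# five, then approves the sixth; bob has one normal sign-in. One line is malformed.
SAMPLE_LOG = [
    "2024-05-03T08:12:01Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:12:20Z account=alice@example.com event=mfa_push_denied ip=203.0.113.9",
    "2024-05-03T08:12:45Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:13:02Z account=alice@example.com event=mfa_push_denied ip=203.0.113.9",
    "2024-05-03T08:13:30Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:13:50Z account=alice@example.com event=mfa_push_denied ip=203.0.113.9",
    "2024-05-03T08:14:10Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:14:31Z account=alice@example.com event=mfa_push_denied ip=203.0.113.9",
    "2024-05-03T08:15:00Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:15:25Z account=alice@example.com event=mfa_push_denied ip=203.0.113.9",
    "2024-05-03T08:15:40Z account=alice@example.com event=mfa_push_sent ip=203.0.113.9",
    "2024-05-03T08:16:05Z account=alice@example.com event=mfa_push_approved ip=203.0.113.9",
    "this line is not a sign-in record",
    "2024-05-03T09:00:00Z account=bob@example.com event=mfa_push_sent ip=198.51.100.4",
    "2024-05-03T09:00:15Z account=bob@example.com event=mfa_push_approved ip=198.51.100.4",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; returns None for lines that do not match the format."""
    m = LOG_PATTERN.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "account": m["account"], "event": m["event"], "ip": m["ip"]}


def detect_fatigue(lines: Iterable[str], window: timedelta = WINDOW,
                   threshold: int = PUSH_THRESHOLD) -> Dict[str, dict]:
    """Return {account: finding} for accounts with a burst of push prompts."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_account[rec["account"]].append(rec)

    findings: Dict[str, dict] = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        pushes = [e for e in events if e["event"] == "mfa_push_sent"]
        # Sliding window: largest number of pushes that fall inside any `window`.
        peak, start = 0, 0
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        denied_so_far, approved_after_denials = 0, False
        for e in events:
            if e["event"] == "mfa_push_denied":
                denied_so_far += 1
            elif e["event"] == "mfa_push_approved" and denied_so_far > 0:
                approved_after_denials = True  # likely the user gave in
        findings[account] = {
            "peak_pushes": peak,
            "denied": denied_so_far,
            "approved_after_denials": approved_after_denials,
            "source_ips": sorted({e["ip"] for e in pushes}),
        }
    return findings


if __name__ == "__main__":
    for account, finding in detect_fatigue(SAMPLE_LOG).items():
        print(account, finding)
```

An approval after a run of denials is the highest-priority finding: it means a valid password is in the attacker's hands and the second factor was just bypassed, so the response is the password change and authenticator switch the article recommends, plus session revocation.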

Recommended defenses include immediately changing the compromised account password to a unique, high‑entropy password generated by a password manager.

Microsoft accounts now support Passkeys; users can delete the password entirely and rely on a Passkey for authentication.

If using Microsoft Authenticator, consider disabling it and switching to a code-only six-digit authenticator (e.g., Google Authenticator) that generates time-based one-time passwords locally and sends no push notifications; with no prompt to trigger, attackers have nothing to exploit through repeated sign-in attempts.

Another effective measure is to change the email address bound to the Microsoft account and deactivate the old address, rendering stolen credentials unusable.

Compromise of a Microsoft account can expose OneDrive files, BitLocker recovery keys, Outlook/Hotmail emails, and other personal data, so users with sensitive information should prioritize securing their accounts.

Tags: Microsoft, Password Management, Account Security, Two-Factor Authentication, Passkey, Credential Stuffing, Fatigue Attack
Written by

IT Services Circle

Delivering cutting-edge internet insights and practical learning resources. We're a passionate and principled IT media platform.
