Is the Microsoft "Your single-use code" email a scam?

It looks like many people are suddenly getting flooded with Microsoft passwordless sign-in emails containing legitimate verification codes. The emails are real, but you definitely did not request them.

According to cybersecurity researchers, threat actors are carrying out a massive account enumeration attack. They are using leaked email databases to blast out these requests at scale. The goal is to figure out which email addresses are actually linked to active Microsoft accounts.

The panic started brewing over the weekend. A user on the r/GMail subreddit asked if the sudden influx was something to worry about. A commenter said the email is technically authentic, but the login attempt is entirely malicious.

It is starting to look like a coordinated effort. A separate thread on r/cybersecurity dug into the mechanics of the attack. The OP mentioned that attackers are just entering addresses into the login portal to trigger the code. If Microsoft sends the email, the attackers know the account exists.

This sets the stage for credential stuffing or targeted phishing down the line. We saw a similar probing tactic recently with the PayPal 1 HUF payment scam. Bad actors wanted to test the waters before diving in.

A threat intelligence analyst weighing in on another Reddit thread noted the attackers do not actually have your password. They are just abusing the official Microsoft recovery system. They are hoping you get confused and approve a prompt, or fall for a follow-up phishing text claiming your account is compromised. So basically, it relies on human error.

So, what should you do? Ignore the unexpected code.

Do not click anything in follow-up messages. If you are still using a basic password, change it. Turn on two-factor authentication if you have somehow avoided doing so. The barrage of emails is highly annoying. For now, your account remains safe as long as you keep those verification codes to yourself.

Featured image generated with AI

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.