Microsoft Authenticator spam notifications won't stop? Here's what actually fixed it

For months I was getting hammered with Microsoft Authenticator login prompts. Not one or two, but easily ten or more a day, always from places like Germany or the Netherlands, always labeled "Windows," and always at random times. At first it felt a bit concerning, then it just became incredibly annoying because I had to keep tapping Deny over and over again like some kind of human firewall.
My first assumption: compromised password
Naturally, I assumed the obvious: someone must have my password. So I changed it to something strong and completely new, logged out of all sessions, checked account activity, and generally did everything you're supposed to do when you think your account might be compromised. Everything looked clean, but the prompts kept coming as if nothing had changed.
Why password resets don't stop this attack
That's when it became clear that this wasn't a typical "someone got your password" situation. They don't actually need your password for this. All they need is your email address, and if that email is public (which mine is), they can keep triggering login attempts that push notifications to your Authenticator app. The whole idea is simple: spam enough requests and hope you eventually approve one by mistake, whether out of distraction or frustration.
Things I tried that didn't work
I went through all the usual fixes people suggest. I verified passwordless login was off. I removed and re-added Authenticator. I logged out of every session again just to be sure. I checked the sign-in logs, which turned out to be mostly useless because they only showed my successful logins and none of the garbage attempts coming from abroad. Nothing made a difference. The system was technically secure, but I was still being spammed constantly.
The fix that actually worked
What finally fixed it had nothing to do with passwords or Authenticator itself. I went into account settings, added a new email alias that nobody knows, made it the primary login, and removed (or at least disabled) my old email as a sign-in option.
The effect was immediate. The prompts stopped completely. No gradual decrease, no delay, just silence.
Why this works (and why the fix is so hidden)
The reason is pretty simple in hindsight. All those attempts were targeting my old, public email address. Once that email stopped being a valid login identifier, the attacker was effectively knocking on a door that no longer existed. The authentication process never even started, so there was nothing left to trigger on my phone.
Looking back, everything I tried before was focused on strengthening authentication, but the real problem was the entry point itself. As long as your public email is a valid login, someone can keep poking at it and triggering prompts, regardless of how strong your password is or whether passwordless is enabled.
Takeaway
So if you're dealing with the same thing, don't waste time cycling through password changes and app resets. The only thing that actually stopped it for me was changing the login alias to something private and removing the old one from sign-in. It's a small change, but it completely cuts off the attack vector.
It's also a bit frustrating that the system works this way, because instead of blocking the attacker upstream, it basically offloads the problem onto you and expects you to keep denying requests. But once you understand what's really being targeted, the fix becomes obvious — and thankfully, it works instantly.