A new trend is emerging in the cybersecurity landscape that’s catching even tech-savvy users off guard. Microsoft now allows users to sign into their accounts using only a phone number and an SMS verification code. No username or password is required.

While this feature may seem convenient, it introduces serious security risks that threat actors are already exploiting.

What’s the Risk with SMS Sign-ins?

Cybercriminals are leveraging this sign-in method to bypass traditional detection methods. Since the login doesn’t require a username or password, it often fails to generate the usual authentication logs. That means security systems and even IT teams may not recognize that anything suspicious is happening. All the victim sees is an unexpected MFA (multi-factor authentication) prompt, which they may mistakenly approve.

What You Should Watch For

If you receive an unsolicited MFA prompt, especially one tied to SMS verification, it could be a sign that someone is trying to access your account. These prompts often appear legitimate, but approving one without expecting it can hand over access to your sensitive information.

Best Practices to Protect Yourself and Your Organization

  • Ensure Multi-Factor Authentication (MFA) is enabled on your account.
  • Disable phone number-only sign-in for Microsoft accounts unless absolutely necessary. Consult your IT administrator or provider to review your authentication policies.
  • Use stronger MFA methods, such as authenticator apps or hardware tokens, which are more resistant to phishing and spoofing. Microsoft Authenticator offers a feature called number matching, which requires the user to type the number shown on the sign-in screen into the app before a prompt is approved, making the app even stronger.
  • Enable logging and alerts for all authentication attempts, including SMS sign-ins. If you’re unsure how, your IT partner can help configure your environment for better visibility.
  • Educate your team about MFA fatigue attacks. These attacks involve repeated prompts that aim to trick users into clicking “Approve” out of habit or frustration.
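To show what "logging and alerts for all authentication attempts, including SMS sign-ins" and "MFA fatigue" can look like in practice, here is an added example (not GadellNet's or Microsoft's code) that runs two checks over a batch of sign-in events: it lists sign-ins where SMS was the only factor and no password was ever validated, and it flags users who received a burst of MFA prompts inside a short window. The event fields (`user`, `time`, `methods`, `result`), the method names, the sample events, and the three-prompts-in-ten-minutes threshold are all constructed for the example; map them onto the fields your own sign-in log export actually provides.

```python
"""Flag SMS-only sign-ins and MFA prompt bursts in a batch of sign-in events.

Added example for this post, not GadellNet's or Microsoft's code. The event
schema is a constructed stand-in for a sign-in log export: one JSON object per
line with the user, timestamp, the authentication methods that were exercised,
and the outcome. Adapt the field and method names to your own log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real log data). Carol is being hammered with
# push prompts and eventually approves one; Bob and Dave signed in with SMS only.
SAMPLE_LOG = """
{"user": "alice@example.com", "time": "2024-05-01T09:00:00Z", "methods": ["Password", "Mobile app notification"], "result": "success"}
{"user": "bob@example.com",   "time": "2024-05-01T09:05:00Z", "methods": ["Text message"], "result": "success"}
{"user": "carol@example.com", "time": "2024-05-01T09:10:00Z", "methods": ["Password", "Mobile app notification"], "result": "mfa_denied"}
{"user": "carol@example.com", "time": "2024-05-01T09:11:00Z", "methods": ["Password", "Mobile app notification"], "result": "mfa_denied"}
{"user": "carol@example.com", "time": "2024-05-01T09:12:00Z", "methods": ["Password", "Mobile app notification"], "result": "mfa_denied"}
{"user": "carol@example.com", "time": "2024-05-01T09:13:30Z", "methods": ["Password", "Mobile app notification"], "result": "success"}
{"user": "dave@example.com",  "time": "2024-05-01T10:00:00Z", "methods": ["Text message"], "result": "mfa_denied"}
"""

# Method labels and thresholds are assumptions chosen for this example.
SMS_METHOD = "Text message"
PASSWORD_METHOD = "Password"
FATIGUE_THRESHOLD = 3                   # prompts inside the window that trigger an alert
FATIGUE_WINDOW = timedelta(minutes=10)


def parse_events(raw):
    """Parse one JSON object per line, skipping blank lines, and convert timestamps."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def passwordless_sms_signins(events):
    """Events where SMS was used and no password was validated at any point."""
    return [ev for ev in events
            if SMS_METHOD in ev["methods"] and PASSWORD_METHOD not in ev["methods"]]


def mfa_fatigue_candidates(events, threshold=FATIGUE_THRESHOLD, window=FATIGUE_WINDOW):
    """Map user -> largest number of MFA prompts seen inside any `window`, for users
    who hit `threshold`. Approved and denied prompts both count: the burst is the signal."""
    prompts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if any(m != PASSWORD_METHOD for m in ev["methods"]):
            prompts[ev["user"]].append(ev["time"])

    flagged = {}
    for user, times in prompts.items():          # sliding window over sorted times
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def review(raw):
    """Run both checks and return a summary suitable for an alert or daily report."""
    events = parse_events(raw)
    return {
        "sms_only": sorted({ev["user"] for ev in passwordless_sms_signins(events)}),
        "mfa_fatigue": mfa_fatigue_candidates(events),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the constructed sample, the report lists Bob and Dave under `sms_only` and flags Carol with four prompts in under ten minutes; a real deployment would feed the export from your sign-in log source into `review` on a schedule and route both lists to the people who can contact the user and disable the sign-in method.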

What to Do If You Get a Suspicious SMS Sign-in Prompt

  • Do not approve it unless you’re actively logging in.
  • Report it immediately to your IT team or to GadellNet’s support team so we can investigate and take action.
  • Resetting your credentials is always a best practice if you get a suspicious sign-in prompt.

Securing Your Environment

The increased trend in MFA fatigue attacks is an indicator that cybercriminals are persistent and don’t give up easily. When in doubt, always verify the legitimacy of sign-in prompts.

Our cybersecurity team can review your MFA setup and ensure you’re protected against emerging threats.

Check out our related insights on Fake CAPTCHA Prompts, the Web Envy Scam, and Preventing ACH Fraud. If you have questions or concerns about your cybersecurity posture, contact GadellNet today.