Microsoft Confirms New And Widespread 2FA Code Attacks Ongoing

April 9, 2026
Close-up of hand unlocking a smartphone next to a cup of tea on a wooden table, emphasizing technology and security.
Photo by Jakub Zerdzicki on Pexels

What’s happening?

It has been reported that Microsoft has confirmed a new, widespread campaign in which attackers are stealing two‑factor authentication (2FA) codes to break into accounts. The reports surfaced on Reddit’s r/technology and quickly spread across other forums and social media, painting a picture of targeted phishing and social‑engineering attempts that specifically ask victims to hand over one‑time codes. Details remain thin in places, and Microsoft’s public statements appear aimed at calming users while the company investigates.

How are accounts being compromised?

Allegedly, attackers are using a variety of tricks — convincing users to paste codes into malicious sites or intercepting SMS and app‑delivered codes via man‑in‑the‑middle tactics. That’s the sickening part: the layer people rely on as a last line of defense is being stripped away by social craft and technical shortcuts. Is this a failure of users or of the tools? The consensus among security pros is: both. SMS codes are increasingly fragile, and phishing pages that mimic login flows are getting better every month.

What Microsoft and experts are advising

It has been reported that Microsoft is urging users to adopt stronger authentication methods where possible: move to app‑based authenticators, enable passwordless sign‑ins like Windows Hello, or use hardware security keys that implement FIDO2 standards. Security researchers are echoing that advice: treat SMS 2FA as better than nothing, not as silver‑bullet protection. If you’ve received unsolicited prompts for codes — don’t paste them anywhere. Period.
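Why the advice above works is easiest to see in code. The following added example (not from the article or from Microsoft) simulates a look‑alike page relaying a login to the real site: a TOTP code carries nothing that ties it to the site it was typed into, so the relay succeeds, while a FIDO2/WebAuthn‑style assertion includes the origin the browser actually saw, so the real site rejects it. The origin names are constructed, and an HMAC stands in for the authenticator's ECDSA signature to keep the example dependency‑free.

```python
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://login.example"        # constructed: the legitimate sign-in page
PHISH_ORIGIN = "https://login-example.test"  # constructed: look-alike page that relays to the real site

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def server_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)

def relay_totp_through_phish(secret: bytes, t: int) -> bool:
    # The user types the code into the look-alike page; the relay forwards it
    # unchanged to the real site. The code has no notion of where it was typed.
    code_user_typed = totp(secret, t)
    return server_verify_totp(secret, code_user_typed, t)   # True: relay succeeds

def authenticator_sign(key: bytes, challenge: str, origin_seen_by_browser: str):
    """Simplified WebAuthn: the browser records the origin it is really on in
    clientData and the authenticator signs over it (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig

def server_verify_assertion(key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    """The relying party checks challenge, origin and signature; a mismatch on any fails."""
    parsed = json.loads(client_data)
    expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return (parsed["challenge"] == challenge and parsed["origin"] == REAL_ORIGIN
            and hmac.compare_digest(expected, sig))

def legitimate_assertion(key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, REAL_ORIGIN)
    return server_verify_assertion(key, challenge, client_data, sig)   # True

def relay_assertion_through_phish(key: bytes) -> bool:
    challenge = secrets.token_hex(16)   # issued by the real site, forwarded by the relay
    # The user is on the look-alike page, so the browser binds that origin into clientData.
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return server_verify_assertion(key, challenge, client_data, sig)   # False: origin mismatch
```

The same binding is what makes "paste this code" attacks impossible against a security key: there is no user-transcribable code to hand over, and the signed origin cannot be edited without invalidating the signature.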

The human angle

For users, the emotional sting is real. You set up 2FA to sleep easier at night, and then — boom — someone talks you out of a code and your digital life is suddenly footloose. It’s a reminder that security is as much psychology as it is cryptography. Companies and regulators will need to lean harder on stronger, phishing‑resistant options if we want accounts to stay where they belong: with their rightful owners.

Sources: reddit