by fl0ki 853 days ago
Check if you have an old email or phone number tied to the account. Attackers can get Microsoft to send one-time codes to them, no matter what else you have set up on the account. Worse, it seems this feature was added some time ago and every account was automatically opted into it.

I was getting dozens of one-time code emails per day caused by login attempts via what must have been Tor. None of them were successful logins, but it got me worried. They seem to have stopped after I reworked my account's requirements to include OTP, but now every couple of days my Skype app posts an error that it couldn't log in, when it is clearly logged in just fine. Even that OTP can't be a standard one; it has to be Microsoft Authenticator.

Microsoft has been improving in a lot of ways lately but this is not just embarrassingly bad, it's substantially worse than it was a few years ago.