Secure Your Microsoft 365 Account and Keep Hackers at Bay by Doing These 5 Things

If the US government can get hacked, so can you. Here are five things you can do right now to protect your Microsoft account.

Alison DeNisco Rayome Managing Editor

Keep hackers out of your Microsoft 365 account with these tips.

Thomas Trutschel/Getty Images

Late in 2020, news broke that foreign hackers had for months been secretly monitoring the email accounts and communications of US government officials in charge of identifying foreign threats to national security. In the now-infamous SolarWinds hack, the attackers got in through malicious code planted in the SolarWinds Orion software, which helped them break into high-level government officials' Microsoft Office 365 accounts.

As the news broke, Microsoft released guidance on how organizations can bolster their security practices and guard against these attacks, and said that it had not identified any Microsoft product vulnerabilities.

There isn't much you can do about vulnerabilities like what we saw with SolarWinds. But if you get your work or personal email through Outlook on Microsoft 365, there are ways to better secure your individual account and avoid hacks. (If you use Windows 10, there are also several security defaults that you can change to better protect your device -- many of which are also available in Windows 11.) 

Here are five ways to lock down your Microsoft account. 


1. Set up multifactor authentication

Multifactor authentication is the best way to protect yourself from someone stealing your login credentials, according to the US Cybersecurity and Infrastructure Security Agency. Basically, it adds an extra layer of security to your account sign-in -- for example, you enter your password along with a verification code sent to your phone or provided by an authenticator app. 

To set up multifactor authentication (also called two-step verification), go to the security basics page, and sign in with your Microsoft account. Select More security options. Under Two-step verification, choose Set up two-step verification to turn it on and get further instructions. 

To set it up on a work Microsoft 365 account, your administrator will have to enable it. Once that's done, when you sign in with your username and password, you'll be prompted for more information. Click Next.

The default authentication method is to use the free Microsoft Authenticator app, which you can download on your mobile device. This app gives you a unique code to enter that expires after a certain amount of time. 

Or, if you'd rather get a code through SMS message, you can choose "I want to set up a different method." Microsoft will ask for your mobile number, and send you a text with a six-digit code to verify your account. 


2. Protect your password

Never use the same password for multiple accounts. There are lots of great password managers available to help you keep track of all your passwords, including the free LastPass. You should also choose a strong password -- one that avoids using common words and is at least eight characters long. Check out our other recommendations for choosing a strong password here.


Using a password manager is an easy way to make sure your accounts stay safe. 

Angela Lang/CNET

3. Avoid phishing scams

If you get an email about the security of your Microsoft account, it could be a phishing scam -- a type of attack where hackers impersonate a company or someone you know to trick you into revealing personal information like passwords or credit card numbers. These emails often include a link to a malicious website, which you should never click. 

The best way to avoid these emails is to know how to spot them -- they might have misspelled words, be from a slightly misspelled source (like microsoftsupport.ru or micros0ft.com) or include an urgent call to take action or avoid a threat. If anything looks suspicious, just delete it, or report it by forwarding it to the Anti-Phishing Working Group at phishing-report@us-cert.gov. 
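As an added example (not from the CNET article), here is a small Python check that applies the misspelled-sender rule above to a message's From: header. It flags digit-for-letter swaps like micros0ft.com, a brand name buried inside another domain like microsoftsupport.ru, and a display name that claims a Microsoft domain the actual address does not carry. The trusted-domain list and the sample addresses are constructed assumptions for the example.

```python
from email.utils import parseaddr

# Constructed for this example: domains the reader treats as genuinely Microsoft's.
TRUSTED_DOMAINS = ("microsoft.com", "outlook.com", "office.com")

# Digits and symbols attackers swap in because they resemble letters (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a one-letter slip such as 'micosoft' is still caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header value."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower()
    # The exact trusted domain, or a subdomain of it (support.microsoft.com), is fine.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Display-name spoofing: the visible name claims a trusted domain the address lacks.
    if any(t in display_name.lower() for t in TRUSTED_DOMAINS):
        return "lookalike"
    # Check every label except the TLD, so microsoft.com.evil.example and micros0ft.com
    # both trip the check. This is a coarse heuristic meant to prompt a closer look.
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    for label in domain.split(".")[:-1]:
        normalized = label.translate(HOMOGLYPHS)
        for brand in brands:
            if brand in normalized or edit_distance(normalized, brand) <= 1:
                return "lookalike"
    return "unknown"
```

A "lookalike" result is a reason to delete or report the message, not proof on its own; a legitimate partner domain that happens to contain a brand word will also be flagged.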

4. Protect your apps

On your phone or desktop, only install and run apps from legitimate sources, like the app store for your device. If you're using Microsoft 365, using Microsoft apps to access those accounts is the most secure choice, according to the company. You should also make sure all apps as well as your operating system are up to date -- many updates you get are security fixes, so be sure to install them quickly. 

5. Make it easy to recover your account

You can set up your account to make it easy to recover in case all else fails and you do get hacked. To do that, go to the Microsoft security basics page, and add in all the information, like your email address and phone number. Make sure you keep this information up to date to keep your account safer. 

For more, check out our security tips if you're still running Windows 7, how to download Windows 10 free and how to download Windows 11 free.
