Practical Guide to Securing Microsoft Email
Introduction
 

Your email account is more than just a communication tool—it’s the digital key to your personal and professional life. In particular, your Microsoft email security is critical, as it protects access to everything from financial records to calendar events, contacts, and cloud services like OneDrive. This guide walks you through four essential steps to secure your Microsoft email—simple actions that drastically reduce your risk of identity theft, financial loss, and privacy breaches.  

Purpose
 

Your Microsoft email account holds a lot of personal information such as emails, contacts, calendar events, and access to other services like OneDrive. If a threat actor gains unauthorised access to your account, they can steal your private information, impersonate you, and use the account to reset the passwords of, and gain access to, any other accounts that use your email address, such as Booking.com, Agoda, Uber, Facebook, LinkedIn, and bank accounts. This can cause financial and reputational damage. 

Step 1: Update your recovery information

If you forget your password or if someone tries to take over your account, recovery information (like a phone number or alternate email) is essential to help you regain access. Without up-to-date recovery information, you might find it difficult to recover your account. 

Why you need updated recovery details:

        • If you ever get locked out of your account, Microsoft will send a recovery link to your backup email or phone number; this is why keeping it up to date is crucial. 
        • If you change your phone number or email, you’ll need to update this information to prevent being locked out. 
        • If using a phone number, ensure it is with a provider that does proper identity checks before porting your number to a new phone. 
        • If using another email address, ensure it has Multi-Factor Authentication (MFA) in place. 
        • If you have a spare mobile device, you can set up the authenticator app on it as an additional MFA method.


How to update your recovery information:

        • Open your web browser (the app you use to go online, such as Chrome, Safari, or Edge).
        • Type account.microsoft.com/security in the address bar at the top and press Enter.
        • Sign in to your account using your current password.
        • Under Security info, click Update info or Add a phone/email. 
Figure 1: Visit account.microsoft.com/security to update your recovery phone or email

Step 2: Create a Strong Passphrase
 


A strong password is your first line of defence against threat actors. Weak passwords (like “123456” or “emailpassword”) are easily guessed, and they put your account at risk. Strong passwords/phrases are more difficult for threat actors to guess, reducing the chance of unauthorised access.

What makes a strong password?
 
Length: The longer the password, the harder it is to crack. Aim for 12 characters or more. Consider using a memorable phrase such as “NZinv3ntedPavlova!”
 
Variety: Use uppercase & lowercase letters, numbers, and symbols.  
 
Avoid easily guessed info: Do not use your name, birthday, or simple words.
 
How to change your password:
 
        • Open your web browser (the app you use to go online, such as Chrome, Safari, or Edge). 
        • Type account.microsoft.com/security in the address bar at the top and press Enter. 
        • Sign in to your account using your current password. 
        • After signing in, you’ll see an option for Change Password.
        • Microsoft will ask you to enter your current password and then create a new, stronger one.

Figure 2: Sign in, then select ‘Change Password’ to update with a stronger one.
Remember: After changing your password, don’t share it or keep it in a document or note; a secure password safe/vault can be used instead. A strong, unique password is one of the simplest but most powerful ways to protect your account.
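To make the three rules above concrete, here is an added example (not code from this guide or from Microsoft) that checks a candidate passphrase against them: 12 or more characters, all four character classes, and no personal details or simple dictionary words. The owner name, birthday and the tiny word list are constructed sample data; a real check would use a breached-password dictionary.

```python
import re
from datetime import date

# Constructed sample account-holder details (not real data) that a checker should reject.
OWNER_NAME = "Alex Smith"
OWNER_BIRTHDAY = date(1990, 7, 14)
# Tiny constructed stand-in for a breached/common-password dictionary.
COMMON_WORDS = {"password", "123456", "emailpassword", "qwerty", "letmein", "welcome"}
CLASSES = [("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
           ("number", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")]
# Undo common substitutions (p4ssw0rd -> password) before the dictionary check.
LEET = str.maketrans("013457@$!", "oleastasi")

def personal_tokens(name: str, birthday: date) -> set[str]:
    """Fragments of personal info (name parts, birth year, day/month) that must not appear."""
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    tokens |= {str(birthday.year), birthday.strftime("%d%m"), birthday.strftime("%m%d"),
               birthday.strftime("%d%m%Y"), birthday.strftime("%Y%m%d")}
    return tokens

def check_passphrase(pw: str, name: str = OWNER_NAME, birthday: date = OWNER_BIRTHDAY) -> list[str]:
    """Return the rules from the guide that pw fails; an empty list means it passes."""
    failures = []
    if len(pw) < 12:
        failures.append(f"length: {len(pw)} characters, need 12 or more")
    missing = [label for label, pattern in CLASSES if not re.search(pattern, pw)]
    if missing:
        failures.append("variety: missing " + ", ".join(missing))
    low = pw.lower()
    for token in sorted(personal_tokens(name, birthday)):
        if token in low:
            failures.append(f"personal info: contains '{token}'")
    normalised = low.translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in low or word in normalised:
            failures.append(f"common word: contains '{word}'")
    return failures

if __name__ == "__main__":
    for candidate in ["123456", "emailpassword", "Alex1990!!!!", "NZinv3ntedPavlova!"]:
        result = check_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```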
 

Step 3: Turn on Multifactor Authentication (MFA) 

Multifactor Authentication (also called Two-Factor Authentication) adds an extra layer of security to your account. Even if someone manages to guess or steal your password (which often happens when a password is reused on multiple platforms), they will still need access to your phone or other email to log in. This dramatically reduces the risk of your account being compromised.

Why you need MFA:

        • If your password is compromised (through a data breach or phishing), MFA ensures that a hacker cannot easily access your account without the additional verification code. 
        • The second verification step is usually sent to your phone or another email (either by SMS, a special app, or a notification). It is highly recommended to use a special app like Microsoft Authenticator, as another email is subject to the same risk of unauthorised access, and SMS also carries increased risk if your number is known to the threat actor.


How to set up Multifactor Authentication: 

        • Open your web browser (the app you use to go online, such as Chrome, Safari, or Edge). 
        • Type account.microsoft.com/security in the address bar at the top and press Enter. 
        • Sign in to your account using your current password. 
        • Click on “Manage how I sign in”. 
 
Figure 3: Select ‘Manage how I sign in’ to begin setting up multifactor authentication.
        • Turn on MFA by selecting Two-step verification and following the prompts. 

Figure 4: Select ‘Two-step verification’ and follow the prompts to turn on MFA.
        • You will see these two prompts, click Next.
Figure 5: Install the Microsoft Authenticator app on your phone, then click Next to proceed.
Figure 6: Set up your account in the app. Choose ‘Work or school’ if prompted, then click Next.
        • In the Microsoft Authenticator app, tap the QR code icon at the bottom right.

Figure 7: In the Microsoft Authenticator app, tap the QR code icon at the bottom right, then scan the code shown on your screen to link to your account.
        • You will then be prompted to enter a code to confirm the device is synchronized. 

Figure 8: Enter the verification code shown in the Authenticator app to confirm your device is synced.
        • Your MFA device is now ready to use.

Figure 9: Setup complete. Your MFA device is now ready to protect your account.

Remember: After you set up MFA, make sure to store your backup codes somewhere safe. These are codes you can use in case you lose access to your phone or email. This is especially important in areas where phone snatching is a common occurrence. If codes were generated previously but have been lost, there is an option at the bottom of the “Manage how I sign in” page to generate new ones. 

Figure 10: Keep your backup codes safe! They’re your lifeline if your phone is lost or stolen.
 

Step 4: Set Up an Email Alias 

An email alias is like a second email address that you can use to log in to your Microsoft account. By having a different login, even if a threat actor knows the primary email address you use to send and receive emails or sign up for services, that address cannot be used to log in to Microsoft. Only the alias can be used to log in, which provides an extra layer of protection (use the alias only for logging in, so that it stays secret). 

Why you need an alias:

If your main email is leaked or compromised in a data breach, your alias remains secure.

How to set up an email alias: 

        • Open your web browser (the app you use to go online, such as Chrome, Safari, or Edge). 
        • Type account.microsoft.com/profile in the address bar at the top and press Enter. 
        • Sign in to your account using your current password. 
        • Scroll down to Account Info and select Sign-in preferences 
        • Then select Add email
        • You can then enter in a new email address that will be only used for logging into the account.


Figure 11: To add or manage your email aliases, go to Sign-in preferences under Account info  
Figure 12: To add an email alias, click Add email under the Account alias section.
Figure 13: Choose to create a new Outlook address or use an existing email, then click Add alias to link it to your account. You should now see your two email addresses; for the new address, click the Make Primary option. 
        • You can open a private browsing window and attempt to log in to your email account using your new email address. 
        • Next, under Sign-in preferences, click Change the sign-in preferences so the old address cannot be used. Be advised this may cause currently signed-in devices to require you to log in again with the new email address.
        • Unselect your old email address; this means only the new alias can be used to log in. You can still send and receive emails from the old email address. 
 
 
Figure 14: Select which aliases can be used to sign in to your account. For better security, only enable email addresses or phone numbers you actively use.
Conclusion


By following these steps, you’re significantly strengthening the security of your Microsoft account. You’re making it much harder for anyone to access your account without your permission, even if they manage to guess your password. Remember to keep your password safe and strong, avoid reusing it, enable Multifactor/Two-Step verification wherever possible, and regularly check your accounts for suspicious activity.  

Ready to Lock Down Your Microsoft Accounts?
 

Threat actors move fast—and compromised credentials are still one of the top causes of breaches. If you’re not sure whether your organization’s identity security measures are enough, now is the time to act.

At THEOS Cyber, we work closely with Microsoft as a trusted technology partner to help organizations across APAC harden their Microsoft 365 environments, close account takeover gaps, and implement robust identity protection strategies—fast.

    • Book a security readiness check
    • Get tailored guidance on MFA, recovery setup, and email hygiene
    • Empower your team to spot and stop account-based attacks


Contact THEOS Cyber today and let’s secure what matters—with Microsoft technology and THEOS expertise.