Like the title says, yesterday I got an email with a code to access my Microsoft account, and that made me suspicious because I wasn’t trying to log in to my account. When I looked at the login attempts I saw that someone else was trying to access my account, so I changed my password and activated TFA. Thinking of going through and buying a physical key like Yubico to further secure my account. Any tips are appreciated.
What you need to realize is that for Microsoft, these attacks are constant. They deal with them basically 24/7/365. The target might change, but the attacks never stop.
Between Hotmail, Outlook, and Exchange Online (365) they’re handling a large number of attacks per second all the time.
If they started to inform you about it, they would easily triple the emails they’re handling due to all the failure messages.
This is nothing new to them, it’s been going on since long before you noticed. Any MFA will effectively stop any attacker in their tracks. Make sure you have changed your password since you got that code sent to you, since that usually indicates a successful password breach.
YubiKeys are a good idea, but you should always have a backup, so if you can afford it, buy two. One to carry, one to use. The downside is that each needs to be enrolled separately with each service that they’re used for. It’s not an issue to have multiple keys associated with the account, so that would be my recommendation.
I have a YubiKey for work, and I use TOTP as a backup, and personally, I have a pair of Google Titan security keys. One to carry and one to stay at home.