New
#1
What was the security used? It can be another account thats hacked often they send a message via email so if thats used and they have your email password thaty can chage MS password
I'm curios. Go here and copy your IP address. Now go here and paste your IP address in the search box and see if you have any open ports. If so let me know what router or modem you're using. DO NOT share your IP address.
If Shodan doesn't show anything try here as well.
You can roll 2FA with the free and open source Aegis App for Android. It may be coded for iOS as well. Not sure. For desktop I use the Keepass password manager with the KeepassOTP plug-in. Or if you're not very computer inclined you can use a paid version of Bitwarden which is $10/year. Bitwarden is free as well, but you don't get 2FA.