Microsoft-Rewards-Bot/docs/security.md

🔒 Security Guide

Protect your accounts and handle security incidents

---

⚠️ Important Disclaimer

Using automation violates Microsoft's Terms of Service.

Your accounts may be banned. Use at your own risk.

---

🛡️ Best Practices

✅ DO

• Enable humanization — Natural behavior reduces detection
• Use 2FA/TOTP — More secure authentication
• Run 1-2x daily max — Don't be greedy
• Test on secondary accounts — Never risk your main account
• Enable vacation mode — Random off days look natural
• Monitor regularly — Check diagnostics and logs

❌ DON'T

• Run on main account — Too risky
• Schedule hourly — Obvious bot pattern
• Ignore warnings — Security alerts matter
• Use shared proxies — Higher detection risk
• Skip humanization — Robotic behavior gets caught

---

🚨 Security Incidents

Recovery Email Mismatch

What: Login shows unfamiliar recovery email (e.g., ko*****@hacker.net)

Action:

1. Stop immediately — Script halts automatically
2. Check Microsoft Account → Security settings
3. Update config if you changed email yourself:

   {
     "recoveryEmail": "ko*****@hacker.net"
   }
   

4. Change password if compromise suspected

---

"We Can't Sign You In" (Blocked)

What: Microsoft blocks login attempt

Action:

1. Wait 24-48 hours — Temporary locks usually lift
2. Complete any challenges — SMS, authenticator, etc.
3. Reduce frequency — Run less often
4. Enable humanization — If not already enabled
5. Check proxy — Ensure consistent IP/location

---

🔐 Account Security

Strong Credentials

{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "strong-unique-password",
      "totp": "JBSWY3DPEHPK3PXP"
    }
  ]
}

• ✅ Unique passwords per account
• ✅ TOTP enabled for all accounts (see below)
• ✅ Strong passwords (16+ characters)
• 🔄 Rotate every 90 days

How to enable TOTP:

• Go to https://account.live.com/proofs/Manage/additional and turn on two-step verification.
• Choose "Set up a different authenticator app", then click "I can't scan the bar code" to reveal the Base32 secret.
• Scan the QR with an authenticator you control (Google Authenticator recommended) and copy the secret into totp.
• Enter the app-generated code once to finish pairing. The same secret powers both your app and the bot.

File Permissions

# Linux/macOS - Restrict access
chmod 600 src/accounts.json

# Windows - Right-click → Properties → Security
# Remove all users except yourself

---

🌐 Network Security

Use Proxies (Optional)

{
  "proxy": {
    "proxyAxios": true,
    "url": "proxy.example.com",
    "port": 8080,
    "username": "user",
    "password": "pass"
  }
}

Benefits:

• IP masking
• Geographic flexibility
• Reduces pattern detection

→ Full Proxy Guide

---

📊 Monitoring

Enable Diagnostics

{
  "diagnostics": {
    "enabled": true,
    "saveScreenshot": true,
    "saveHtml": true
  }
}

→ Diagnostics Guide

Enable Notifications

{
  "conclusionWebhook": {
    "enabled": true,
    "url": "https://discord.com/api/webhooks/..."
  }
}

→ Webhook Setup

---

🛠️ Incident Response

Account Compromised

1. Stop all automation
2. Change password immediately
3. Check sign-in activity in Microsoft Account
4. Enable 2FA if not already
5. Review security info (recovery email, phone)
6. Contact Microsoft if unauthorized access

Temporary Ban

1. Pause automation for 48-72 hours
2. Reduce frequency when resuming
3. Increase delays in humanization
4. Use proxy from your region
5. Monitor closely after resuming

---

🔗 Privacy Tips

• 🔐 Local-only — All data stays on your machine
• 🚫 No telemetry — Script doesn't phone home
• 📁 File security — Restrict permissions
• 🔄 Regular backups — Keep config backups
• 🗑️ Clean logs — Delete old diagnostics

---

📚 Next Steps

Setup humanization?
→ Humanization Guide

Need proxies?
→ Proxy Guide

Want monitoring?
→ Diagnostics

---

← Back to Hub | Config Guide