If you get an email from the Microsoft account team and the sender's email address domain is @accountprotection.microsoft.com, it is safe to trust the message and open it.
Microsoft uses this domain to send email notifications about your Microsoft account. These notifications can include security codes for two-step verification and account update information, such as password changes.
You can check the validity of the email by inspecting the following areas:
Check that the sender's email address contains the domain @accountprotection.microsoft.com. You can also view the email's message headers to be sure the email is from Microsoft.
Check that the account the email refers to belongs to you, and that you requested the code.
Note: If you received a Microsoft verification code that you did not request, it could be because someone is trying to access your account, or because someone accidentally entered the wrong phone/email when trying to sign in. Learn more about unrequested verification codes.
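The message-header check mentioned above can be scripted. The following is an added example, not Microsoft's code: it compares the real From address (not the display name) against the domain and requires a DMARC pass recorded by your own mail server. The server id mx.example.net, the function names and all sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAIN = "accountprotection.microsoft.com"
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: id of your own receiving server

def make(from_hdr, auth_results):
    """Build a constructed sample message (not real mail)."""
    return (f"Authentication-Results: {auth_results}\nFrom: {from_hdr}\n"
            "Subject: Microsoft account security code\n\nbody\n")

GOOD_FROM = "Microsoft account team <sender@accountprotection.microsoft.com>"
GENUINE = make(GOOD_FROM, "mx.example.net; spf=pass; dkim=pass; dmarc=pass")
# The expected domain appears only in the display name; the address differs.
DISPLAY_NAME_ONLY = make(
    '"sender@accountprotection.microsoft.com" <alerts@example.org>',
    "mx.example.net; spf=pass; dkim=pass; dmarc=pass")
# The From line looks right, but the receiving server could not authenticate it.
UNAUTHENTICATED = make(GOOD_FROM, "mx.example.net; spf=fail; dkim=none; dmarc=fail")
# A result header written by some other host says nothing about this delivery.
FOREIGN_RESULT = make(GOOD_FROM, "other.example.org; dmarc=pass")

def check_sender(raw, authserv=TRUSTED_AUTHSERV):
    """Return a list of problems; an empty list means the checks passed."""
    msg = message_from_string(raw)
    problems = []
    # parseaddr separates the display name from the actual address.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != EXPECTED_DOMAIN:
        problems.append(f"From domain is {domain!r}")
    # Only consider Authentication-Results stamped by the trusted server.
    trusted = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";", 1)[0].strip().lower() == authserv]
    if not trusted:
        problems.append(f"no Authentication-Results header from {authserv}")
    else:
        m = re.search(r"\bdmarc=(\w+)", trusted[0])
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            problems.append(f"DMARC result is {verdict!r}")
    return problems

if __name__ == "__main__":
    for name in ("GENUINE", "DISPLAY_NAME_ONLY", "UNAUTHENTICATED", "FOREIGN_RESULT"):
        print(name, check_sender(globals()[name]) or "ok")
```

A DMARC pass means the From domain was authenticated by SPF or DKIM alignment, which is why the domain match alone is not treated as sufficient here.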