Hackers target Microsoft 365 accounts with 81 million login attempts

A massive password-spraying campaign has targeted Microsoft 365 accounts with a staggering 81 million login attempts over just two weeks. The attack, which exploited valid username and password combinations exposed in past breaches, has left at least 78 businesses across 64 organizations compromised. The alarming numbers highlight the importance of robust security measures, particularly when it comes to conditional access policies and multi-factor authentication (MFA).

The attackers used Microsoft’s Azure command-line interface (CLI) to authenticate via the Resource Owner Password Credentials (ROPC) OAuth mechanism. This allowed them to bypass MFA in many environments due to insecure Conditional Access policies. Huntress, a managed cybersecurity company that observed the campaign, noted that many of the compromised businesses had implemented MFA, but it was not configured to cover this specific flow used by the attackers.

The use of ROPC is problematic for several reasons, one being its lack of support for modern authentication flows like MFA or single sign-on (SSO). This means that passwords are sent straight to the /token endpoint without an interactive MFA prompt. Huntress identified several misconfigurations that contributed to the attacks: MFA applied only to specific applications rather than all cloud apps; MFA enforced only for selected user groups; and policies left in report-only mode and never actually enforced.
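The three misconfigurations above can be checked mechanically against a tenant's exported Conditional Access policies. The following is an added example, not code from Huntress or Microsoft: it assumes policies exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects, and the sample policies, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). The app and group IDs are placeholders.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "MFA - one app", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-000000000001"]},
                 "users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA - admins group", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": [], "includeGroups": ["00000000-0000-0000-0000-000000000002"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA - everyone (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")


def requires_mfa(policy):
    """True if the policy's grant controls demand MFA."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def audit_policy(policy):
    """Return which of the three gaps described above apply to an MFA policy."""
    if not requires_mfa(policy):
        return []
    cond = policy.get("conditions") or {}
    gaps = []
    if policy.get("state") == "enabledForReportingButNotEnforced":
        gaps.append("report-only")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        gaps.append("specific-apps-only")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("selected-users-only")
    return gaps


def tenant_has_enforced_mfa_baseline(policies):
    """True if some enabled MFA policy targets all users and all cloud apps.
    Exclusion lists and client-app conditions are not evaluated here."""
    return any(requires_mfa(p) and p.get("state") == "enabled" and not audit_policy(p)
               for p in policies)


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(f"{p['displayName']}: {audit_policy(p) or 'no gap found'}")
    print("enforced all-users/all-apps MFA policy present:",
          tenant_has_enforced_mfa_baseline(SAMPLE_POLICIES))
```

A tenant whose every MFA policy reports a gap has no enforced baseline; a policy that passes should still be reviewed by hand for exclusion lists.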

The researchers also observed a significant increase in password-spraying attacks, with organizations averaging 1,964 failed login attempts per tenant each month. The campaign’s origin is unclear, but Huntress notes that the activity originates from an IPv6 range owned by LSHIY LLC (AS32167). Although the company was notified through its abuse reporting portal, no response has been received.

This attack serves as a stark reminder of the importance of robust security measures and regular testing. Organizations must ensure that their conditional access policies are properly configured to prevent similar attacks in the future. This includes implementing MFA for all cloud apps and user groups, not just administrators or those accessing from untrusted locations. By taking proactive steps to secure their environments, businesses can reduce the risk of falling victim to password-spraying campaigns like this one.

Ultimately, organizations must test every layer of their security infrastructure before attackers do. With many successful attacks going undetected, it’s crucial to regularly assess and improve security measures through breach and attack simulation tests. By doing so, organizations can strengthen their defenses and prevent similar incidents from occurring in the future.


Source: Bleeping Computer — 2026-07-01