Hackers target Microsoft 365 accounts with 81 million login attempts

Jul 01, 2026 - 22:20

An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.

The threat actor tried to authenticate through Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches.

Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.


Once a valid pair was found, the hacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth mechanism, bypassing multi-factor authentication (MFA) in many environments due to insecure Conditional Access policies.

Managed cybersecurity company Huntress observed the campaign targeting its customers between June 12 and 26 and confirmed that the threat actor compromised 78 Microsoft accounts across 64 organizations.

Activity peak on June 22
Source: Huntress

“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress explains.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO.”

“That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.”

Specific misconfigurations highlighted by Huntress include:

  • MFA was applied only to specific applications, not to All Cloud Apps.
  • MFA was enforced only for selected user groups, such as administrators.
  • MFA was required only from untrusted locations, allowing traffic from IPs that appeared to originate from trusted locations.
  • Policies were configured in report-only mode, meaning they were never enforced.

In some of the impacted organizations, the researchers say, there was no MFA policy at all.
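The four misconfigurations above, plus the "no MFA policy at all" case, can be checked mechanically against a tenant's Conditional Access export. The audit below is an added example written for this article, not Huntress's tooling or Microsoft's; the policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy resource, the two sample tenants are constructed, and the group and application ids are placeholders. It goes one step beyond the list in the text by also checking the policy's client app types, since Entra treats the ROPC flow as a "mobile apps and desktop clients" sign-in and a policy that omits that category never evaluates the /token request.

```python
"""Audit Conditional Access policies for the MFA gaps listed above.

The policy dicts mirror the shape of the Microsoft Graph
conditionalAccessPolicy resource (state, conditions.applications,
conditions.users, conditions.locations, conditions.clientAppTypes,
grantControls.builtInControls).  The sample tenants below are constructed
for this example and do not describe any real organisation.
"""
from typing import Dict, List

ALL = "All"
ALL_TRUSTED = "AllTrusted"
REPORT_ONLY = "enabledForReportingButNotEnforced"
# Entra classifies the ROPC flow as a "mobile apps and desktop clients"
# client app type, so a policy that omits it never sees the /token request.
ROPC_CLIENT_TYPE = "mobileAppsAndDesktopClients"


def mfa_findings(policies: List[Dict]) -> List[str]:
    """Return one finding per gap that would let an ROPC logon skip MFA,
    plus a tenant-level finding when no policy enforces MFA everywhere."""
    findings: List[str] = []
    full_coverage = False
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue  # not an MFA policy; nothing to assess
        cond = policy.get("conditions") or {}
        apps = (cond.get("applications") or {}).get("includeApplications") or []
        users = cond.get("users") or {}
        locations = cond.get("locations") or {}
        client_types = cond.get("clientAppTypes") or ["all"]

        problems: List[str] = []
        state = policy.get("state")
        if state == REPORT_ONLY:
            problems.append("report-only mode, so it is never enforced")
        elif state != "enabled":
            problems.append(f"state is {state!r}, not enabled")
        if ALL not in apps:
            problems.append("applied to specific apps rather than All cloud apps")
        if ALL not in (users.get("includeUsers") or []):
            problems.append("enforced only for selected users or groups")
        if ALL_TRUSTED in (locations.get("excludeLocations") or []):
            problems.append("skipped for trusted locations, which source IPs can mimic")
        if "all" not in client_types and ROPC_CLIENT_TYPE not in client_types:
            problems.append("client app types omit mobile/desktop clients, the ROPC category")

        if problems:
            findings.extend(f"{name}: {p}" for p in problems)
        else:
            full_coverage = True

    if not full_coverage:
        findings.append("TENANT: no enforced MFA policy covers all users, all apps and all client types")
    return findings


# Constructed sample: a single policy that covers everything.
GOOD_TENANT = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [ALL]},
            "users": {"includeUsers": [ALL]},
            "clientAppTypes": ["all"],
            "locations": None,
        },
        "grantControls": {"builtInControls": ["mfa"]},
    }
]

# Constructed sample reproducing the misconfigurations listed above.
WEAK_TENANT = [
    {
        "displayName": "MFA for admins",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [ALL]},
            "users": {"includeUsers": [], "includeGroups": ["<admin-group-id>"]},
            "clientAppTypes": ["all"],
            "locations": {"excludeLocations": [ALL_TRUSTED]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA for Exchange Online",
        "state": REPORT_ONLY,
        "conditions": {
            "applications": {"includeApplications": ["<exchange-online-app-id>"]},
            "users": {"includeUsers": [ALL]},
            "clientAppTypes": ["browser"],
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for finding in mfa_findings(WEAK_TENANT):
        print(finding)
```

Feed it the output of a policy export (for instance the JSON returned for each policy by the Graph conditionalAccess endpoint) and treat any finding as a policy to fix before a spray finds a working password; the tenant-level line is the one that matters most, because it means nothing stands between a leaked credential and a token.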

Weaknesses on impacted orgs
Source: Huntress

Overall, Huntress observed a more than 155-fold increase in password-spraying attacks, with organizations now averaging 1,964 failed login attempts per tenant each month.
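A tenant averaging close to two thousand failed logons a month needs detection that looks at the pattern rather than at single events: many distinct accounts failing from one network, over a non-interactive protocol, followed by a success. The script below is an added example for this article, not Huntress's detection logic; it reads sign-in records in the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, authenticationProtocol, status.errorCode), and the log lines, users and addresses are constructed. Error code 50126 is Entra's invalid username or password result; 0 is success.

```python
"""Flag password-spray sources and ROPC logons in a sign-in log export.

Each line is a JSON object carrying the Microsoft Graph signIn fields used
here.  The sample lines are constructed for this example: six different
accounts fail over ROPC from one IPv6 /48, one of them then succeeds, and
two unrelated events show what the rule ignores.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-06-22T03:10:01Z","userPrincipalName":"alice@example.com","ipAddress":"2001:db8:1::a","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:04Z","userPrincipalName":"bob@example.com","ipAddress":"2001:db8:1::b","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:09Z","userPrincipalName":"carol@example.com","ipAddress":"2001:db8:1::c","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:15Z","userPrincipalName":"dave@example.com","ipAddress":"2001:db8:1::d","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:21Z","userPrincipalName":"erin@example.com","ipAddress":"2001:db8:1::e","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:27Z","userPrincipalName":"frank@example.com","ipAddress":"2001:db8:1::f","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:41:52Z","userPrincipalName":"dave@example.com","ipAddress":"2001:db8:1::22","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":0}}
{"createdDateTime":"2026-06-22T03:42:10Z","userPrincipalName":"grace@example.com","ipAddress":"203.0.113.5","appDisplayName":"Office 365","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-06-22T03:50:00Z","userPrincipalName":"henry@example.com","ipAddress":"2001:db8:ffff::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
"""


def source_key(ip: str) -> str:
    """Collapse an address to its /48 (IPv6) or exact host (IPv4) so a
    spray that rotates through one allocation is counted as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = 48 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def spray_alerts(lines: Iterable[str], min_users: int = 5) -> List[Dict]:
    """Return one alert per source that either failed ROPC logons for at
    least `min_users` distinct accounts or obtained any token over ROPC."""
    per_source = defaultdict(lambda: {"failed_users": set(), "ropc_successes": []})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("authenticationProtocol") != "ropc":
            continue  # interactive flows are evaluated for MFA; out of scope here
        bucket = per_source[source_key(event["ipAddress"])]
        if (event.get("status") or {}).get("errorCode") == 0:
            bucket["ropc_successes"].append(event["userPrincipalName"])
        else:
            bucket["failed_users"].add(event["userPrincipalName"])

    alerts: List[Dict] = []
    for source, bucket in sorted(per_source.items()):
        spray = len(bucket["failed_users"]) >= min_users
        if spray or bucket["ropc_successes"]:
            alerts.append({
                "source": source,
                "spray": spray,
                "failed_users": len(bucket["failed_users"]),
                "ropc_successes": bucket["ropc_successes"],
            })
    return alerts


if __name__ == "__main__":
    for alert in spray_alerts(SAMPLE_SIGNINS.splitlines()):
        print(alert)
```

The account that appears in `ropc_successes` for a spray source is the one to treat as compromised: reset the password, revoke its sessions and review what it touched. Any ROPC success at all is worth a ticket, since nothing legitimate in a tenant that expects MFA everywhere should be obtaining tokens that way.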

It is unclear who is behind the latest campaign, but Huntress notes that the activity originates from an IPv6 range owned by LSHIY LLC (AS32167).

The researchers disclosed their findings to LSHIY through the company's abuse reporting portal, but had not received a response by the time their report was published.
