A focused password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week window, according to research published by managed security provider Huntress. The activity, observed between June 12 and 26, resulted in 78 confirmed account compromises across 64 organizations.
How the Attack Worked
The threat actor submitted its guesses as the Azure command-line interface (CLI) client application, using credential pairs harvested from earlier data breaches. Each guess went through the Resource Owner Password Credentials (ROPC) OAuth 2.0 grant, an older, non-interactive flow that Microsoft advises against: the username and password are posted directly to the token endpoint, so a correct pair returns tokens in the same request, with no browser redirect and no interactive multi-factor authentication (MFA) prompt.
Because the grant is non-interactive, it cannot complete an MFA challenge; a ROPC request that falls under a Conditional Access policy requiring MFA is simply rejected. Organizations that had deployed MFA through Conditional Access Policies (CAPs) were therefore protected only for the user, application and location combinations their policies actually covered, and everything outside that scope remained reachable with a password alone. One caveat a defender should know: Conditional Access evaluates ROPC as modern authentication, so a policy that blocks only legacy protocols (the "Other clients" client-app condition) does not stop it.
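To make the mechanism concrete, the following added example (not Huntress's code, and not a tool from the report) builds the ROPC request the way a sprayer does and classifies the token endpoint's reply. The tenant name, client ID, credentials and the three sample responses are placeholders constructed for illustration; nothing is sent over the network. The point it shows is that a tenant enforcing MFA through Conditional Access stops the token but still returns a distinguishable error for a correct password, so the attacker learns which credentials are valid either way.

```python
"""Added example (not Huntress's code): what a ROPC spray request looks like and
what the /token endpoint's answer tells the attacker. Tenant, client_id, credentials
and the sample responses are placeholders; no network call is made."""
from __future__ import annotations

import json
from urllib.parse import urlencode

# Placeholder values (assumptions, not taken from the report).
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # the public client the attacker claims to be
SCOPE = "https://graph.microsoft.com/.default"


def build_ropc_request(username: str, password: str, tenant: str = TENANT,
                       client_id: str = CLIENT_ID, scope: str = SCOPE) -> tuple[str, str]:
    """Return (url, form_body) for a ROPC grant. There is no redirect URI, no PKCE and
    no user interaction: the password goes straight to the token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    })
    return url, body


# Documented Entra ID error codes that a sprayer keys on.
MFA_REQUIRED = ("AADSTS50076", "AADSTS50079")          # MFA, or MFA registration, required
BAD_PASSWORD = ("AADSTS50126",)                        # invalid username or password
LOCKED_OR_DISABLED = ("AADSTS50053", "AADSTS50055", "AADSTS50057")


def classify_token_response(status: int, payload: dict) -> str:
    """Map a /token response to what the attacker learns from it."""
    if status == 200 and "access_token" in payload:
        return "token_issued"                      # valid password and no MFA enforced for this request
    desc = payload.get("error_description", "")
    if any(code in desc for code in MFA_REQUIRED):
        return "valid_password_mfa_blocked"        # MFA stopped the token, but the password is confirmed
    if any(code in desc for code in BAD_PASSWORD):
        return "bad_password"
    if any(code in desc for code in LOCKED_OR_DISABLED):
        return "locked_or_disabled"
    return "other"


def triage_spray(results) -> dict[str, list[str]]:
    """results: iterable of (username, http_status, json_payload). Groups usernames by outcome."""
    out = {k: [] for k in ("token_issued", "valid_password_mfa_blocked",
                           "bad_password", "locked_or_disabled", "other")}
    for user, status, payload in results:
        out[classify_token_response(status, payload)].append(user)
    return out


# Constructed responses shaped like real token-endpoint replies (not captured data).
SAMPLE_RESPONSES = [
    ("alice@contoso.com", 400, {"error": "invalid_grant",
        "error_description": "AADSTS50126: Error validating credentials due to invalid username or password."}),
    ("bob@contoso.com", 400, {"error": "interaction_required",
        "error_description": "AADSTS50076: Due to a configuration change made by your administrator, "
                             "you must use multi-factor authentication to access this resource."}),
    ("carol@contoso.com", 200, {"token_type": "Bearer", "expires_in": 3599,
        "access_token": "placeholder.jwt.value"}),
]

if __name__ == "__main__":
    url, body = build_ropc_request("alice@contoso.com", "Spring2025!")
    print(url)
    print(body)
    print(json.dumps(triage_spray(SAMPLE_RESPONSES), indent=2))
```

The "valid_password_mfa_blocked" bucket is why MFA alone does not end the problem: those accounts have a known-good password and will be revisited through any application, location or user scope the Conditional Access policy leaves open.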
Conditional Access Misconfigurations
Huntress identified several recurring policy gaps in affected tenants:
- MFA applied only to specific applications rather than all cloud apps.
- MFA enforced only for privileged or administrator accounts, not all users.
- MFA required only from untrusted network locations, leaving trusted IP ranges unprotected.
- Conditional Access Policies left in report-only mode, meaning they logged but never enforced controls.
- Some impacted organizations had no MFA policy in place at all.
Scale and Attribution
Beyond this specific campaign, Huntress noted a broader trend: it reports a more than 155-fold increase in password-spraying attacks, with the organizations it monitors averaging roughly 1,964 failed login attempts per tenant each month.
The attack traffic originated from an IPv6 range attributed to LSHIY LLC (AS32167). Huntress disclosed its findings to the provider through its abuse reporting portal but had not received a response before publishing. The identity of the threat actor behind the campaign remains unknown.
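Per-tenant failure counts like the one above are easy to reproduce from Entra ID sign-in logs, and the IPv6 detail matters for how you group them: a sprayer rotating hosts inside one allocation spreads its attempts across many addresses, so bucketing by /64 rather than by exact address is what makes the pattern visible. The following added example (not Huntress's code) runs that detection over constructed sign-in records shaped like the Graph signIn resource; the accounts, addresses and timestamps are made up for illustration, and the thresholds are assumptions to tune per tenant.

```python
"""Added example (not Huntress's code): find password-spray sources in Entra ID
sign-in logs. Records are shaped like the Graph signIn resource (userPrincipalName,
ipAddress, authenticationProtocol, status.errorCode); the events below are constructed."""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Result codes that mean a password was actually tried: success, bad password,
# MFA required / registration required, account locked, password expired, account disabled.
ATTEMPT_CODES = {0, 50126, 50076, 50079, 50053, 50055, 50057}
MFA_BLOCKED = {50076, 50079}


def source_key(ip: str) -> str:
    """Collapse an address to its /64 (IPv6) or /24 (IPv4) so that a sprayer rotating
    hosts inside one allocation still lands in a single bucket."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _code(event: dict) -> int:
    return event["status"]["errorCode"]


def peak_distinct_users(events: list[dict], window: timedelta) -> int:
    """Largest number of distinct accounts tried from one source inside any sliding window.
    Many accounts, few attempts each, is the spray signature (as opposed to brute force)."""
    events = sorted(events, key=_ts)
    live, lo, best = Counter(), 0, 0
    for hi, e in enumerate(events):
        live[e["userPrincipalName"]] += 1
        while _ts(e) - _ts(events[lo]) > window:       # slide the window's left edge forward
            u = events[lo]["userPrincipalName"]
            live[u] -= 1
            if live[u] == 0:
                del live[u]
            lo += 1
        best = max(best, len(live))
    return best


def detect_spray(events, min_users: int = 5, window: timedelta = timedelta(hours=1)) -> dict:
    """Per flagged source prefix: how wide the spray was, which accounts were confirmed
    (MFA blocked the token but the password was right) and which were compromised outright."""
    by_src = defaultdict(list)
    for e in events:
        if _code(e) in ATTEMPT_CODES:
            by_src[source_key(e["ipAddress"])].append(e)
    alerts = {}
    for src, evs in by_src.items():
        peak = peak_distinct_users(evs, window)
        if peak < min_users:                               # thresholds are assumptions; tune per tenant
            continue
        alerts[src] = {
            "peak_distinct_users_in_window": peak,
            "attempts": len(evs),
            "ropc_attempts": sum(1 for e in evs if e.get("authenticationProtocol") == "ropc"),
            "password_confirmed_mfa_blocked": sorted({e["userPrincipalName"] for e in evs if _code(e) in MFA_BLOCKED}),
            "compromised": sorted({e["userPrincipalName"] for e in evs if _code(e) == 0}),
        }
    return alerts


def ev(t, upn, ip, code, proto="ropc", app="Microsoft Azure CLI") -> dict:
    """Build one constructed sign-in record in the shape the functions above expect."""
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample: one /64 sprays six accounts in half a minute; one ordinary user mistypes once.
SAMPLE_SIGNINS = [
    ev("2025-06-14T03:00:05Z", "alice@contoso.com", "2001:db8:1:a::11", 50126),
    ev("2025-06-14T03:00:09Z", "bob@contoso.com",   "2001:db8:1:a::12", 50076),   # right password, MFA stopped the token
    ev("2025-06-14T03:00:14Z", "carol@contoso.com", "2001:db8:1:a::13", 0),       # compromised: no MFA applied to her
    ev("2025-06-14T03:00:20Z", "dan@contoso.com",   "2001:db8:1:a::14", 50126),
    ev("2025-06-14T03:00:27Z", "erin@contoso.com",  "2001:db8:1:a::15", 50126),
    ev("2025-06-14T03:00:33Z", "frank@contoso.com", "2001:db8:1:a::16", 50126),
    ev("2025-06-14T08:15:00Z", "grace@contoso.com", "203.0.113.7", 50126, proto="oAuth2", app="Microsoft Office"),
    ev("2025-06-14T08:15:30Z", "grace@contoso.com", "203.0.113.7", 0,     proto="oAuth2", app="Microsoft Office"),
]

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_SIGNINS).items():
        print(src, info)
```

Two things to act on in the output: the "compromised" list is the incident (revoke sessions, reset the password, review mailbox rules), and the "password_confirmed_mfa_blocked" list is the near miss, since those passwords are known to the attacker and will be retried wherever policy coverage is thinner.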
Recommendations
Security teams should audit Conditional Access Policies to confirm that an enforced MFA requirement covers all cloud applications and all user accounts, not just administrative roles or a handful of apps, and that no policy intended to enforce MFA is still in report-only mode. Blocking or strictly limiting ROPC is a high-priority control: because the grant is non-interactive, it bypasses MFA wherever a policy gap lets it through. Since Conditional Access evaluates ROPC like any other modern-authentication request, the control that actually closes the gap is an enforced policy requiring MFA for all users and all cloud apps, not a policy that only blocks legacy protocols. Entra sign-in logs record the grant used (authenticationProtocol = ropc), which makes any remaining legitimate ROPC use easy to inventory before tightening policy.
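The audit recommended here, and the five policy gaps listed under Conditional Access Misconfigurations above, can be checked mechanically once the policies are exported. The following added example (not Huntress's or Microsoft's code) runs that check over policy objects shaped like the Graph conditionalAccessPolicy resource; the sample tenant, policy names and role ID are constructed for illustration, and the corrected policy at the end shows what a clean result looks like.

```python
"""Added example (not Huntress's or Microsoft's code): audit Conditional Access
policies for the gaps named in the report. Input is a list of policy objects shaped
like the Graph conditionalAccessPolicy resource; the sample tenant is constructed."""
from __future__ import annotations

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only mode


def requires_mfa(policy: dict) -> bool:
    """True if the grant controls demand MFA (built-in control or an authentication strength)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def audit_policy(policy: dict) -> list[tuple[str, str]]:
    """Per-policy findings as (policy name, finding code), one per gap from the report."""
    name = policy.get("displayName", "<unnamed>")
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    users = cond.get("users") or {}
    locs = cond.get("locations") or {}
    out = []
    state = policy.get("state")
    if state == REPORT_ONLY:
        out.append((name, "REPORT_ONLY"))          # decisions are logged, never enforced
    elif state != "enabled":
        out.append((name, "DISABLED"))
    if "All" not in apps:
        out.append((name, "APP_SCOPED"))           # only some cloud apps; ROPC against any other app is not challenged
    if "All" not in (users.get("includeUsers") or []):
        out.append((name, "USER_SCOPED"))          # roles or groups only, e.g. admins but not ordinary users
    inc, exc = locs.get("includeLocations") or [], locs.get("excludeLocations") or []
    if exc or (inc and "All" not in inc):
        out.append((name, "LOCATION_SCOPED"))      # trusted ranges exempt, or limited to named locations
    return out


def audit_tenant(policies: list[dict]) -> list[tuple[str, str]]:
    """Tenant-wide audit: per-policy gaps, plus whether any single enforced MFA policy
    covers every user, every app and every location."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    if not mfa_policies:
        return [("tenant", "NO_MFA_POLICY")]
    findings = []
    for p in mfa_policies:
        findings.extend(audit_policy(p))
    if not any(not audit_policy(p) for p in mfa_policies):
        findings.append(("tenant", "NO_FULL_COVERAGE"))   # no one policy closes all the gaps above
    return findings


def _policy(name, state, apps, users, locations=None, controls=("mfa",)) -> dict:
    """Build a Graph-shaped policy object for the constructed sample tenant."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(apps)},
                           "users": users, "locations": locations},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


# Placeholder object IDs (assumptions, not real directory objects).
ADMIN_ROLE_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ID = "22222222-2222-2222-2222-222222222222"

# Constructed sample tenant reproducing each misconfiguration from the report.
SAMPLE_POLICIES = [
    _policy("MFA for admins", "enabled", ["All"], {"includeUsers": [], "includeRoles": [ADMIN_ROLE_ID]}),
    _policy("MFA for Office 365 only", "enabled", ["Office365"], {"includeUsers": ["All"]}),
    _policy("MFA outside the office", "enabled", ["All"], {"includeUsers": ["All"]},
            {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    _policy("MFA for everyone (pilot)", REPORT_ONLY, ["All"], {"includeUsers": ["All"]}),
]

# The corrected policy: enforced, every user, every cloud app, every location. Excluding a
# break-glass account is standard practice and is deliberately not flagged by the audit.
CORRECTED_POLICY = _policy("Require MFA for all users", "enabled", ["All"],
                           {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]})

if __name__ == "__main__":
    for name, code in audit_tenant(SAMPLE_POLICIES):
        print(f"{code:17} {name}")
    print("corrected tenant findings:", audit_tenant([CORRECTED_POLICY]))
```

Run against a real export (for example the output of a Graph query for conditional access policies saved to JSON) the same functions apply unchanged; a NO_FULL_COVERAGE finding with an otherwise healthy-looking list of policies is exactly the situation the report describes, where MFA exists on paper but every policy leaves a path ROPC can take.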
