- Hackers launched a password-spraying campaign that generated 81 million login attempts against Microsoft 365 accounts and compromised 78 accounts across 64 organizations.
- Attackers got past MFA by using the ROPC authentication flow, which cannot complete an MFA challenge, against tenants whose misconfigured Conditional Access Policies did not require MFA on that path.
- Organizations should require MFA for all users and all cloud apps, enforce their policies rather than leaving them in report-only mode, and block ROPC where possible.
A large password-spraying campaign has hit Microsoft 365 accounts: over 14 days, the attackers made more than 81 million login attempts.
The attackers authenticated through the Azure command-line interface (CLI) using credentials stolen in earlier breaches. Once a credential proved valid, they used the ROPC flow to obtain tokens without ever facing an MFA prompt. That worked because the affected tenants' Conditional Access Policies did not require MFA on the path the attackers used.
Security company Huntress observed the campaign between June 12 and June 26. The intruders gained control of 78 accounts belonging to 64 different organizations. Although many companies had MFA turned on through Conditional Access Policies, their setups failed to secure the particular ROPC path the criminals abused.
ROPC (Resource Owner Password Credentials) sends the username and password directly to the token endpoint. The flow cannot carry out an interactive MFA challenge, so wherever no policy demands MFA for that sign-in, a correct password alone yields a token; that is what makes it such a good target for password attacks. Huntress identified several misconfigurations that let the attacks succeed:
- MFA applied only to specific applications rather than all cloud apps
- MFA enforced only for selected user groups, such as administrators
- MFA required only from trusted locations
- Policies left in report-only mode, which log but never enforce
- In some cases, no MFA policy at all
How the Attack Worked
The attackers used Azure CLI to automate their login attempts. Azure CLI is the tool administrators use to manage cloud resources, virtual machines and databases; because it is scriptable, the attackers could test stolen credentials against many accounts at scale.
The ROPC authentication flow was the weak point. ROPC offers no modern authentication options such as MFA: the client sends the username and password to the token endpoint and receives a token with no further confirmation. When a Conditional Access Policy does require MFA for that user and app, the endpoint refuses the ROPC request, because the flow has no way to satisfy the challenge; when no policy covers that sign-in, the password alone is enough. Organizations that had not closed off the ROPC path with Conditional Access were therefore exposed to exactly this form of access.
Huntress researchers noted that ROPC is problematic because it lacks MFA support. This means attackers can bypass MFA protections when administrators fail to secure this specific authentication path. The campaign demonstrated how even organizations with MFA enabled can remain exposed.
Password spraying tries a small number of common passwords against many accounts. Because each account sees only a few attempts, spread out over time, the activity stays below the lockout thresholds that a brute-force attack on a single account would trip. The method remains effective despite being well known.
Scale of the Attack
The attackers made 81 million login attempts over 14 days. Huntress put that at more than 155 times the normal level of password-spraying activity it observes; on average, each tenant now records roughly 1,964 failed logins per month.
The malicious traffic traced back to an IPv6 block belonging to LSHIY LLC. Huntress reported the activity through LSHIY's abuse portal but had received no response by the time of publication. The attackers remain unidentified.
The volume of attempts shows how large the pool of stolen credentials circulating online has become. Attackers collect passwords from earlier data breaches and replay them against other services, so organizations without strong authentication measures put themselves at risk.
The scale of available stolen credentials is underscored by a recent global breach that exposed 149 million passwords, fueling fears of widespread identity theft.
In total, 78 accounts across 64 organizations were compromised, a significant breach of corporate security. An attacker who gains control of a Microsoft 365 account can read that user's mailbox and reach whatever business data and cloud resources the account is permitted to access.
How to Protect Against These Attacks
Organizations should review all their Conditional Access Policies immediately. Administrators need to ensure MFA applies to all cloud apps, not just selected ones, and that the policies cover every authentication path, ROPC included: a password-only ROPC request is rejected only when a policy requires MFA for that user and app.
Organizations also have to enforce MFA for all user groups, not only administrators. Attackers go after ordinary users precisely because they are often less protected than privileged accounts, so limiting MFA to certain users leaves the organization open to attack.
Tying MFA to location is another weakness. A policy that exempts trusted networks is bypassed by an attacker who has already compromised a system inside one of them, while a policy that applies only at trusted locations never challenges a sign-in arriving from the internet in the first place. Organizations should enforce MFA regardless of the source location.
Policies configured in report-only mode provide no actual protection. These policies only generate logs without blocking attacks. Administrators must ensure that security policies are actively enforced.
Huntress recommends blocking the ROPC authentication flow entirely where possible. This prevents attackers from exploiting this vulnerable authentication method. Organizations should use modern authentication flows that support MFA.
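The review described above can be automated against a policy export. The following is an added example, not Huntress's or Microsoft's code: it audits the JSON that the Microsoft Graph endpoint GET /identity/conditionalAccess/policies returns and reports, for each policy, which of the misconfigurations listed earlier it exhibits, then says whether any policy requires MFA for all users and all cloud apps. The five policies are constructed for the example, the group and app IDs in them are placeholders, and the clientAppTypes check assumes that ROPC sign-ins from a tool like Azure CLI are classed under mobile apps and desktop clients.

```python
"""Audit an Entra ID Conditional Access export for the gaps listed above.

Added example, not Huntress's or Microsoft's code. Input is the Microsoft Graph
conditionalAccessPolicy JSON (the "value" array returned by
GET /identity/conditionalAccess/policies); the sample below is constructed
for the example, and the group and app IDs in it are placeholders.
"""
import json

STATE_ENABLED = "enabled"
STATE_REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed export: four policies that each show one misconfiguration from
# the article, plus one that actually requires MFA everywhere.
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins only", "state": STATE_ENABLED,
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["<admins-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for Exchange Online only", "state": STATE_ENABLED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["<exchange-online-app-id>"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA outside trusted network", "state": STATE_ENABLED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA everywhere (report-only)", "state": STATE_REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA everywhere", "state": STATE_ENABLED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def audit_policy(policy):
    """Return the reasons this policy does not force MFA on every sign-in.

    An empty list means: enforced, MFA granted, all users, all cloud apps,
    every client app type, no location carve-out. Only such a policy makes
    the token endpoint reject a password-only ROPC request for every account.
    """
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}

    state = policy.get("state")
    if state == STATE_REPORT_ONLY:
        findings.append("report-only: the policy logs but never blocks")
    elif state != STATE_ENABLED:
        findings.append(f"state is {state!r}, not enabled")

    # Either the built-in MFA control or an authentication strength counts.
    if "mfa" not in (grant.get("builtInControls") or []) and not grant.get("authenticationStrength"):
        findings.append("grant controls do not require MFA")

    apps = cond.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("scoped to selected cloud apps, not all cloud apps")
    if apps.get("excludeApplications"):
        findings.append(f"apps excluded from MFA: {apps['excludeApplications']}")

    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        findings.append("scoped to selected users, groups or roles, not all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(f"{key} carves accounts out of MFA: {users[key]}")

    locs = cond.get("locations")
    if locs and ("All" not in (locs.get("includeLocations") or []) or locs.get("excludeLocations")):
        findings.append("tied to network location; sign-ins from other locations skip MFA")

    # Assumption: ROPC sign-ins from a scripted client such as Azure CLI are
    # classed as 'Mobile apps and desktop clients'; a browser-only policy misses them.
    client_apps = cond.get("clientAppTypes") or ["all"]
    if "all" not in client_apps and "mobileAppsAndDesktopClients" not in client_apps:
        findings.append("client app types exclude mobile apps and desktop clients")
    return findings


def audit_policies(policies):
    """Audit every policy and say whether at least one closes the gap."""
    report = {p["displayName"]: audit_policy(p) for p in policies}
    return {"policies": report,
            "universal_mfa": any(not f for f in report.values())}


def audit_export(export_json):
    """Same audit over the raw JSON text of a Graph export."""
    return audit_policies(json.loads(export_json)["value"])


if __name__ == "__main__":
    result = audit_policies(SAMPLE_POLICIES)
    for name, findings in result["policies"].items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("tenant has a universal MFA policy:", result["universal_mfa"])
```

Run it against a real export with audit_export(open("policies.json").read()). A tenant passes only when at least one policy comes back with no findings; every other finding names the specific gap to close. Break-glass exclusions show up as findings as well, so review them deliberately rather than letting them pass unnoticed.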
The campaign highlights the importance of monitoring failed login attempts. An increase in failed logins often indicates an ongoing attack. Early detection allows organizations to respond before attackers succeed.
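A minimal version of that monitoring, as an added example not taken from Huntress's write-up: it groups failed sign-ins by source, applies the wide-and-shallow signature described in the password-spraying paragraph earlier (many accounts, a few tries each, rotating addresses inside one IPv6 block), and reports any sprayed account that then signed in successfully. The records and addresses are constructed; the field names follow the Microsoft Graph signIn resource, which is assumed to be the log format in use.

```python
"""Flag password spraying in Entra sign-in logs: one source, many accounts,
few tries each, optionally followed by a success.

Added example, not Huntress's detection logic. Records use the field names of
the Microsoft Graph signIn resource; the events are constructed for the
example (2001:db8::/32 and 192.0.2.0/24 are documentation ranges).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

MIN_DISTINCT_USERS = 10   # accounts one source must touch before we call it a spray
MAX_TRIES_PER_USER = 3    # sprayers stay below lockout thresholds on each account
WINDOW = timedelta(hours=24)
BAD_PASSWORD = 50126      # AADSTS50126: invalid username or password


def source_key(ip_text):
    """Aggregate IPv6 sources by /48 (the campaign rotated inside one block);
    IPv4 stays per address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/48", strict=False))
    return str(ip)


def sample_signins():
    """Constructed sign-in records, not real log data."""
    t0 = datetime(2025, 6, 14, 2, 0, 0)
    events = []
    # Sprayer: 15 accounts, 2 guesses each, rotating addresses inside one /48,
    # all via ROPC from a scripted Azure CLI client.
    for i in range(15):
        for attempt in range(2):
            events.append({
                "createdDateTime": t0 + timedelta(minutes=3 * i + attempt),
                "userPrincipalName": f"user{i:02d}@example.com",
                "ipAddress": f"2001:db8:1:{i % 4}::{attempt + 1}",
                "appDisplayName": "Microsoft Azure CLI",
                "authenticationProtocol": "ropc",
                "errorCode": BAD_PASSWORD,
            })
    # The guess that worked: a successful ROPC sign-in from the same block.
    events.append({
        "createdDateTime": t0 + timedelta(minutes=50),
        "userPrincipalName": "user07@example.com",
        "ipAddress": "2001:db8:1:2::9",
        "appDisplayName": "Microsoft Azure CLI",
        "authenticationProtocol": "ropc",
        "errorCode": 0,
    })
    # Benign noise: one employee mistyping a password three times in a browser.
    for attempt in range(3):
        events.append({
            "createdDateTime": t0 + timedelta(minutes=10 + attempt),
            "userPrincipalName": "alice@example.com",
            "ipAddress": "192.0.2.10",
            "appDisplayName": "Office 365 Exchange Online",
            "authenticationProtocol": "none",
            "errorCode": BAD_PASSWORD,
        })
    return events


def detect_spray(events, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_TRIES_PER_USER, window=WINDOW):
    """Return {source: summary} for sources whose failures look like a spray."""
    by_source = defaultdict(list)
    for e in events:
        by_source[source_key(e["ipAddress"])].append(e)

    alerts = {}
    for src, evs in by_source.items():
        failures = sorted((e for e in evs if e["errorCode"] == BAD_PASSWORD),
                          key=lambda e: e["createdDateTime"])
        if not failures:
            continue
        tries = defaultdict(int)
        for e in failures:
            tries[e["userPrincipalName"]] += 1
        span = failures[-1]["createdDateTime"] - failures[0]["createdDateTime"]
        # Spray signature: wide (many accounts) and shallow (few tries each)
        # inside one window. A single user failing repeatedly is not a spray.
        if span > window or len(tries) < min_users or max(tries.values()) > max_per_user:
            continue
        hits = {e["userPrincipalName"] for e in evs
                if e["errorCode"] == 0 and e["userPrincipalName"] in tries}
        alerts[src] = {
            "distinct_users": len(tries),
            "failed_attempts": len(failures),
            "ropc": any(e["authenticationProtocol"] == "ropc" for e in failures),
            "compromised": sorted(hits),   # sprayed accounts that later succeeded
        }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_spray(sample_signins()).items():
        print(src, summary)
```

The alice@example.com failures never alert because one account with three tries is the opposite shape of a spray. The "compromised" list is the item to act on first: a success from a source that was just spraying is the account to revoke sessions on and reset, and the "ropc" flag tells you whether the tenant's Conditional Access left that path open.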