81 million login attempts have hit Microsoft 365 accounts as hackers attempt to password-spray to force entry using stolen credentials and OAuth to bypass authentication.

Microsoft 365
(Image credit: Microsoft)

  • Password spray attack successfully breached Microsoft 365 accounts
  • Hackers have abused misconfigured conditional access policies to bypass MFA.
  • Many targeted organizations had not implemented MFA

Hackers used previously leaked credentials to target Microsoft 365 accounts in a password spraying attack that resulted in more than 81 million login attempts over a two-week period.

The attackers then abused poorly implemented conditional access policies by authenticating through the Resource Owner Password Credentials (ROPC) OAuth flow using the Azure command line interface (CLI) client, which let them bypass MFA entirely whenever a sprayed username and password pair turned out to be valid.

Cybersecurity firm Huntress observed the attack campaign as it targeted customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and 26, 2026.

Hackers access 365 accounts without an MFA prompt

The success of the attack ultimately depends on how organizations have implemented conditional access policies related to multi-factor authentication.

“Many compromised companies had implemented multi-factor authentication (MFA) via a conditional access policy (CAP), but the MFA was not configured to cover this specific flow used by the attackers,” Huntress explained, referring to ROPC exploitation.

“ROPC is considered problematic for several reasons, but one of those reasons is that it does not offer support for modern authentication flows like MFA or SSO. This means, as we saw in this campaign, ROPC sends the password directly to the /token endpoint without an interactive MFA prompt.”

Several of the breached organizations did not enforce an MFA policy at all, while others enforced MFA only for specific user groups such as administrators. In other cases a sign-in required MFA only when it came from an untrusted location, so no MFA was enforced when the connection came from a trusted IP address. Some organizations had deployed their MFA policy only in report-only mode, in which Conditional Access evaluates and logs the policy but never enforces it.
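Each of the gaps listed above is visible in the Conditional Access policy object itself. The following audit script is an added example (not code from Huntress, Microsoft or the article): it walks a list of policies in the shape of the Microsoft Graph `conditionalAccessPolicy` resource and reports which of the four conditions (report-only state, scoping to specific users or groups, trusted-location exclusion, client app types that miss non-browser flows) would leave an ROPC token request unchallenged. The sample policies are constructed inline; the group ID in the admins-only policy is a placeholder.

```python
"""Audit Entra ID Conditional Access policies for the MFA gaps named above.

Added example, not code from Huntress or Microsoft. The policy dicts are
constructed here in the shape of the Microsoft Graph conditionalAccessPolicy
resource (state, conditions, grantControls), filling in only the fields the
checks read. Real policies come from
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode


def policy_gaps(policy):
    """Return the reasons this policy fails to enforce MFA everywhere.

    An empty list means the policy requires MFA for all users, all cloud apps,
    all client app types and all locations, and is actually enforced.
    """
    gaps = []
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return ["grant control does not require MFA"]

    state = policy.get("state")
    if state == REPORT_ONLY:
        gaps.append("report-only mode: MFA is evaluated and logged but never enforced")
    elif state != "enabled":
        gaps.append(f"state {state!r}: policy is not enforced")

    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("scoped to specific users or groups (e.g. admins only), not all users")
    apps = cond.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("scoped to specific cloud apps, not all cloud apps")
    if "all" not in (cond.get("clientAppTypes") or []):
        gaps.append("does not cover all client app types; a non-browser ROPC token "
                    "request falls outside a browser-only policy")
    locations = cond.get("locations") or {}
    if "AllTrusted" in (locations.get("excludeLocations") or []):
        gaps.append("trusted locations excluded: a sign-in from a trusted IP gets no MFA prompt")
    return gaps


def audit(policies):
    """Map each policy's displayName to its list of gaps."""
    return {p["displayName"]: policy_gaps(p) for p in policies}


def tenant_enforces_mfa_for_all(policies):
    """True only if at least one policy closes every gap on its own."""
    return any(not policy_gaps(p) for p in policies)


def _policy(name, state="enabled", users=("All",), groups=(), apps=("All",),
            client_types=("all",), exclude_locations=(), controls=("mfa",)):
    # Constructed sample policy in Graph conditionalAccessPolicy shape.
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(users), "includeGroups": list(groups)},
            "applications": {"includeApplications": list(apps)},
            "clientAppTypes": list(client_types),
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


# Constructed samples mirroring the misconfigurations seen in the campaign.
SAMPLE_POLICIES = [
    _policy("MFA for everyone"),
    _policy("MFA report-only", state=REPORT_ONLY),
    _policy("MFA for admins only", users=(), groups=("placeholder-admins-group-id",)),
    _policy("MFA outside office", exclude_locations=("AllTrusted",)),
    _policy("MFA for browser sign-ins only", client_types=("browser",)),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run against a real tenant, feed the `value` array of the Graph response into `audit()`; a tenant is only covered when `tenant_enforces_mfa_for_all()` is true, because two partial policies (say, admins-only plus trusted-location-excluded) still leave a non-admin signing in from a trusted IP with no MFA.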


To protect against attacks of this type, Huntress has recommended the following mitigation measures:

  • Organizations should implement MFA for all users, all cloud applications, and all types of client applications.
  • Use of the Azure CLI client application should be restricted for non-admin users.
  • Detection and response should be keyed on whether sprayed credentials turned out to be valid (a successful or MFA-blocked sign-in for a user), rather than on raw spray volume.
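The last recommendation changes what the SOC alerts on: a burst of failed sign-ins from one IP is context, but the actionable signal is a sprayed password that was accepted. The script below is an added example (not Huntress's or Microsoft's code) that triages sign-in events in the shape of the Microsoft Graph `signIn` resource: it counts spray volume per source IP, then separates users whose password was accepted and who completed a single-factor ROPC sign-in (compromised) from users whose correct password was stopped by an MFA challenge (password known to the attacker, rotate it). The events are constructed inline; the browser app ID in the legitimate sign-in is a placeholder, and the Azure CLI app ID is its well-known public client ID.

```python
"""Triage Entra ID sign-in events by credential validity rather than spray volume.

Added example, not code from Huntress or Microsoft. The events are constructed
inline using field names from the Microsoft Graph signIn resource
(userPrincipalName, ipAddress, appId, authenticationProtocol,
authenticationRequirement, status.errorCode). Error codes used:
0 = success, 50126 = invalid username or password,
50076 = password accepted but MFA was required and not satisfied.
"""
from collections import Counter

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # well-known Azure CLI public client ID
PASSWORD_VALID_CODES = {0, 50076}  # either way, the password the attacker sent was correct


def triage(events):
    """Classify sign-in events.

    Returns a dict with:
      spray_sources: Counter of failed sign-ins per source IP (context, not the alert)
      compromised:   users with a successful single-factor ROPC / Azure CLI sign-in
      password_valid_blocked: users whose password was accepted but MFA stopped the sign-in
    """
    spray_sources = Counter()
    compromised = set()
    blocked = set()
    for ev in events:
        code = ev["status"]["errorCode"]
        user = ev["userPrincipalName"]
        if code == 50126:
            spray_sources[ev["ipAddress"]] += 1
            continue
        if code not in PASSWORD_VALID_CODES:
            continue
        # ROPC is non-interactive; an Azure CLI sign-in that satisfied only a
        # single factor is the exact flow the campaign relied on.
        ropc = ev.get("authenticationProtocol") == "ropc" or ev.get("appId") == AZURE_CLI_APP_ID
        if code == 0:
            if ev.get("authenticationRequirement") == "singleFactorAuthentication" and ropc:
                compromised.add(user)
        else:  # 50076: correct password, MFA challenge not satisfied
            blocked.add(user)
    return {"spray_sources": spray_sources,
            "compromised": compromised,
            "password_valid_blocked": blocked}


def _event(user, code, ip, protocol="ropc", app_id=AZURE_CLI_APP_ID,
           requirement="singleFactorAuthentication"):
    # Constructed sample event in Graph signIn shape.
    return {"userPrincipalName": user, "ipAddress": ip, "appId": app_id,
            "authenticationProtocol": protocol,
            "authenticationRequirement": requirement,
            "status": {"errorCode": code}}


# Constructed sample: one source IP sprays six users and fails, then hits a
# valid password for two more; a third user signs in normally with MFA.
SPRAY_IP = "203.0.113.10"
SAMPLE_EVENTS = [
    _event(f"user{i}@example.com", 50126, SPRAY_IP) for i in range(6)
] + [
    _event("alice@example.com", 0, SPRAY_IP),        # no MFA on the ROPC flow: compromised
    _event("bob@example.com", 50076, SPRAY_IP),      # MFA policy covered the flow: blocked
    _event("carol@example.com", 0, "198.51.100.7",   # normal interactive browser sign-in
           protocol="oAuth2", app_id="placeholder-browser-app-id",
           requirement="multiFactorAuthentication"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("spray volume by IP:", dict(result["spray_sources"]))
    print("compromised (reset password, revoke sessions):", sorted(result["compromised"]))
    print("password known to attacker (rotate):", sorted(result["password_valid_blocked"]))
```

The two non-empty sets are the alert; the spray counter only tells the analyst where the traffic came from. A user in `password_valid_blocked` needs a password reset even though no session was issued, since the attacker now holds a working credential for any flow a future policy gap might expose.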

Via BleepingComputer




Benedict is a senior security editor at TechRadar Pro, where he specializes in covering the intersection of geopolitics, cyber warfare and enterprise security.

Benedict provides in-depth analysis of state-sponsored threat actors, APT groups, and critical national infrastructure protection, his reports bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds a Master's (Distinction) in Security, Intelligence and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), his specialization providing him with a strong academic framework for deconstructing complex international conflicts and intelligence operations, as well as the ability to translate complex security data into actionable insights.
