- Password spray attack successfully breached Microsoft 365 accounts.
- Hackers have abused misconfigured conditional access policies to bypass MFA.
- Many targeted organizations had not implemented MFA.
Hackers used previously leaked credentials to target Microsoft 365 accounts in a password spraying attack that resulted in more than 81 million login attempts over a two-week period.
The attackers then abused poorly implemented conditional access policies around the Resource Owner Password Credentials (ROPC) OAuth flow, using the Azure command line interface (CLI), which let them bypass MFA entirely once a matching username and password had been discovered.
Cybersecurity firm Huntress observed the attack campaign as it targeted customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and 26, 2026.
Hackers access 365 accounts without authentication
The success of the attack ultimately depends on how organizations have implemented conditional access policies related to multi-factor authentication.
“Many compromised companies had implemented multi-factor authentication (MFA) via a conditional access policy (CAP), but the MFA was not configured to cover this specific flow used by the attackers,” Huntress explained, referring to ROPC exploitation.
“ROPC is considered problematic for several reasons, but one of those reasons is that it does not offer support for modern authentication flows like MFA or SSO. This means, as we saw in this campaign, ROPC sends the password directly to the /token endpoint without an interactive MFA prompt.”
Several of the organizations that were breached did not enforce an MFA policy at all, while others enforced MFA only for specific user groups such as administrators. In other cases, a connection attempt required MFA only when the traffic came from an untrusted location, meaning that MFA was not enforced if the connection came from a trusted IP address. Additionally, some organizations had applied MFA only in report-only mode, meaning that the MFA policies were never actually enforced.
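The four gaps described above (no MFA policy, MFA scoped to an admin group, trusted-location exemptions, and report-only policies) can all be checked mechanically against an export of a tenant's conditional access policies. The following audit script is an added example written for this article; it is not Huntress's tooling or Microsoft's code. It assumes the field names of the Microsoft Graph conditional access policy object (`state`, `conditions.users.includeUsers`, `conditions.clientAppTypes`, `conditions.locations.excludeLocations`, `grantControls.builtInControls`), that a ROPC sign-in from the Azure CLI is evaluated as a non-browser client app type, and uses constructed sample policies with a placeholder group id.

```python
"""Audit conditional access policies for the MFA coverage gaps that let ROPC sign-ins through.

Added example, not from the article. Assumes the Microsoft Graph conditionalAccess
policy schema; verify field names against your own tenant export.
"""
from typing import Any

# Constructed sample policies (not real tenant data). "<admins-group-id>" is a placeholder.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {   # gap: MFA only for an admin group, and only for browser sign-ins
        "displayName": "MFA for admins (browser only)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["<admins-group-id>"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser"],
            "locations": None,
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # gap: trusted-location exemption, and the policy is in report-only mode
        "displayName": "MFA outside the office (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # the shape Huntress recommends: all users, all apps, all client types, enforced
        "displayName": "MFA for everyone, every app, every client",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": None,
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def policy_gaps(policy: dict[str, Any]) -> list[str]:
    """Return the reasons this single policy would NOT force MFA on a ROPC sign-in."""
    gaps: list[str] = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    if "mfa" not in grant.get("builtInControls", []):
        gaps.append("does not require MFA")
    if policy.get("state") != "enabled":
        # report-only ("enabledForReportingButNotEnforced") and disabled policies never block
        gaps.append(f"not enforced (state={policy.get('state')})")
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        gaps.append("scoped to specific users/groups, not all users")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        gaps.append("scoped to specific applications, not all cloud apps")
    client_types = cond.get("clientAppTypes", [])
    # Assumption: Azure CLI ROPC sign-ins are evaluated as a non-browser (desktop/mobile) client.
    if "all" not in client_types and "mobileAppsAndDesktopClients" not in client_types:
        gaps.append("client app types do not cover non-browser (ROPC) sign-ins")
    loc = cond.get("locations") or {}
    if loc.get("excludeLocations"):
        # a trusted-IP exemption means a spray routed through that range sees no MFA
        gaps.append(f"exempts locations {loc['excludeLocations']}")
    return gaps


def audit(policies: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each policy name to its list of gaps (empty list = fully covers ROPC)."""
    return {p["displayName"]: policy_gaps(p) for p in policies}


def tenant_covers_ropc(policies: list[dict[str, Any]]) -> bool:
    """True only if at least one enforced policy applies MFA to every user, app and client."""
    return any(not policy_gaps(p) for p in policies)


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
    print("tenant covers ROPC:", tenant_covers_ropc(SAMPLE_POLICIES))
```

The check is deliberately conservative: a tenant passes only if a single enforced policy has no gaps, because two partial policies (say, one for admins and one for untrusted locations) leave exactly the seams the campaign walked through.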
To protect against attacks of this type, Huntress has recommended the following mitigation measures:
- Organizations should implement MFA for all users, all cloud applications, and all types of client applications.
- Use of the Azure CLI application should be restricted for non-admin users.
- The attack response should be based on the validity of credentials, rather than spray volume.
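Huntress's third recommendation, responding on credential validity rather than spray volume, can be turned into triage logic over sign-in logs: the spray itself is only a medium-severity signal, whereas any sign-in from a spraying IP that gets past the password check is the finding that needs immediate action. The script below is an added example, not Huntress's detection or Microsoft's code. It assumes the common Entra ID sign-in log field names (`userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`, `authenticationRequirement`), that the Azure CLI appears as `Microsoft Azure CLI`, and that error code 50126 means a bad password and 0 a success; the log lines are constructed, not real telemetry.

```python
"""Triage sign-in records so that valid credentials outrank spray volume.

Added example, not from the article. Field names follow common Entra ID sign-in
log exports; adjust to your SIEM schema. Sample records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample sign-in log (JSON lines). errorCode 50126 = bad password,
# 0 = success, 50076 = MFA challenge not satisfied (AADSTS codes).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-06-13T02:10:01Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-13T02:10:03Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-13T02:10:05Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-13T02:10:07Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":0},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-13T02:10:09Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":50076},"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-06-13T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0},"authenticationRequirement":"multiFactorAuthentication"}
"""

BAD_PASSWORD = 50126
SUCCESS = 0
SPRAY_MIN_DISTINCT_USERS = 3  # tunable: distinct accounts failing with a bad password from one IP


def parse_signins(raw: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def triage(records: list[dict]) -> dict[str, list[tuple[str, str, str]]]:
    """Return findings keyed by severity as (user, ip, reason) tuples.

    critical: password accepted and no MFA applied (the ROPC outcome in the campaign)
    high:     password accepted but a later control fired, so the credential is still burned
    medium:   the spray itself, reported once per source IP
    """
    bad_pw_users: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == BAD_PASSWORD:
            bad_pw_users[r["ipAddress"]].add(r["userPrincipalName"])
    spraying_ips = {ip for ip, users in bad_pw_users.items() if len(users) >= SPRAY_MIN_DISTINCT_USERS}

    findings: dict[str, list[tuple[str, str, str]]] = {"critical": [], "high": [], "medium": []}
    for r in records:
        ip, upn, code = r["ipAddress"], r["userPrincipalName"], r["status"]["errorCode"]
        if ip not in spraying_ips:
            continue  # normal traffic; volume alone is not the signal we act on
        if code == SUCCESS and r["authenticationRequirement"] == "singleFactorAuthentication":
            findings["critical"].append((upn, ip, f"valid password, no MFA applied via {r['appDisplayName']}"))
        elif code == SUCCESS:
            findings["high"].append((upn, ip, "valid password, MFA satisfied from a spraying IP"))
        elif code != BAD_PASSWORD:
            # any failure other than "bad password" means the guessed password was correct
            findings["high"].append((upn, ip, f"password accepted, stopped at error {code}: reset credential"))
    for ip in sorted(spraying_ips):
        findings["medium"].append(("*", ip, f"spray against {len(bad_pw_users[ip])} accounts"))
    return findings


if __name__ == "__main__":
    for severity, items in triage(parse_signins(SAMPLE_SIGNIN_LOG)).items():
        for user, ip, reason in items:
            print(f"[{severity}] {user} from {ip}: {reason}")
```

Note that erin's record is a failure, yet it is ranked above the spray itself: an MFA challenge is only issued after the password is accepted, so a non-bad-password error from a spraying IP tells the responder which credential to reset, regardless of how many attempts the source made.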
Via BleepingComputer