
Hackers Exploit Microsoft 365 Flaws with 81 Million Login Attempts


“An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.”

81 million login attempts: scope and timeline

Huntress observed an attack surge between June 12 and June 26 that totaled more than 81 million authentication attempts against Microsoft 365 accounts. The researchers confirmed the campaign resulted in the compromise of 78 Microsoft accounts across 64 different organizations. Overall activity reflected a dramatic uptick: Huntress reported a more than 155-fold increase in password-spraying attacks, and organizations are now averaging 1,964 failed login attempts per tenant each month.

Azure CLI authentication attempts and the use of leaked credentials

The threat actor targeted Microsoft’s Azure command-line interface (CLI) to attempt logins, using username and password combinations that remained valid after exposure in prior breaches. Microsoft’s Azure CLI, Huntress noted, is a management tool administrators commonly use to manage virtual machines, deploy applications, manage databases, and automate cloud operations — a set of capabilities that make it an attractive conduit for lateral movement if an account is taken over. Once a valid credential pair was discovered, the attacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth mechanism.

ROPC OAuth flow and how MFA was bypassed

Huntress highlighted ROPC as central to why many of these logins succeeded despite organizations having multi-factor authentication (MFA) in place. “Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” the researchers explained. They added that “ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO.” The report emphasizes that “ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” allowing attackers who supply a valid password to obtain tokens without triggering interactive second-factor verification.
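Because ROPC hands the password straight to the token endpoint, the defender's visibility is in the sign-in logs rather than in an MFA prompt. The following is an added example, not Huntress's tooling or Microsoft's code: it runs over constructed Microsoft Entra ID sign-in log records (using the export's field names: `userPrincipalName`, `appId`, `ipAddress`, `authenticationProtocol`, `status.errorCode`) to find source addresses that failed ROPC password attempts against many distinct accounts and then succeeded against one of them. The Azure CLI app id is the well-known first-party client id and is an assumption to confirm against your own tenant; the addresses and account names are placeholders.

```python
"""Flag ROPC (non-interactive password) sign-ins and password-spray sources
in Microsoft Entra ID sign-in log records.

Added example, not Huntress's tooling. The record shape follows the fields of
an Entra ID sign-in log export (createdDateTime, userPrincipalName, appId,
ipAddress, authenticationProtocol, status.errorCode); the records below are
constructed, and the addresses and account names are placeholders.
"""
from collections import defaultdict

# Well-known first-party app id of the Azure CLI client. Assumption: confirm
# against the appDisplayName column in your own tenant's sign-in logs.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# status.errorCode values: 0 is success, 50126 is "invalid username or password".
ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126


def signin(ts, user, ip, code, protocol="ropc", app_id=AZURE_CLI_APP_ID):
    """Build one constructed sign-in record in the export's shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "appId": app_id,
            "ipAddress": ip, "authenticationProtocol": protocol,
            "status": {"errorCode": code}}


# Constructed sample: 2001:db8::10 sprays four accounts through the ROPC grant
# and lands a valid password for dave; the other entries are ordinary noise.
SAMPLE_SIGNINS = [
    signin("2025-06-13T02:00:01Z", "alice@example.com", "2001:db8::10", ERR_BAD_PASSWORD),
    signin("2025-06-13T02:00:03Z", "bob@example.com",   "2001:db8::10", ERR_BAD_PASSWORD),
    signin("2025-06-13T02:00:05Z", "carol@example.com", "2001:db8::10", ERR_BAD_PASSWORD),
    signin("2025-06-13T02:00:07Z", "dave@example.com",  "2001:db8::10", ERR_BAD_PASSWORD),
    signin("2025-06-13T02:00:09Z", "dave@example.com",  "2001:db8::10", ERR_SUCCESS),
    # interactive browser sign-in, not ROPC, so never counted
    signin("2025-06-13T08:15:00Z", "alice@example.com", "198.51.100.7", ERR_SUCCESS,
           protocol="oAuth2", app_id="<some-web-app-id>"),
    # a single mistyped password from one user is not a spray
    signin("2025-06-13T09:30:00Z", "erin@example.com",  "203.0.113.5", ERR_BAD_PASSWORD),
]


def is_ropc(rec):
    """ROPC sign-ins are tagged explicitly in the authenticationProtocol field."""
    return str(rec.get("authenticationProtocol", "")).lower() == "ropc"


def spray_sources(records, min_users=3):
    """Map each source IP whose ROPC password failures touched at least
    `min_users` distinct accounts to the sorted list of those accounts."""
    failures = defaultdict(set)
    for r in records:
        if is_ropc(r) and r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            failures[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failures.items() if len(users) >= min_users}


def compromised_via_ropc(records, min_users=3):
    """Successful ROPC sign-ins from a spraying source: these accounts need a
    password reset and token revocation, since no MFA prompt was involved."""
    sources = spray_sources(records, min_users)
    return [r for r in records
            if is_ropc(r) and r["status"]["errorCode"] == ERR_SUCCESS
            and r["ipAddress"] in sources]


if __name__ == "__main__":
    for ip, users in spray_sources(SAMPLE_SIGNINS).items():
        print(f"spray source {ip}: {len(users)} accounts targeted")
    for r in compromised_via_ropc(SAMPLE_SIGNINS):
        print(f"ROPC success for {r['userPrincipalName']} from {r['ipAddress']} "
              f"at {r['createdDateTime']}")
```

The threshold of distinct accounts per source, rather than failures per account, is what separates a spray from a user mistyping a password; tune `min_users` to the tenant's size, and treat any success matched by `compromised_via_ropc` as a confirmed credential exposure rather than a suspicion.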

Conditional Access misconfigurations Huntress identified

  • MFA applied only to specific applications, rather than configured for All Cloud Apps.
  • MFA enforced only for selected user groups (for example, administrators) while leaving other accounts unprotected.
  • MFA required only from untrusted locations, permitting traffic that appears to originate from trusted IPs.
  • Policies set in report-only mode, meaning the rules were never enforced.

Huntress also noted that in some impacted organizations there was no MFA policy at all. These specific misconfigurations allowed the ROPC flow to succeed in many environments despite the presence of Conditional Access policies nominally intended to protect accounts.
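Each of the four misconfigurations above is visible in the policy object itself, so it can be checked without waiting for an attacker to find the gap. The block below is an added example, not Huntress's or Microsoft's code: it audits Conditional Access policies in the shape Microsoft Graph returns for a `conditionalAccessPolicy` (`state`, `conditions.applications`, `conditions.users`, `conditions.locations`, `grantControls.builtInControls`) against those four patterns, and shows a corrected policy that passes. The sample policies are constructed; the app and group ids in them are placeholders.

```python
"""Audit Microsoft Entra Conditional Access policies for the MFA-coverage gaps
Huntress lists: MFA scoped to specific apps, to selected users or groups,
exempting trusted locations, or left in report-only mode.

Added example, not Huntress's or Microsoft's code. Policy dicts use the
Microsoft Graph conditionalAccessPolicy field names; the sample policies are
constructed and the app/group ids are placeholders.
"""

# Graph `state` values: "enabled", "disabled", or report-only.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def mfa_policy(name, state="enabled", apps=("All",), users=("All",),
               groups=(), exclude_locations=(), controls=("mfa",)):
    """Build one constructed policy in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": list(apps)},
            "users": {"includeUsers": list(users), "includeGroups": list(groups)},
            "locations": ({"includeLocations": ["All"],
                           "excludeLocations": list(exclude_locations)}
                          if exclude_locations else None),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


# Constructed tenant: one policy per misconfiguration, plus a non-MFA policy.
SAMPLE_POLICIES = [
    mfa_policy("Require MFA - admins only", users=(), groups=("<admins-group-id>",)),
    mfa_policy("MFA for Exchange Online", apps=("<exchange-online-app-id>",)),
    mfa_policy("MFA outside office", exclude_locations=("AllTrusted",)),
    mfa_policy("MFA everywhere (pilot)", state=REPORT_ONLY),
    mfa_policy("Block legacy auth", controls=("block",)),  # not an MFA policy
]

# What a policy that actually covers the ROPC flow looks like: enforced,
# all cloud apps, all users, no trusted-location exemption.
CORRECTED_POLICY = mfa_policy("Require MFA - all apps, all users")


def requires_mfa(policy):
    """Only policies whose grant control is MFA are relevant to this audit."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def audit_policy(policy):
    """Return the list of coverage gaps for one MFA policy; empty means it is
    enforced for all apps, all users and all locations."""
    findings = []
    cond = policy.get("conditions") or {}
    state = policy.get("state")
    if state == REPORT_ONLY:
        findings.append("report-only: never enforced")
    elif state != "enabled":
        findings.append("disabled")
    apps = (cond.get("applications") or {}).get("includeApplications")
    if apps != ["All"]:
        findings.append("scoped to specific apps, not All cloud apps")
    users = (cond.get("users") or {}).get("includeUsers")
    if users != ["All"]:
        findings.append("scoped to selected users/groups")
    if (cond.get("locations") or {}).get("excludeLocations"):
        findings.append("trusted locations exempt from MFA")
    return findings


def audit_tenant(policies):
    """Map each MFA policy's display name to its findings."""
    return {p["displayName"]: audit_policy(p) for p in policies if requires_mfa(p)}


def has_full_mfa_coverage(policies):
    """True when at least one enforced MFA policy has no coverage gap, which
    is the condition under which a password-only ROPC login cannot succeed
    through any of the four gaps listed above."""
    return any(not findings for findings in audit_tenant(policies).values())


if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'OK'}")
    print("full coverage:", has_full_mfa_coverage(SAMPLE_POLICIES))
    print("full coverage with corrected policy:",
          has_full_mfa_coverage(SAMPLE_POLICIES + [CORRECTED_POLICY]))
```

The audit deliberately does not flag `excludeUsers`, since a small break-glass exclusion is normal practice; what it does require is that some single enforced policy covers every app and every user from every location, because a set of narrowly scoped policies can each look reasonable while together leaving the non-interactive flow uncovered.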

Impact on detection, response, and users

Detection gaps magnified the operational impact of the campaign. Huntress reported that security teams log 54% of successful attacks and alert on just 14%, citing a Picus whitepaper referenced in the report; the implication is that a substantial portion of successful intrusions moves through environments without triggering actionable alerts. Huntress also disclosed that the activity was traced to an IPv6 range owned by LSHIY LLC (AS32167); the researchers said they disclosed their findings to LSHIY through the company’s abuse reporting portal but had not received a response by the time their report was published.

How technologists, affected enterprises, and end users are positioned

  • Technologists and security teams will be watching Conditional Access configurations and authentication flows closely: the campaign shows that MFA must be applied to the flows attackers can exploit — not only selected apps or groups. Huntress’s findings point directly to ROPC and Azure CLI authentication as specific flows to monitor or restrict.
  • Affected enterprises and IT leadership will face cleanup and review tasks: Huntress’s confirmed compromises (78 accounts at 64 organizations) underscore the need to inventory exposed credentials, validate Conditional Access coverage, and examine whether policies have been left in report-only mode.
  • End users and administrators should be aware that credential exposure in past breaches can still be weaponized via non-interactive OAuth flows; organizations with no MFA policy or narrowly scoped MFA are at elevated risk according to Huntress’s observations.

The campaign tracked by Huntress ties a brute-force, credential-based approach to a specific, non-interactive OAuth flow and exposes predictable misconfigurations in Conditional Access deployments. Huntress has shared indicators of the activity and reached out to the network owner for explanation, but the record published to date leaves open whether the IPv6 range will be remediated and how many organizations will adjust Conditional Access to cover the ROPC flow that enabled these intrusions.
