Password Spray Attack Hits Microsoft 365 Users, Compromising at Least 78 Accounts After 81 Million Attempts

2 articles · Updated · Computerworld · Jul 3

Summary

  • Huntress said attackers made 81 million login attempts against its Microsoft-linked customers from June 12 to 26 and breached at least 78 accounts, suggesting the wider toll could be higher.
  • The campaign worked by replaying valid credentials through Microsoft’s OAuth Resource Owner Password Credentials (ROPC) flow, which issued user tokens whenever the tenant's MFA policies did not cover the login method the attackers used.
  • MFA gaps included policies limited to specific apps such as Microsoft Admin Portals or to select groups like admins, leaving Azure CLI logins and many non-admin users outside protection.
  • A sudden spike hit on June 22, affecting 30 Huntress customers, and all traffic was traced to one IPv6 range tied to LSHIY LLC, which Huntress said has since cut off the customer involved.
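
A defender-side check in the spirit of the bullets above, added here as an illustration and not code from Huntress, Microsoft or the article: it groups constructed sign-in records by source /64 to surface the spray pattern (many target users, almost all failures from one range) and lists successful single-factor sign-ins through a non-browser client, the kind of token issuance the article attributes to MFA policies that did not cover those logins. Field names, client labels and sample addresses are assumptions, not Entra ID's real sign-in log schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def _make_events():
    """Constructed sign-in records (not real data), one dict per attempt.
    Fields are a simplified stand-in for a sign-in log: user, source IP,
    client app, whether MFA was satisfied, and whether a token was issued."""
    evs = []
    # Spray: 40 users, 3 tries each, all from one documentation /64, 2 successes.
    for i in range(40):
        for j in range(3):
            evs.append({"user": f"user{i}@example.com",
                        "ip": f"2001:db8:ab:1::{i + 1:x}",
                        "client": "Azure CLI", "mfa": False,
                        "ok": (i % 20 == 0 and j == 2)})
    # Ordinary interactive sign-ins with MFA from an unrelated address.
    for i in range(5):
        evs.append({"user": f"user{i}@example.com", "ip": "203.0.113.7",
                    "client": "Browser", "mfa": True, "ok": True})
    return evs


EVENTS = _make_events()


def source_block(ip):
    """Aggregate by /64 for IPv6 and /24 for IPv4 so one range counts as one source."""
    addr = ip_address(ip)
    bits = 64 if addr.version == 6 else 24
    return ip_network(f"{addr}/{bits}", strict=False)


def find_spray_sources(events, min_users=10, max_success_rate=0.1):
    """Source blocks that touched many distinct users with mostly failed attempts."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        b = source_block(e["ip"])
        users[b].add(e["user"])
        attempts[b] += 1
        successes[b] += int(e["ok"])
    return {str(b) for b in attempts
            if len(users[b]) >= min_users
            and successes[b] / attempts[b] <= max_success_rate}


def find_mfa_gaps(events):
    """Users who obtained a token with a single factor via a non-browser client."""
    return sorted({e["user"] for e in events
                   if e["ok"] and not e["mfa"] and e["client"] != "Browser"})


if __name__ == "__main__":
    print("spray sources:", find_spray_sources(EVENTS))
    print("single-factor token holders:", find_mfa_gaps(EVENTS))
```

Real sign-in logs carry richer fields (authentication requirement, client app ID, conditional access result); the same two aggregations apply once those are mapped onto the dict keys used here.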

Insights

If attackers can steal tokens from security portals, is any account truly safe from MFA bypass?
The attack source is now blocked, but who was the actor behind it and where will they strike next?
Why do cloud platforms still enable legacy protocols that easily bypass multi-factor authentication?