An aggressive password-spraying campaign against Microsoft 365 produced more than 81 million login attempts in two weeks and compromised 78 Microsoft accounts across 64 organizations. The attacker used valid credentials exposed in past breaches to abuse Azure CLI and the ROPC flow, bypassing MFA where Conditional Access policies were misconfigured. #Microsoft365 #AzureCLI #ROPC #Huntress #LSHIY
Key points
- The campaign generated over 81 million login attempts in two weeks.
- Attackers used stolen username and password pairs from previous breaches.
- Azure CLI and the ROPC OAuth flow were used to authenticate successfully.
- Huntress confirmed 78 compromised Microsoft accounts across 64 organizations.
- Misconfigured Conditional Access policies allowed MFA to be bypassed in many cases.
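A defender-side triage of Entra ID sign-in records for the pattern in the key points above, as an added example that is not from Huntress or the original page. Field names and error codes follow the Microsoft Graph signIn resource and AADSTS codes; the sample records, the per-IP threshold and the helper names are constructed for illustration.

```python
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI client ID
BAD_PASSWORD = 50126                          # AADSTS50126: invalid username or password
PASSWORD_OK_BLOCKED = {50076, 50079, 53003}   # MFA required / blocked by Conditional Access

def _rec(upn, ip, proto, app_id, code,
         req="singleFactorAuthentication", ca="notApplied"):
    """Build one constructed record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "ipAddress": ip, "authenticationProtocol": proto,
            "appId": app_id, "status": {"errorCode": code},
            "authenticationRequirement": req, "conditionalAccessStatus": ca}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE_SIGNINS = [
    _rec("a@example.com", "203.0.113.10", "ropc", AZURE_CLI_APP_ID, 50126),
    _rec("b@example.com", "203.0.113.10", "ropc", AZURE_CLI_APP_ID, 50126),
    _rec("c@example.com", "203.0.113.10", "ropc", AZURE_CLI_APP_ID, 50126),
    _rec("d@example.com", "203.0.113.10", "ropc", AZURE_CLI_APP_ID, 0),
    _rec("e@example.com", "203.0.113.10", "ropc", AZURE_CLI_APP_ID, 50076,
         "multiFactorAuthentication", "failure"),
    _rec("f@example.com", "198.51.100.7", "oAuth2", AZURE_CLI_APP_ID, 0,
         "multiFactorAuthentication", "success"),
    _rec("g@example.com", "198.51.100.9", "oAuth2",
         "00000000-0000-0000-0000-000000000001", 50126),  # placeholder app ID
]

def triage(events, spray_threshold=3):
    """Return (mfa_gap_successes, exposed_passwords, spray_sources)."""
    gaps, exposed, failed = [], [], defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "ropc" and e.get("appId") != AZURE_CLI_APP_ID:
            continue  # only ROPC or Azure CLI sign-ins are in scope
        upn = e["userPrincipalName"].lower()
        code = e.get("status", {}).get("errorCode")
        if code == 0:
            # Success with a single factor and no CA policy satisfied: the MFA gap.
            if (e.get("authenticationRequirement") == "singleFactorAuthentication"
                    and e.get("conditionalAccessStatus") != "success"):
                gaps.append(upn)
        elif code in PASSWORD_OK_BLOCKED:
            exposed.append(upn)  # password was correct and the control held: reset it
        elif code == BAD_PASSWORD:
            failed[e["ipAddress"]].add(upn)
    # Many distinct users failing from one source is the spraying signature.
    spray = {ip: len(u) for ip, u in failed.items() if len(u) >= spray_threshold}
    return gaps, exposed, spray

if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS))
```

A per-IP threshold is an assumption that suits a small sample; a distributed campaign may need grouping by ASN, user agent or time window instead.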