Microsoft 365: Massive Password-Spray Attack Against Millions of Accounts

The Point: MFA configuration gaps in Microsoft 365 deployments enabled attackers to compromise at least 78 accounts with 81 million login attempts.

Unknown attackers conducted an automated password-spray attack against Microsoft 365 users between June 12 and 26, achieving at least 78 successful account compromises. Security firm Huntress documented 81 million login attempts that originated from a single IPv6 address range of an Internet service provider.

That address range belongs to Internet service provider LSHIY LLC. Huntress observed an uptick in spray activity starting June 12, peaking on June 22, when 30 Huntress customers were affected. The provider subsequently prohibited its customers from using these IP addresses.

The attackers used the OAuth ROPC (Resource Owner Password Credentials) grant to obtain new tokens directly at the /token endpoint with stolen user credentials. In many cases this bypassed the multi-factor authentication (MFA) that was in place, because MFA was not configured for all cloud applications. Typical gaps: MFA was enabled only for specific applications such as Microsoft Admin Portals, but not for Azure CLI logins. In other cases, MFA enforcement applied only to specific user groups such as administrators, while the compromised accounts fell outside these groups.

For CISOs, this represents a critical configuration gap: MFA policies must cover all cloud apps without exception and must not be restricted to individual user groups only. The extent of actual damage across all Microsoft 365 customers remains unknown, as password-spray attacks typically test many accounts indiscriminately.
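One way to check a tenant for the two gaps described above, as an added example that is not from the article or from Huntress: the script reads Conditional Access policies in the shape of Microsoft Graph `conditionalAccessPolicy` objects and lists every MFA policy that is scoped to fewer than all cloud apps or all users. The sample policies, their display names and the `<admin-group-id>` placeholder are constructed, and only the application and user conditions are evaluated.

```python
import json

# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy objects.
# Display names and the group id placeholder are invented for this example.
SAMPLE_POLICIES = json.loads("""
[
 {"displayName": "MFA for admin portals", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["MicrosoftAdminPortals"]},
                 "users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA for administrators", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": [], "includeGroups": ["<admin-group-id>"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]
""")

def mfa_coverage_gaps(policy):
    """Return the gaps of an MFA policy, or None if the policy does not require MFA."""
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        return None
    cond = policy.get("conditions") or {}
    apps, users = cond.get("applications") or {}, cond.get("users") or {}
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("policy is not enforced (state=%s)" % policy.get("state"))
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("applies only to apps %s" % apps.get("includeApplications"))
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("applies only to selected users, groups or roles")
    # Exclusions carve holes even in an All/All policy, so list them for review.
    for scope, key in ((apps, "excludeApplications"), (users, "excludeUsers"),
                       (users, "excludeGroups"), (users, "excludeRoles")):
        if scope.get(key):
            gaps.append("%s is set: %s" % (key, scope[key]))
    return gaps

def audit(policies):
    """Return ({MFA policy name: gaps}, True if some MFA policy has no gaps)."""
    report = {}
    for p in policies:
        gaps = mfa_coverage_gaps(p)
        if gaps is not None:
            report[p["displayName"]] = gaps
    return report, any(not g for g in report.values())
```

With the constructed sample, both MFA policies are reported with a gap and the tenant-wide flag is false, which is the situation the article describes: a sign-in by a non-administrator to an application outside the admin portals matches neither policy.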


Source: www.csoonline.com · Published July 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
