> Back to All Posts

Microsoft 365 Password Spraying Attack Hits 78 Accounts

Microsoft 365 password spraying attack

A large-scale password spraying attack has hit Microsoft 365 accounts across dozens of organizations, generating more than 81 million login attempts in just two weeks. Security researchers at Huntress tracked the campaign between June 12 and June 26, and confirmed that attackers successfully compromised 78 accounts spanning 64 organizations.

What makes this campaign stand out isn’t just its scale. The attackers found a way to slip past multi-factor authentication in environments that technically had it turned on, exposing a gap that many IT teams don’t even know exists.

How the Password Spraying Attack Worked

The attackers relied on credentials leaked in previous data breaches, testing username and password combinations against Microsoft’s Azure command-line interface. Azure CLI gives administrators a way to manage cloud resources, deploy applications, and automate operations, which makes it a valuable target when a working login is found.

Once a valid credential pair surfaced, the attacker moved to authenticate using ROPC, short for Resource Owner Password Credentials. This OAuth mechanism sends a username and password straight to Microsoft’s token endpoint. Because ROPC doesn’t support modern authentication flows like MFA or single sign-on, it created a direct path into accounts that appeared otherwise protected.

This is where the password spraying attack became genuinely dangerous. Organizations believed their Conditional Access Policies covered them, but many of those policies were never built to catch this specific authentication path.

Why MFA Didn’t Stop the Attackers

Huntress identified several recurring misconfigurations across the affected organizations. In many cases, MFA was applied only to specific applications instead of being enforced across all cloud apps. Some policies only required MFA for particular user groups, such as administrators, leaving regular employee accounts wide open.

Other organizations restricted MFA enforcement to logins from untrusted locations, but attackers routed traffic through IP addresses that appeared to originate from trusted networks. A handful of policies were still sitting in report-only mode, meaning they logged suspicious activity without ever blocking it. And in some of the worst cases, there was no MFA policy in place at all.

Each of these gaps looks small on its own. Together, they gave the attackers behind this Microsoft 365 password spraying attack an opening that a properly configured Conditional Access Policy would have closed.

The Scale of the Campaign

The numbers behind this campaign are striking. Huntress recorded a 155-fold increase in password spraying activity compared to previous monitoring periods, with affected organizations now averaging 1,964 failed login attempts per tenant every month.

That kind of volume points to automation rather than manual effort. Attackers can cycle through millions of leaked credential pairs in a short window, betting that a small percentage will still work because employees reuse passwords across services. Even a low success rate produces real results when the attempt count reaches into the tens of millions.

Who Is Behind the Campaign

Attribution remains unclear. Huntress traced the malicious traffic to an IPv6 range owned by LSHIY LLC, registered under autonomous system number AS32167. Researchers reported the activity through the company’s abuse portal, but had not received a response by the time their findings went public.

Without a confirmed threat actor, organizations can’t rely on threat intelligence tied to a specific group. Instead, the priority shifts toward closing the technical gaps that made this campaign possible in the first place.

Protecting Against a Microsoft 365 Password Spraying Attack

IT teams can take a few concrete steps to reduce exposure. Conditional Access Policies should apply to all cloud applications, not just a select few, so no login path gets overlooked. Blocking or restricting legacy authentication protocols like ROPC removes one of the easiest routes attackers have for bypassing MFA entirely.

Report-only policies need regular review, since a policy that only logs activity offers no real protection. Location-based MFA rules also deserve scrutiny, because attackers can spoof or route around geographic restrictions with relative ease.

Finally, password hygiene still matters. Encouraging unique, non-reused passwords and monitoring for credentials that show up in known breach data can prevent attackers from ever finding a working login in the first place.

Final Thoughts

This campaign is a reminder that having MFA enabled doesn’t automatically mean an organization is protected. Gaps in how Conditional Access Policies get configured can leave the door open, even when security teams believe they’ve covered every angle. With password spraying attacks against Microsoft 365 accounts climbing sharply, reviewing authentication policies for outdated protocols like ROPC has become a genuine priority rather than a routine checkup.

Organizations that treat MFA as a single setting rather than a fully configured system are the ones most likely to end up on the wrong side of the next campaign.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.