- Password spraying attack successfully breached Microsoft 365 accounts
- Hackers abused incorrectly configured conditional access policies to bypass MFA
- Many target organizations had not implemented MFA
Hackers used previously leaked credentials to attack Microsoft 365 accounts in a password spraying attack that resulted in more than 81 million login attempts over a two-week period.
Attackers then abused incorrectly implemented conditional access policies by authenticating through the Resource Owner Password Credentials (ROPC) OAuth flow with the Azure Command Line Interface (CLI), which allowed them to bypass multi-factor authentication entirely once a valid username and password pair had been found.
Cybersecurity company Huntress observed the campaign targeting its customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and June 26, 2026.
Hackers access 365 accounts without authentication
Ultimately, the success of the attack came down to how well organizations had implemented conditional access policies related to multi-factor authentication.
“Many of the compromised companies had implemented multi-factor authentication (MFA) through a Conditional Access Policy (CAP), but MFA was not configured to cover this specific flow that the attackers used,” Huntress explained, referring to the ROPC exploitation.
“ROPC is considered problematic for several reasons, but one of them is that it does not offer support for modern authentication flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password directly to the /token endpoint without an interactive MFA message.”
Several of the breached organizations did not enforce any MFA policies, and others enforced MFA only for specific user groups, such as administrators. In other cases, a login attempt required MFA only when the traffic came from an untrusted location, meaning MFA was skipped if the connection came from a trusted IP address. Additionally, some organizations had deployed their MFA policies only in report-only mode, meaning the policies were logged but never actually enforced.
To protect against attacks of this type, Huntress recommended the following mitigations:
- Organizations should implement MFA for all users, all cloud applications, and all types of client applications.
- The Azure CLI app should be restricted so that non-admin users cannot use it.
- Response to the attack should be driven by whether the sprayed credentials were valid (a successful login), rather than by the volume of spraying attempts.
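As an added illustration of the last recommendation (this is example code, not Huntress's or TechRadar's), the Python below triages constructed Entra ID sign-in records: it groups failed logins by source IP to spot spraying, but raises severity only where a correct password actually succeeded through ROPC or the Azure CLI app with no Conditional Access policy enforced. The field names, the CLI app display name and the error codes are assumptions modelled on the Graph sign-in log schema.

```python
from collections import defaultdict

# Assumed display name of the Azure CLI app as it appears in sign-in logs.
ROPC_CLIENTS = {"Microsoft Azure CLI"}
SPRAY_USER_THRESHOLD = 3  # distinct accounts failing from one source IP

def _ev(user, ip, app, proto, ca, code):
    # Build one constructed sign-in record (shape modelled on the Graph signIn resource).
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto, "conditionalAccessStatus": ca,
            "status": {"errorCode": code}}  # 0 = success, 50126 = bad password (assumed)

# Constructed sample: one IP sprays and hits a valid password with CA not applied,
# one IP sprays with no success, one normal interactive sign-in with CA enforced.
SAMPLE_SIGNINS = [
    _ev("alice@example.com", "203.0.113.10", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("bob@example.com",   "203.0.113.10", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("carol@example.com", "203.0.113.10", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("dave@example.com",  "203.0.113.10", "Microsoft Azure CLI", "ropc", "notApplied", 0),
    _ev("erin@example.com",  "198.51.100.7", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("frank@example.com", "198.51.100.7", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("grace@example.com", "198.51.100.7", "Microsoft Azure CLI", "ropc", "notApplied", 50126),
    _ev("heidi@example.com", "192.0.2.55",   "Office 365 Exchange Online", "oAuth2", "success", 0),
]

def analyse_signins(events):
    """Return (spray_sources, validated_hits): IPs that failed against >= threshold
    distinct accounts, and successful ROPC/CLI sign-ins where Conditional Access
    did not enforce a policy, i.e. a correct password got in with no MFA."""
    failed_users, hits = defaultdict(set), []
    for ev in events:
        if ev["status"]["errorCode"] != 0:
            failed_users[ev["ipAddress"]].add(ev["userPrincipalName"])
            continue
        ropc = ev.get("authenticationProtocol") == "ropc" or ev["appDisplayName"] in ROPC_CLIENTS
        if ropc and ev.get("conditionalAccessStatus") != "success":
            hits.append((ev["ipAddress"], ev["userPrincipalName"]))
    spray = {ip: users for ip, users in failed_users.items() if len(users) >= SPRAY_USER_THRESHOLD}
    return spray, hits

def triage(events):
    """Severity per source IP, keyed on credential validity rather than volume:
    any successful no-MFA hit is 'high'; a spray with no success is 'low'."""
    spray, hits = analyse_signins(events)
    severity = {ip: "low" for ip in spray}
    for ip, _user in hits:
        severity[ip] = "high"
    return severity
```

Calling `triage(SAMPLE_SIGNINS)` rates the spraying IP that landed a valid password as high and the noisy-but-unsuccessful one as low; the ordinary MFA-enforced sign-in is not flagged.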
Via BleepingComputer