Campaign Overview
An aggressive and highly targeted password-spray campaign against Microsoft 365 environments generated more than 81 million login attempts over a two-week period spanning June 12–26, 2026, according to threat intelligence firm Huntress. The operation compromised at least 78 accounts across 64 organizations, exploiting a critical gap in how many companies configure multi-factor authentication.
The ROPC Bypass Technique
The attackers specifically chose to authenticate via the Azure CLI using the Resource Owner Password Credentials (ROPC) OAuth flow — a legacy authentication method that sends credentials directly to Microsoft's /token endpoint without triggering interactive authentication flows.
ROPC is the critical weakness here: because it does not support modern authentication mechanisms like MFA, Conditional Access, or SSO, organizations that have deployed MFA through standard browser-based sign-in flows are left exposed if ROPC is not explicitly blocked.
Huntress found that compromised organizations shared one or more of these configuration failures:
- MFA scoped to specific apps rather than all cloud applications
- MFA enforced only for selected user groups, leaving service accounts or legacy users unprotected
- MFA required only from untrusted locations, with no controls on trusted-network logins
- Conditional Access Policies in report-only mode — collecting data but not enforcing blocks
- No MFA policy at all for certain tenants
Attack Scale and Progression
The campaign began with a steady cadence of 2–4 account compromises per day before dramatically escalating on June 22, when attackers breached 30 user identities across 23 businesses in a single day.
Across Huntress's customer base more broadly, the firm observed a 155x increase in credential spray volume over the past six months, with an average of approximately 1,964 failed login attempts per tenant per month and a median of 804. These numbers reflect how automated and industrialized password-spraying has become against cloud identity platforms.
The attack traffic originated from an IPv6 range registered to LSHIY LLC (AS32167), though the ultimate threat actor behind the campaign has not been attributed.
Why This Attack Works at Scale
Microsoft 365 is the dominant enterprise productivity suite globally, making it the highest-value credential target for attackers focused on business email compromise, ransomware initial access, and corporate espionage. ROPC abuse requires no interactive login prompt, generates less noise than browser-based attempts, and can be automated trivially using the Azure CLI or custom scripts with stolen username-password pairs from previous breach databases.
The sourcing of credentials from prior breach dumps means attackers are not guessing passwords — they are testing known valid pairs, dramatically improving success rates even against accounts with complex passwords that have not been rotated since an earlier breach.
Remediation
Security teams should address Microsoft 365 ROPC exposure immediately:
- Block ROPC authentication flows via Conditional Access Policy — require compliant devices and MFA for all OAuth token requests
- Audit CAP scope — ensure all users (including service accounts and guests) and all cloud applications are covered
- Enforce CAP in enabled mode, not report-only
- Enable Microsoft Entra ID Protection to detect sign-in risk and block anomalous authentication in real time
- Review sign-in logs filtered for
clientAppUsed = "Azure CLI"andauthenticationMethod != MFAto identify prior ROPC authentications - Rotate credentials for any account that authenticated via ROPC in the past 90 days