Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Hackers Target Microsoft 365 Accounts with 81 Million Login Attempts
Hackers Target Microsoft 365 Accounts with 81 Million Login Attempts
NEWS

Hackers Target Microsoft 365 Accounts with 81 Million Login Attempts

A two-week password-spray campaign generated over 81 million Microsoft 365 login attempts against 64 organizations, exploiting misconfigured MFA policies...

Dylan H.

News Desk

July 1, 2026
3 min read

Campaign Overview

An aggressive and highly targeted password-spray campaign against Microsoft 365 environments generated more than 81 million login attempts over a two-week period spanning June 12–26, 2026, according to threat intelligence firm Huntress. The operation compromised at least 78 accounts across 64 organizations, exploiting a critical gap in how many companies configure multi-factor authentication.

The ROPC Bypass Technique

The attackers specifically chose to authenticate via the Azure CLI using the Resource Owner Password Credentials (ROPC) OAuth flow — a legacy authentication method that sends credentials directly to Microsoft's /token endpoint without triggering interactive authentication flows.

ROPC is the critical weakness here: because it does not support modern authentication mechanisms like MFA, Conditional Access, or SSO, organizations that have deployed MFA through standard browser-based sign-in flows are left exposed if ROPC is not explicitly blocked.

Huntress found that compromised organizations shared one or more of these configuration failures:

  • MFA scoped to specific apps rather than all cloud applications
  • MFA enforced only for selected user groups, leaving service accounts or legacy users unprotected
  • MFA required only from untrusted locations, with no controls on trusted-network logins
  • Conditional Access Policies in report-only mode — collecting data but not enforcing blocks
  • No MFA policy at all for certain tenants

Attack Scale and Progression

The campaign began with a steady cadence of 2–4 account compromises per day before dramatically escalating on June 22, when attackers breached 30 user identities across 23 businesses in a single day.

Across Huntress's customer base more broadly, the firm observed a 155x increase in credential spray volume over the past six months, with an average of approximately 1,964 failed login attempts per tenant per month and a median of 804. These numbers reflect how automated and industrialized password-spraying has become against cloud identity platforms.

The attack traffic originated from an IPv6 range registered to LSHIY LLC (AS32167), though the ultimate threat actor behind the campaign has not been attributed.

Why This Attack Works at Scale

Microsoft 365 is the dominant enterprise productivity suite globally, making it the highest-value credential target for attackers focused on business email compromise, ransomware initial access, and corporate espionage. ROPC abuse requires no interactive login prompt, generates less noise than browser-based attempts, and can be automated trivially using the Azure CLI or custom scripts with stolen username-password pairs from previous breach databases.

The sourcing of credentials from prior breach dumps means attackers are not guessing passwords — they are testing known valid pairs, dramatically improving success rates even against accounts with complex passwords that have not been rotated since an earlier breach.

Remediation

Security teams should address Microsoft 365 ROPC exposure immediately:

  1. Block ROPC authentication flows via Conditional Access Policy — require compliant devices and MFA for all OAuth token requests
  2. Audit CAP scope — ensure all users (including service accounts and guests) and all cloud applications are covered
  3. Enforce CAP in enabled mode, not report-only
  4. Enable Microsoft Entra ID Protection to detect sign-in risk and block anomalous authentication in real time
  5. Review sign-in logs filtered for clientAppUsed = "Azure CLI" and authenticationMethod != MFA to identify prior ROPC authentications
  6. Rotate credentials for any account that authenticated via ROPC in the past 90 days

References

  • BleepingComputer — Hackers target Microsoft 365 accounts with 81 million login attempts
#Microsoft 365#Password Spray#MFA Bypass#Azure#Credential Attack

Related Articles

Tycoon2FA Hijacks Microsoft 365 Accounts via Device-Code

The Tycoon2FA phishing-as-a-service platform has added device-code phishing to its arsenal and abuses Trustifi click-tracking URLs to bypass Microsoft 365...

5 min read

ConsentFix v3 Automates Azure OAuth Abuse With Mass

A new iteration of the ConsentFix attack toolkit has surfaced on cybercriminal forums, adding automation and scaling capabilities to OAuth consent...

4 min read

ARToken PhaaS Exposes EvilTokens' Microsoft 365 Phishing Toolkit with AI-Powered BEC

Cisco Talos has uncovered ARToken, a Phishing-as-a-Service platform affiliated with EvilTokens that weaponizes Microsoft's OAuth device code flow to...

4 min read
Back to all News