81 million login attempts hit Microsoft 365 accounts as hackers try password-spraying to force entry using stolen credentials and OAuth to bypass authentication
Date:
Thu, 02 Jul 2026 17:05:00 +0000
Description:
The attack abused misconfigured conditional access policies to bypass multi-factor authentication protections.
FULL STORY ======================================================================
- A password-spraying attack successfully breached Microsoft 365 accounts
- The hackers abused improperly configured conditional access policies to bypass MFA
- Many organizations targeted had no MFA implemented
Hackers have used previously leaked credentials to target Microsoft 365 accounts in a password-spraying attack that resulted in over 81 million login attempts during a two-week period.
The attackers then abused improperly implemented Conditional Access policies via the Resource Owner Password Credentials (ROPC) OAuth flow, using the Azure command-line interface (CLI), which allowed them to bypass authentication altogether whenever a matching username and password were discovered. Cybersecurity company Huntress observed the attack campaign as it targeted customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and 26, 2026.
The success of the attack ultimately came down to how well organizations had implemented Conditional Access policies relating to multi-factor authentication.
Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used, Huntress explained, referring to the exploitation of ROPC.
ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.
Several of the organizations that were breached did not enforce an MFA policy at all, with others only applying MFA for specific user groups such as administrators. In other cases, a login attempt only required MFA when the traffic was coming from an untrusted location, meaning that MFA was not enforced if the connection was coming from a trusted IP address.
Additionally, some organizations had only deployed their MFA policies in report-only mode, meaning that the policies were never actually enforced.
To protect against attacks of this kind, Huntress recommended the following mitigations:
- Organizations should implement MFA for All Users, All Cloud Apps, and All Client App types
- The Azure CLI application should be restricted from use by non-admin users
- Response to the attack should be based on credential validity, rather than spray volume
Via BleepingComputer
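The mitigations above, as an added example that is not from the article or from Huntress: a Python audit of Conditional Access policies, using the Microsoft Graph conditionalAccessPolicy field names, that flags each of the gaps the campaign relied on (report-only state, admin-only scope, trusted-location exclusions, client app types that leave the ROPC /token flow uncovered). The sample policies are constructed.

```python
# Added example (not from the article or Huntress): audits Conditional Access
# policies for the MFA gaps described above. Field names follow the Microsoft
# Graph conditionalAccessPolicy resource; the sample policies are constructed.
from typing import Dict, List
REPORT_ONLY = "enabledForReportingButNotEnforced"

def audit_mfa_policy(policy: Dict) -> List[str]:
    """Coverage gaps of one MFA policy; an empty list means the ROPC flow is covered."""
    gaps: List[str] = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if policy.get("state") != "enabled":  # report-only (or disabled) never enforces
        gaps.append("not enforced: state is %s" % policy.get("state"))
    if "All" not in users.get("includeUsers", []):
        gaps.append("scoped to specific users, groups or roles, not All users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        gaps.append("user or group exclusions leave accounts without MFA")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        gaps.append("does not cover All cloud apps")
    if "all" not in cond.get("clientAppTypes", []):
        gaps.append("client app types not 'all': the ROPC /token flow is uncovered")
    if cond.get("locations", {}).get("excludeLocations"):
        gaps.append("trusted-location exclusion: no MFA from excluded IP ranges")
    return gaps

def tenant_mfa_gaps(policies: List[Dict]) -> Dict[str, List[str]]:
    """Audit every policy that grants with MFA; flag the tenant if none is complete."""
    results: Dict[str, List[str]] = {}
    for p in policies:
        if "mfa" in (p.get("grantControls") or {}).get("builtInControls", []):
            results[p["displayName"]] = audit_mfa_policy(p)
    if not any(gaps == [] for gaps in results.values()):
        results["TENANT"] = ["no enforced MFA policy covers All users, apps and client app types"]
    return results

# Constructed samples: the two weak patterns from the article, then a corrected policy.
MFA = {"operator": "OR", "builtInControls": ["mfa"]}
ADMINS_ONLY = {"displayName": "Admins MFA", "state": "enabled", "grantControls": MFA,
    "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                   "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}}
REPORT_ONLY_ALL = {"displayName": "MFA all users (pilot)", "state": REPORT_ONLY,
    "grantControls": MFA, "conditions": {"users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]}}
FIXED = dict(REPORT_ONLY_ALL, displayName="MFA all users", state="enabled")

if __name__ == "__main__":
    for name, gaps in tenant_mfa_gaps([ADMINS_ONLY, REPORT_ONLY_ALL]).items():
        print(name, "->", gaps or "OK")
```

Feeding the output of a real Graph `GET /identity/conditionalAccess/policies` call into `tenant_mfa_gaps` gives the same report for a live tenant.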
======================================================================
Link to news story:
https://www.techradar.com/pro/security/81-million-login-attempts-hit-microsoft-365-accounts-as-hackers-try-password-spraying-to-force-entry-using-stolen-credentials-and-oauth-to-bypass-authentication
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)