Threat Intelligence, Jul 1, 2026

Hackers target Microsoft 365 accounts with 81 million login attempts

Hackers attempted 81 million logins to Microsoft 365 accounts using password spraying.

Summary

A large-scale password-spraying campaign generated over 81 million login attempts against Microsoft 365 accounts in two weeks. Attackers signed in through the Azure CLI client using the ROPC OAuth grant, which skipped MFA wherever Conditional Access policies were misconfigured. Huntress observed the compromise of 78 accounts across 64 organizations, highlighting the need for MFA enforcement that covers all users and all cloud apps.

Full text

By Bill Toulas, July 1, 2026 12:38 PM

An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.

The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches.

Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.

Once a valid pair was found, the hacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth grant, bypassing multi-factor authentication (MFA) in many environments because of insecure Conditional Access policies.

Managed cybersecurity company Huntress observed the campaign targeting its customers between June 12 and 26 and confirmed that the threat actor compromised 78 Microsoft accounts across 64 organizations.

[Figure: Activity peak on June 22. Source: Huntress]

“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress explains.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO.”

“That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.”

Specific misconfigurations highlighted by Huntress include:

- MFA applied only to specific applications, not to All Cloud Apps.
- MFA enforced only for selected user groups, such as administrators.
- MFA required only from untrusted locations, letting through traffic from IPs that appear to originate from trusted locations.
- Policies configured in report-only mode, meaning they were never enforced.

In some of the impacted organizations, the researchers say, there was no MFA policy at all.

[Figure: Weaknesses on impacted orgs. Source: Huntress]

Overall, Huntress observed a more than 155-fold increase in password-spraying attacks, with organizations now averaging 1,964 failed login attempts per tenant each month.

It is unclear who is behind the latest campaign, but Huntress notes that the activity originates from an IPv6 range owned by LSHIY LLC (AS32167). The researchers disclosed their findings to LSHIY through the company's abuse reporting portal, but had not received a response by the time their report was published.
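The policy gaps listed above map directly onto fields of the Conditional Access policy object that Microsoft Graph returns from GET /identity/conditionalAccess/policies (state, conditions.applications, conditions.users, conditions.locations, grantControls). The audit below is an added example written for this page, not code from Huntress or Microsoft. The tenant it checks is constructed, with placeholder group and application IDs in angle brackets, and the finding strings and the "one enforced policy covers all users on all cloud apps" pass criterion are this example's own conventions.

```python
"""Audit Entra ID Conditional Access policies for the gaps that let ROPC sign-ins skip MFA.

Added example for this article, not code from Huntress or Microsoft. Policy dicts
follow the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies;
the samples below are constructed, with placeholder IDs in angle brackets.
"""

# Finding texts mirror the weaknesses Huntress listed, plus the no-policy case.
REPORT_ONLY = "report-only: the policy is never enforced"
NOT_ALL_APPS = "scoped to specific applications, not All cloud apps"
NOT_ALL_USERS = "scoped to selected users or groups, not all users"
TRUSTED_LOC_GAP = "trusted-location exclusion: sign-ins from trusted IPs skip MFA"
NO_MFA_POLICY = "no MFA policy at all"
NO_FULL_COVERAGE = "no enforced MFA policy covers all users and all cloud apps"


def requires_mfa(policy: dict) -> bool:
    """True if the grant controls demand MFA (built-in control or an authentication strength)."""
    grant = policy.get("grantControls") or {}
    controls = {c.lower() for c in grant.get("builtInControls") or []}
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def audit_policy(policy: dict) -> list:
    """Return the gaps in one MFA policy (an empty list means full coverage)."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    users = cond.get("users") or {}
    locs = cond.get("locations") or {}

    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append(REPORT_ONLY)
    elif state != "enabled":
        findings.append(f"state '{state}': the policy is not enforced")
    # A ROPC token request through the Azure CLI is only caught when every cloud app is targeted.
    if "All" not in (apps.get("includeApplications") or []):
        findings.append(NOT_ALL_APPS)
    if "All" not in (users.get("includeUsers") or []):
        findings.append(NOT_ALL_USERS)
    # "AllTrusted" (or any named location) in excludeLocations waives MFA for those IPs.
    if locs.get("excludeLocations"):
        findings.append(TRUSTED_LOC_GAP)
    return findings


def audit_tenant(policies) -> dict:
    """Map each MFA policy's displayName to its findings, plus a '<tenant>' entry when
    no single enforced policy requires MFA for all users on all cloud apps."""
    report = {}
    fully_covered = False
    mfa_policies = [p for p in policies if requires_mfa(p)]
    for policy in mfa_policies:
        findings = audit_policy(policy)
        report[policy["displayName"]] = findings
        fully_covered = fully_covered or not findings
    if not mfa_policies:
        report["<tenant>"] = [NO_MFA_POLICY]
    elif not fully_covered:
        report["<tenant>"] = [NO_FULL_COVERAGE]
    return report


# Constructed tenant: each MFA policy shows one of the weaknesses from the article.
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins", "state": "enabled",              # privileged group only
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": [], "includeGroups": ["<privileged-group-id>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA for Exchange Online", "state": "enabled",     # one application only
     "conditions": {"applications": {"includeApplications": ["<exchange-online-app-id>"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA outside trusted locations",                   # report-only plus trusted-IP waiver
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",  # not an MFA policy; skipped
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]

# The corrected policy: enforced, every user, every cloud app, no location waiver.
FIXED_POLICY = {"displayName": "Require MFA for all users", "state": "enabled",
                "conditions": {"applications": {"includeApplications": ["All"]},
                               "users": {"includeUsers": ["All"]}},
                "grantControls": {"builtInControls": ["mfa"]}}

if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'OK'}")
    print("after adding the fixed policy:", audit_tenant(SAMPLE_POLICIES + [FIXED_POLICY]))
```

Feeding the script the JSON from a real tenant is a matter of replacing SAMPLE_POLICIES with the `value` array of the Graph response; the checks deliberately ignore `excludeUsers`, because excluding a break-glass account is normal practice and not one of the gaps the campaign abused.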
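On the detection side, the campaign's two traits can be read out of Entra ID sign-in logs: many distinct accounts failing with invalid-credential errors from one source prefix, then a successful single-factor sign-in using the ropc protocol through the Azure CLI client from that same prefix. The script below is an added example, not Huntress's detection logic. Its records are constructed in the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, authenticationRequirement, status.errorCode); the IPv6 addresses are in the RFC 3849 documentation range rather than the range the article attributes to LSHIY; and the spray thresholds and the /48 grouping are assumptions to tune per tenant.

```python
"""Spot the campaign's two signatures in Entra ID sign-in logs: password spraying from one
source prefix, then a successful single-factor ROPC sign-in from that same prefix.

Added example for this article, not Huntress's detection logic. Records are constructed in
the shape of the Microsoft Graph signIn resource; thresholds and the /48 grouping are
assumptions to tune per tenant.
"""
import ipaddress
from collections import defaultdict

SPRAY_MIN_USERS = 5        # distinct accounts tried from one source prefix (assumption)
SPRAY_MAX_PER_USER = 3     # sprays try a few passwords per account, unlike brute force (assumption)
ERR_BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
ERR_MFA_REQUIRED = 50076   # AADSTS50076: MFA required; ROPC cannot satisfy it, so the sign-in fails


def source_prefix(ip: str) -> str:
    """Collapse an address to its /48 (IPv6) or /24 (IPv4) so a spray spread over
    many hosts in one range still shows up as a single source."""
    addr = ipaddress.ip_address(ip)
    bits = 48 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def spraying_prefixes(events) -> dict:
    """Return {prefix: distinct accounts} for prefixes whose failures look like a spray:
    many accounts, few guesses each."""
    attempts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["status"]["errorCode"] == ERR_BAD_PASSWORD:
            attempts[source_prefix(ev["ipAddress"])][ev["userPrincipalName"].lower()] += 1
    return {prefix: len(users) for prefix, users in attempts.items()
            if len(users) >= SPRAY_MIN_USERS and max(users.values()) <= SPRAY_MAX_PER_USER}


def ropc_successes_without_mfa(events, prefixes) -> list:
    """Successful ROPC sign-ins that satisfied only one factor, from a spraying prefix:
    the accounts most likely compromised. Returns (upn, app, ip) tuples."""
    return [(ev["userPrincipalName"], ev["appDisplayName"], ev["ipAddress"])
            for ev in events
            if ev["status"]["errorCode"] == 0
            and ev.get("authenticationProtocol") == "ropc"
            and ev.get("authenticationRequirement") == "singleFactorAuthentication"
            and source_prefix(ev["ipAddress"]) in prefixes]


def ropc_blocked_by_mfa(events) -> list:
    """ROPC attempts stopped by a Conditional Access MFA requirement (the policy working)."""
    return [ev["userPrincipalName"] for ev in events
            if ev.get("authenticationProtocol") == "ropc"
            and ev["status"]["errorCode"] == ERR_MFA_REQUIRED]


def detect(events):
    """Spraying prefixes first, then the single-factor ROPC successes that came from them."""
    prefixes = spraying_prefixes(events)
    return prefixes, ropc_successes_without_mfa(events, prefixes)


def make_event(upn, ip, error_code, protocol="ropc", app="Microsoft Azure CLI",
               requirement="singleFactorAuthentication"):
    """Build a minimal signIn-shaped record (constructed test data)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": protocol, "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}


# Constructed log: six hosts in one documentation-range /48 each try one account once ...
SPRAY_HOSTS = [f"2001:db8:1:{i:x}::10" for i in range(6)]
SAMPLE_EVENTS = [make_event(f"user{i}@contoso.example", SPRAY_HOSTS[i], ERR_BAD_PASSWORD)
                 for i in range(6)]
SAMPLE_EVENTS += [
    make_event("user2@contoso.example", SPRAY_HOSTS[2], ERR_BAD_PASSWORD),  # second guess for one account
    make_event("user5@contoso.example", SPRAY_HOSTS[5], 0),                 # valid pair found, no MFA in the way
    make_event("user1@contoso.example", SPRAY_HOSTS[1], ERR_MFA_REQUIRED),  # valid pair, but CA demanded MFA
    *[make_event("admin@contoso.example", "203.0.113.7", ERR_BAD_PASSWORD) for _ in range(4)],  # brute force
    make_event("devops@contoso.example", "198.51.100.20", 0, protocol="oAuth2",
               app="Azure Portal", requirement="multiFactorAuthentication"),  # ordinary interactive sign-in
]

if __name__ == "__main__":
    prefixes, hits = detect(SAMPLE_EVENTS)
    print("spraying prefixes:", prefixes)
    print("likely compromised via ROPC:", hits)
    print("ROPC stopped by an MFA policy:", ropc_blocked_by_mfa(SAMPLE_EVENTS))
```

The brute-force source (one account, four guesses) is deliberately not flagged, which is the point of pairing a distinct-account floor with a per-account ceiling; the AADSTS50076 record shows what the same campaign looks like against a tenant whose policy does cover the flow.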

Entities

Microsoft 365 (product), Azure CLI (product), ROPC OAuth (technology), MFA (technology), Conditional Access Policies (technology), Huntress (vendor)