[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFfLgq3ngQAhWZNe5Fv1vMs6Zw1QMF1VjJ2MO64FH22w":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":24,"created_at":25,"published_at":26,"article":27,"tags":31,"podcasts":44},"9b329f2a-2cb9-4cc3-968d-9e09e26adaaa","81-million-login-attempts-expose-mfa-gaps-in-microsoft-365","f45cebcb-f286-4a67-9d8b-66292a5b5889","81 Million Login Attempts Expose MFA Gaps in Microsoft 365","Attackers launched a massive password-spraying campaign targeting Microsoft 365 accounts by exploiting the Resource Owner Password Credentials (ROPC) OAuth flow and Azure CLI, both of which can bypass Multi-Factor Authentication when Conditional Access Policies are misconfigured or incomplete. The root cause was not a software vulnerability but a policy enforcement failure — organizations had MFA enabled in principle but left legacy authentication pathways unblocked. This allowed attackers to sidestep modern security controls entirely, compromising 78 accounts across 64 organizations in just two weeks. The incident underscores that enabling MFA is insufficient without also disabling legacy protocols and enforcing Conditional Access comprehensively across all authentication mechanisms.","**Immediate Actions:**\n- Block legacy authentication protocols (including ROPC and Basic Auth) across all Microsoft 365 tenants via Conditional Access Policies.\n- Audit existing Conditional Access Policies to ensure MFA is enforced for all users, applications, and authentication flows without exceptions.\n- Review Azure CLI and OAuth application registrations to restrict or monitor non-interactive authentication paths.\n\n**Long-Term Improvements:**\n- Enforce phishing-resistant MFA (e.g., FIDO2\u002Fpasskeys) as the organizational standard, replacing SMS or app-push methods where possible.\n- Implement a Zero Trust architecture that requires continuous verification regardless of authentication method or network location.\n- Establish a periodic access control review process to detect and remediate policy drift in identity and access configurations.\n\n**Detection Measures:**\n- Enable and monitor Microsoft Entra ID (Azure AD) Sign-In Logs for high-volume failed authentication attempts, unusual geographies, or ROPC-based logins.\n- Configure SIEM alerts for password-spraying indicators such as many failed logins from a single IP across multiple accounts within a short time window.\n- Integrate threat intelligence feeds to automatically block known malicious IP ranges used in credential-stuffing campaigns.",[12,13,14,15,16,17,18,19,20,21,22,23],"CIS Control 4: Secure Configuration of Enterprise Assets and Software","CIS Control 6: Access Control Management","CIS Control 12: Network Infrastructure Management","NIST SP 800-63B: Digital Identity Guidelines — Authenticator Assurance Levels","NIST AC-2: Account Management","NIST AC-17: Remote Access","NIST IA-5: Authenticator Management","NIST SI-4: System Monitoring","Microsoft Zero Trust Framework: Identity Pillar","GDPR Article 32: Security of Processing (adequate technical controls)","MITRE ATT&CK T1110.003: Password Spraying","MITRE ATT&CK T1078: Valid Accounts","published","2026-07-01T18:20:55.67082+00:00","2026-07-01T18:20:55.564+00:00",{"id":7,"url":28,"slug":29,"title":30},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-target-microsoft-365-accounts-with-81-million-login-attempts\u002F","hackers-target-microsoft-365-accounts-with-81-million-login-attempts-d03514","Hackers target Microsoft 365 accounts with 81 million login attempts",[32,38],{"id":33,"name":34,"slug":35,"description":36,"color":37},"1ec88fde-2d0f-4ed8-932a-33f5ccc0fdc7","Access Control","access-control","Excessive privileges, missing MFA, weak auth","#f97316",{"id":39,"name":40,"slug":41,"description":42,"color":43},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308",[]]