81 million login attempts hit Microsoft 365 accounts as hackers combine password spraying with leaked credentials and an OAuth flow that sidesteps MFA

  • A password-spraying attack successfully breached Microsoft 365 accounts
  • The hackers abused improperly configured conditional access policies to bypass MFA
  • Many organizations targeted had no MFA implemented

Hackers have used previously leaked credentials to target Microsoft 365 accounts in a password-spraying attack that resulted in over 81 million login attempts during a two-week period.

Where a sprayed username and password pair matched, the attackers then signed in through the Resource Owner Password Credentials (ROPC) OAuth 2.0 grant by way of the Azure command-line interface (CLI), which sends the username and password straight to the identity provider. ROPC cannot complete an interactive multi-factor challenge, so in tenants whose Conditional Access policies were not configured to cover that flow, a correct password alone was enough to obtain tokens: the attackers bypassed MFA, not authentication itself.
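As an added example (not code from the article, from Huntress or from Microsoft), the following Python looks for the pattern described above in sign-in records: many distinct accounts failing a credential check from one source address, followed by a successful ROPC sign-in that no Conditional Access policy evaluated. The records are constructed samples shaped like Microsoft Entra ID sign-in log entries; the field names (`authenticationProtocol`, `status.errorCode`, `conditionalAccessStatus`), the error codes and the Azure CLI application ID are Microsoft's, while the users, addresses and the other application ID are made up for the example.

```python
"""Detect a password spray that ends in an ROPC sign-in with no Conditional
Access evaluation, over constructed sample sign-in records."""
from collections import defaultdict

# Well-known first-party application ID of the Azure CLI (a public client).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Placeholder application ID for the constructed records below (not a real app).
OTHER_APP_ID = "00000000-0000-0000-0000-000000000000"

# Entra ID sign-in error codes used in the samples:
#   0     success
#   50126 invalid username or password (one spray attempt failing)
#   50076 strong authentication required (an MFA policy applied, so the
#         ROPC request is rejected even though the password was correct)
SUCCESS, BAD_PASSWORD, MFA_REQUIRED = 0, 50126, 50076


def signin(user, ip, app, proto, code, ca):
    """Build one record in the shape of an Entra ID sign-in log entry."""
    return {"userPrincipalName": user, "ipAddress": ip, "appId": app,
            "authenticationProtocol": proto, "status": {"errorCode": code},
            "conditionalAccessStatus": ca}


# Constructed sample data (not real tenant logs). 203.0.113.7 tries one
# password across several accounts via ROPC and lands on dave's.
SAMPLE_SIGNINS = [
    signin("alice@example.com", "203.0.113.7", AZURE_CLI_APP_ID, "ropc", BAD_PASSWORD, "notApplied"),
    signin("bob@example.com",   "203.0.113.7", AZURE_CLI_APP_ID, "ropc", BAD_PASSWORD, "notApplied"),
    signin("carol@example.com", "203.0.113.7", AZURE_CLI_APP_ID, "ropc", BAD_PASSWORD, "notApplied"),
    signin("dave@example.com",  "203.0.113.7", AZURE_CLI_APP_ID, "ropc", SUCCESS,      "notApplied"),
    # Same source against a tenant whose MFA policy covers ROPC: the password
    # was right, but the flow cannot satisfy MFA, so no token is issued.
    signin("erin@example.org",  "203.0.113.7", AZURE_CLI_APP_ID, "ropc", MFA_REQUIRED, "failure"),
    # Ordinary interactive sign-in that went through Conditional Access.
    signin("alice@example.com", "198.51.100.5", OTHER_APP_ID, "oAuth2", SUCCESS, "success"),
    # One user mistyping a password from one address is not a spray.
    signin("alice@example.com", "192.0.2.9", OTHER_APP_ID, "oAuth2", BAD_PASSWORD, "notApplied"),
]


def password_spray_sources(signins, min_distinct_users=3):
    """Map source IP -> set of accounts for sources that failed a credential
    check (50126) against at least min_distinct_users distinct accounts.
    Spraying shows up as many users with few attempts each, which is what
    distinguishes it from a brute force against a single account."""
    failed = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == BAD_PASSWORD:
            failed[s["ipAddress"]].add(s["userPrincipalName"].lower())
    return {ip: users for ip, users in failed.items()
            if len(users) >= min_distinct_users}


def ropc_successes_without_ca(signins):
    """Successful sign-ins over the ROPC grant where no Conditional Access
    policy applied: a valid password turned into tokens with no MFA step."""
    return [s for s in signins
            if s["status"]["errorCode"] == SUCCESS
            and s["authenticationProtocol"] == "ropc"
            and s["conditionalAccessStatus"] == "notApplied"]


def spray_then_ropc_access(signins, min_distinct_users=3):
    """Correlate the two signals: ROPC successes with no policy applied that
    come from an address which was also spraying. These are the accounts to
    treat as compromised first."""
    spraying = password_spray_sources(signins, min_distinct_users)
    return [s for s in ropc_successes_without_ca(signins)
            if s["ipAddress"] in spraying]


if __name__ == "__main__":
    for hit in spray_then_ropc_access(SAMPLE_SIGNINS):
        print(f"compromised via ROPC after spray: {hit['userPrincipalName']} "
              f"from {hit['ipAddress']}")
```

The `min_distinct_users` threshold and the time window are the knobs to tune: a real spray is spread over days and rotates addresses, so in production the grouping key would be a time bucket plus address or ASN rather than a single IP over the whole log. The erin record is there to show the healthy outcome: with an MFA policy that covers the flow, the same attack produces a 50076 failure instead of a token.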

Cybersecurity company Huntress observed the attack campaign as it targeted its customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and 26, 2026.

Hackers access 365 accounts without an MFA challenge

The success of the attack ultimately came down to how well organizations had implemented Conditional Access policies relating to multi-factor authentication.
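As an added example (not code from the article or from Huntress, and not a full Conditional Access evaluator), the following Python audits a set of policies for the specific gap that matters here: whether any enabled policy requires MFA for all users on all cloud apps with no exclusions, since ROPC cannot satisfy an MFA requirement and is rejected when such a policy applies. The policy dicts follow the shape of Microsoft Graph `conditionalAccessPolicy` objects (`state`, `conditions.users`, `conditions.applications`, `grantControls.builtInControls`); the three policies are constructed samples, and the Azure CLI application ID is Microsoft's well-known value.

```python
"""Static audit of Conditional Access policies for the gap that lets an ROPC
sign-in with a valid password obtain tokens without ever being asked for MFA."""

# Well-known first-party application ID of the Azure CLI.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def mfa_policy(name, state, apps_excluded=(), users_excluded=()):
    """Build a constructed 'require MFA' policy in the Graph
    conditionalAccessPolicy shape, targeting all users and all cloud apps
    with the given exclusions."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(users_excluded),
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": list(apps_excluded)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed sample policies (not exported from any tenant).
WEAK_POLICY = mfa_policy("Require MFA (CLI tooling excluded)", "enabled",
                         apps_excluded=[AZURE_CLI_APP_ID])
REPORT_ONLY_POLICY = mfa_policy("Require MFA for all users", "enabledForReportingButNotEnforced")
STRONG_POLICY = mfa_policy("Require MFA for all users on all cloud apps", "enabled")


def mfa_policy_gaps(policies):
    """Return human-readable findings. A finding is anything that leaves a
    path for an ROPC request with a correct password to be issued tokens:
    an MFA policy that is not enforced, does not cover every app or user, or
    carries exclusions. A final summary finding is added when no policy in
    the set enforces MFA everywhere."""
    gaps, enforcing = [], []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue  # not an MFA policy; out of scope for this audit
        if p.get("state") != "enabled":
            gaps.append(f"{name}: not enforced (state={p.get('state')})")
            continue
        cond = p.get("conditions") or {}
        apps = cond.get("applications") or {}
        users = cond.get("users") or {}
        own = []
        if apps.get("includeApplications") != ["All"]:
            own.append(f"{name}: does not target all cloud apps")
        if apps.get("excludeApplications"):
            own.append(f"{name}: excludes apps {apps['excludeApplications']}")
        if users.get("includeUsers") != ["All"]:
            own.append(f"{name}: does not target all users")
        excluded = list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])
        if excluded:
            own.append(f"{name}: excludes users or groups {excluded}")
        if own:
            gaps.extend(own)
        else:
            enforcing.append(name)
    if not enforcing:
        gaps.append("no enabled, exclusion-free policy requires MFA for all users on all cloud apps")
    return gaps


if __name__ == "__main__":
    for finding in mfa_policy_gaps([WEAK_POLICY, REPORT_ONLY_POLICY]):
        print("gap:", finding)
    print("strong set:", mfa_policy_gaps([STRONG_POLICY]) or "no gaps")
```

The function is deliberately strict: a dedicated break-glass account is a common and defensible exclusion, but it is still an account that a correct password alone can sign into over ROPC, so it should appear in the findings and be accepted consciously (with a long random password and its own sign-in alerting) rather than vanish from the audit. Feeding it the output of a policy export from your tenant is the intended use; the sample policies only exist so the block runs offline.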

“Many of the...

Copyright of this story belongs to techradar.com, where the full text is available.
