- A password spray attack successfully breached Microsoft 365 accounts
- The hackers abused improperly configured Conditional Access policies to bypass MFA
- Many targeted organizations had no MFA implemented
Hackers have used previously leaked credentials to target Microsoft 365 accounts in a password-spray attack that resulted in over 81 million login attempts over a two-week period.
The attackers then took advantage of Conditional Access policies that had not been configured to cover the Resource Owner Password Credentials (ROPC) OAuth flow, using the Azure Command Line Interface (CLI) to sign in through ROPC. Once a matching username and password was found, this allowed the attackers to bypass MFA entirely.
Cybersecurity firm Huntress observed the attack campaign as it targeted customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and June 26, 2026.
Hackers gain access to 365 accounts without authentication
The success of the attack ultimately came down to how well organizations had implemented conditional access policies in conjunction with multi-factor authentication.
“Many of the compromised companies had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but MFA was not configured to cover this specific flow that the attackers used,” Huntress explained, referring to the exploitation of ROPC.
“ROPC is considered problematic for several reasons, but one of those reasons is that it does not offer support for modern authentication flows like MFA or SSO. This means, as we saw in this campaign, that ROPC sends the password directly to the /token endpoint without any interactive MFA prompt.”
Several of the breached organizations did not enforce an MFA policy at all, while others applied MFA only to specific user groups such as administrators. In other cases, a login attempt required MFA only when the traffic came from an untrusted location, meaning that MFA was not enforced if the connection came from a trusted IP address. In addition, some organizations had only enabled MFA in report-only mode, meaning that the MFA policies were never actually enforced.
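To make the four policy gaps concrete, here is an added example (written for this article, not Huntress or Microsoft code) of a toy Conditional Access evaluator. Policies are dicts shaped like Microsoft Graph conditionalAccessPolicy objects (state, conditions.users, conditions.clientAppTypes, conditions.locations, grantControls.builtInControls); the evaluation logic is a simplification, and the sign-in it tests is constructed: a non-admin user signing in through the Azure CLI public client (whose published app id is 04b07795-8ddb-461a-bbee-02f9e1bf7b46) from a location the tenant marked as trusted. The admin-only, browser-only, trusted-location-exempt and report-only policies all let that sign-in through without MFA; only the "all users, all apps, all client app types" policy catches it.

```python
"""Toy Conditional Access evaluator (added example, not Huntress or Microsoft code).

Policies mimic the shape of Microsoft Graph conditionalAccessPolicy objects;
the evaluator itself is a simplification written for this article.
"""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    groups: set = field(default_factory=set)
    app: str = "All"                    # application id, or "All"
    client_app_type: str = "browser"    # browser | mobileAppsAndDesktopClients | other
    trusted_location: bool = False      # did the request come from a named trusted location?


def policy_matches(policy, s):
    """Does this policy's conditions block apply to sign-in s?"""
    cond = policy["conditions"]
    users = cond["users"]
    user_in_scope = ("All" in users.get("includeUsers", [])
                     or s.user in users.get("includeUsers", [])
                     or bool(s.groups & set(users.get("includeGroups", []))))
    if s.user in users.get("excludeUsers", []):
        user_in_scope = False
    apps = cond["applications"].get("includeApplications", [])
    app_in_scope = "All" in apps or s.app in apps
    types = cond.get("clientAppTypes", ["all"])
    type_in_scope = "all" in types or s.client_app_type in types
    loc_in_scope = True
    loc = cond.get("locations")
    if loc and s.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        loc_in_scope = False   # the "trusted IPs are exempt" gap
    return user_in_scope and app_in_scope and type_in_scope and loc_in_scope


def mfa_required(policies, s):
    """True if at least one *enforced* policy matches s and grants only with MFA."""
    for p in policies:
        if p["state"] != "enabled":      # disabled or enabledForReportingButNotEnforced
            continue
        if policy_matches(p, s) and "mfa" in p["grantControls"]["builtInControls"]:
            return True
    return False


def make_policy(name, state="enabled", include_users=("All",), include_groups=(),
                client_app_types=("all",), exclude_trusted=False):
    cond = {
        "users": {"includeUsers": list(include_users), "includeGroups": list(include_groups)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": list(client_app_types),
    }
    if exclude_trusted:
        cond["locations"] = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
    return {"displayName": name, "state": state, "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}


# The four gaps the article describes, each as a constructed policy set.
WEAK_POLICIES = {
    "admins only": [make_policy("MFA for admins", include_users=(), include_groups=("Global Admins",))],
    "browser only": [make_policy("MFA for browser sign-ins", client_app_types=("browser",))],
    "trusted IPs exempt": [make_policy("MFA outside the office", exclude_trusted=True)],
    "report-only": [make_policy("MFA for all users", state="enabledForReportingButNotEnforced")],
}
FIXED_POLICY = [make_policy("MFA for all users, all apps, all client app types")]

# Constructed sign-in resembling the ROPC flow: a non-admin user, the Azure CLI
# public client (04b07795-8ddb-461a-bbee-02f9e1bf7b46 is its published app id),
# a non-browser client app type, arriving from a trusted location.
ROPC_SIGNIN = SignIn(user="alice@example.com", groups={"Sales"},
                     app="04b07795-8ddb-461a-bbee-02f9e1bf7b46",
                     client_app_type="mobileAppsAndDesktopClients", trusted_location=True)


def coverage_report(signin=ROPC_SIGNIN):
    """Return {scenario: mfa_required} for each weak policy set plus the fixed one."""
    report = {name: mfa_required(pols, signin) for name, pols in WEAK_POLICIES.items()}
    report["all users/apps/client types"] = mfa_required(FIXED_POLICY, signin)
    return report


if __name__ == "__main__":
    for scenario, required in coverage_report().items():
        print(f"{scenario:32} MFA required: {required}")
```

The point of the evaluator is the asymmetry it exposes: each weak policy does enforce MFA for the flow its author had in mind (a browser sign-in from an untrusted network, an administrator) while silently excluding the ROPC sign-in, and a report-only policy matches but never enforces anything.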
To protect against this type of attack, Huntress recommended the following mitigations:
- Organizations should implement MFA for all users, all cloud apps, and all client app types
- The Azure CLI application should be restricted from use by non-administrator users
- Incident response should be driven by credential validity (a successful sign-in) rather than by spray volume alone
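The third recommendation is easiest to see in detection logic. The added example below (written for this article, not Huntress code) triages sign-in events shaped like Microsoft Graph signIn records: it still counts spray sources by distinct targeted accounts per IP, but the list it hands to responders is the set of *successful* single-factor sign-ins that no Conditional Access policy enforced, split by whether they came from a spray source. The log lines are constructed; field names (userPrincipalName, ipAddress, appId, authenticationRequirement, conditionalAccessStatus, status.errorCode) follow the Graph schema, error code 50126 is the real "invalid username or password" code, and the Azure CLI app id is its published value.

```python
"""Added detection example (not Huntress code): respond on credential validity,
not spray volume. Input is JSON lines shaped like Microsoft Graph signIn records;
the events themselves are constructed for this example.
"""
import json
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # published Azure CLI app id
ERR_BAD_PASSWORD = 50126                                     # AADSTS50126: invalid username or password
PLACEHOLDER_WEB_APP_ID = "web-app-id-placeholder"            # stands in for a browser app's id


def make_event(upn, ip, error=ERR_BAD_PASSWORD, app=AZURE_CLI_APP_ID,
               auth_req="singleFactorAuthentication", ca="notApplied"):
    """Build one constructed sign-in record as a JSON line."""
    return json.dumps({"userPrincipalName": upn, "ipAddress": ip, "appId": app,
                       "authenticationRequirement": auth_req,
                       "conditionalAccessStatus": ca, "status": {"errorCode": error}})


# Constructed sample: a spray of 25 accounts from one IP, one of which succeeds
# through the Azure CLI with no policy applied; background noise from a user
# mistyping a password; a healthy MFA login; and an unrelated single-factor login.
_lines = [make_event(f"user{i:02d}@example.com", "198.51.100.7") for i in range(1, 26)]
_lines.append(make_event("user17@example.com", "198.51.100.7", error=0))       # spray found a valid password
_lines += [make_event("user03@example.com", "203.0.113.9")] * 3                 # one user, three typos
_lines.append(make_event("user03@example.com", "192.0.2.5", error=0, app=PLACEHOLDER_WEB_APP_ID,
                         auth_req="multiFactorAuthentication", ca="success"))   # MFA enforced: fine
_lines.append(make_event("user08@example.com", "192.0.2.5", error=0))          # single-factor, no spray: review
SAMPLE_LOG = "\n".join(_lines)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def spray_sources(events, min_users=10):
    """IPs whose failed password attempts hit at least min_users distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == ERR_BAD_PASSWORD:
            failed[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in failed.items() if len(users) >= min_users}


def valid_credential_hits(events):
    """Successful sign-ins that were single-factor and that no CA policy enforced.

    These, not the failure counts, identify the accounts that need a password
    reset and token revocation.
    """
    hits = []
    for e in events:
        succeeded = e["status"]["errorCode"] == 0
        single_factor = e["authenticationRequirement"] == "singleFactorAuthentication"
        unenforced = e["conditionalAccessStatus"] != "success"   # notApplied / failure
        if succeeded and single_factor and unenforced:
            hits.append({"user": e["userPrincipalName"], "ip": e["ipAddress"],
                         "app": e["appId"], "from_spray_source": False})
    return hits


def triage(text, min_users=10):
    """Split valid-credential hits into 'compromised' (from a spray source) and 'review'."""
    events = parse_events(text)
    sprayers = spray_sources(events, min_users)
    hits = valid_credential_hits(events)
    for h in hits:
        h["from_spray_source"] = h["ip"] in sprayers
    return {
        "spray_sources": sprayers,
        "compromised": [h for h in hits if h["from_spray_source"]],
        "review": [h for h in hits if not h["from_spray_source"]],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run as-is it reports one spray source with 25 targeted accounts, one compromised account (user17, whose password the spray found) and one single-factor sign-in to review; the 25 failures on their own never enter the response queue. Raising `min_users` does not change which sign-ins are valid, only which of them are tied to a known spray source, which is the distinction the recommendation draws.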
Via Bleeping Computer