Microsoft 365 users are facing a significant security threat after a massive, automated password spray attack targeted cloud accounts. Security firm Huntress reported that attackers made 81 million login attempts between June 12 and June 26 alone. While the scale of the campaign was enormous, the success rate was low but impactful: at least 78 accounts belonging to Huntress customers were compromised during this period.
The mechanics of the breach
The attack originated from a single IPv6 address range controlled by internet provider LSHIY LLC. Huntress noted that the activity began with a slight increase on June 12, followed by a sudden spike on June 22 when 30 customers were affected. The attackers utilized the OAuth ROPC (Resource Owner Password Credentials) flow to execute the breach.
In this method, the attackers submitted username and password pairs directly to the /token endpoint of a specific tenant. Whenever a pair was accepted, the identity service minted a new user-delegated access token, granting the attacker access to the account. This technique succeeded because Multi-Factor Authentication (MFA) was not configured to cover these login attempts in several targeted organizations, so a correct password alone was enough.
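The pattern described above (many distinct usernames tried from one IPv6 range, a handful of single-factor successes) is visible in Entra ID sign-in logs. The following is an added example, not Huntress's or Microsoft's code: it groups sign-in events by source /64 prefix and reports ranges that touched many accounts together with any single-factor successes from that range. The field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, appDisplayName, clientAppUsed, authenticationRequirement, status.errorCode), the error code 50126 is Entra's "invalid username or password", the log lines and addresses are constructed for illustration, and the min_users threshold is an arbitrary assumption to tune per tenant.

```python
"""Password-spray triage over Entra ID sign-in log lines (added example)."""
import ipaddress
import json
from collections import defaultdict

INVALID_PASSWORD = 50126  # Entra ID error code for a wrong username/password


def source_prefix(ip: str) -> str:
    """Collapse an address to its /64 (IPv6) or /24 (IPv4) prefix for grouping."""
    addr = ipaddress.ip_address(ip)
    bits = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def detect_spray(lines, min_users: int = 5):
    """Return one finding per source prefix that attempted >= min_users accounts.

    Each finding lists the distinct accounts tried, the failure count, and every
    successful sign-in from that prefix that completed with a single factor
    (the cases the article describes as compromised accounts).
    """
    buckets = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for line in lines:
        ev = json.loads(line)
        bucket = buckets[source_prefix(ev["ipAddress"])]
        bucket["users"].add(ev["userPrincipalName"].lower())
        if ev.get("status", {}).get("errorCode", 0) == 0:
            bucket["successes"].append({
                "user": ev["userPrincipalName"],
                "app": ev.get("appDisplayName"),
                "client": ev.get("clientAppUsed"),
                "auth": ev.get("authenticationRequirement"),
            })
        else:
            bucket["failures"] += 1

    findings = []
    for prefix, b in buckets.items():
        if len(b["users"]) < min_users:
            continue  # a single user fat-fingering a password is not a spray
        single_factor = [s for s in b["successes"]
                         if s["auth"] == "singleFactorAuthentication"]
        findings.append({
            "prefix": prefix,
            "distinct_users": len(b["users"]),
            "failures": b["failures"],
            "single_factor_successes": single_factor,
        })
    return findings


def _event(user, ip, code, auth="singleFactorAuthentication", app="Microsoft Azure CLI"):
    # Constructed sample event in the Graph signIn shape (timestamp is arbitrary).
    return json.dumps({
        "createdDateTime": "2025-06-22T03:14:00Z",
        "userPrincipalName": user,
        "ipAddress": ip,
        "appDisplayName": app,
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "authenticationRequirement": auth,
        "status": {"errorCode": code},
    })


# Constructed log: six accounts probed from one documentation /64, one guess
# succeeds without MFA; plus one unrelated MFA-protected sign-in from IPv4.
SAMPLE_LOG = [
    _event("alice@example.com", "2001:db8:abcd:1::10", INVALID_PASSWORD),
    _event("bob@example.com", "2001:db8:abcd:1::11", INVALID_PASSWORD),
    _event("carol@example.com", "2001:db8:abcd:1::12", INVALID_PASSWORD),
    _event("dana@example.com", "2001:db8:abcd:1::13", INVALID_PASSWORD),
    _event("erin@example.com", "2001:db8:abcd:1::14", INVALID_PASSWORD),
    _event("frank@example.com", "2001:db8:abcd:1::15", 0),
    _event("grace@example.com", "203.0.113.10", 0,
           auth="multiFactorAuthentication", app="Office 365 Exchange Online"),
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(json.dumps(f, indent=2))
```

Run against an export of the sign-in log (one JSON object per line) and treat every entry under single_factor_successes as an account to reset and review; the IPv4 range in the sample falls below the threshold and is not reported.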

Why MFA failed to stop the attack
The core vulnerability lay in how some organizations configured their security policies. Huntress identified two primary misconfigurations that allowed the attackers to bypass protections:
- App-specific enforcement: Some companies enforced MFA only for specific applications, such as Microsoft Admin Portals. However, this did not cover other entry points like the Azure CLI, which the attackers exploited.
- User-group limitations: Other organizations enabled MFA only for specific user groups, such as administrators. The compromised accounts in these cases belonged to users outside that protected scope.
Because the OAuth ROPC flow was not covered by these limited MFA policies, the attackers could replay validated credentials without triggering additional verification steps.
What this means for you
If you manage Microsoft 365 accounts, whether for personal use or within an organization, it is critical to review your MFA settings. Ensure that Multi-Factor Authentication is enforced for All Cloud Apps, not just specific portals or admin groups. Additionally, consider disabling the OAuth ROPC flow if it is not strictly necessary for your workflow, as it presents a higher risk when combined with weak password hygiene.
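The two misconfigurations listed above (MFA scoped to specific apps, MFA scoped to specific groups) and the recommendation to require MFA for All Cloud Apps can both be checked mechanically against a tenant's Conditional Access policies. This is an added example, not Huntress's or Microsoft's code: it reads policy objects in the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users.includeUsers / includeGroups, conditions.applications.includeApplications, grantControls.builtInControls) and reports whether any enabled policy requires MFA for all users on all cloud apps. The sample policies and the group id placeholder are constructed; exclusions (excludeUsers, excludeApplications) are noted but not scored.

```python
"""Audit Conditional Access policies for app- or group-scoped MFA (added example)."""
from typing import Any

Policy = dict[str, Any]


def requires_mfa(policy: Policy) -> bool:
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])


def included_apps(policy: Policy) -> list[str]:
    return policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def included_users(policy: Policy) -> list[str]:
    return policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def audit_policies(policies: list[Policy]) -> dict[str, Any]:
    """Return tenant_wide_mfa (bool) and a list of human-readable findings."""
    findings: list[str] = []
    tenant_wide = False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if not requires_mfa(p):
            continue
        if p.get("state") != "enabled":
            findings.append(f"{name}: requires MFA but state is {p.get('state')!r}")
            continue
        all_apps = "All" in included_apps(p)
        all_users = "All" in included_users(p)
        if all_apps and all_users:
            # Break-glass accounts under excludeUsers are expected here and not flagged.
            tenant_wide = True
            continue
        if not all_apps:
            findings.append(
                f"{name}: MFA limited to apps {included_apps(p)}; other OAuth clients "
                "such as the Azure CLI and direct ROPC token requests are not covered")
        if not all_users:
            findings.append(
                f"{name}: MFA limited to groups {p['conditions']['users'].get('includeGroups', [])}; "
                "users outside those groups sign in with a password only")
    if not tenant_wide:
        findings.append("No enabled policy requires MFA for All users on All cloud apps")
    return {"tenant_wide_mfa": tenant_wide, "findings": findings}


# Constructed sample tenant showing exactly the two weak shapes from the article.
SAMPLE_POLICIES: list[Policy] = [
    {
        "displayName": "MFA for admin portals",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": []},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["<ADMINS-GROUP-ID-PLACEHOLDER>"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# The corrected baseline: every user, every cloud app, MFA required.
HARDENED_POLICY: Policy = {
    "displayName": "Require MFA for all users on all cloud apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<BREAK-GLASS-ID-PLACEHOLDER>"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for line in audit_policies(SAMPLE_POLICIES)["findings"]:
        print("WEAK:", line)
    print("after hardening:", audit_policies(SAMPLE_POLICIES + [HARDENED_POLICY])["tenant_wide_mfa"])
```

Feed it the array returned by GET /identity/conditionalAccess/policies; the audit passes only once a tenant-wide policy exists, and the remaining findings then describe narrower policies that are redundant rather than gaps. Disabling ROPC itself is a separate tenant and app-registration setting that this script does not inspect.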
LSHIY LLC has since terminated access for the customer associated with the malicious IP addresses. However, the incident highlights the importance of comprehensive security configurations to prevent credential theft on a large scale.
Source: Huntress Blog
Source: Windows – Computerworld
Over to you: Do you currently enforce MFA for all cloud apps in your organization, or are you still relying on app-specific policies?