- A password-spraying attack successfully breached Microsoft 365 accounts
- The hackers abused improperly configured conditional access policies to bypass MFA
- Many organizations targeted had no MFA implemented
Hackers have used previously leaked credentials to target Microsoft 365 accounts in a password-spraying attack that resulted in over 81 million login attempts during a two-week period.
The attackers then abused improperly implemented Conditional Access policies by authenticating through the Resource Owner Password Credentials (ROPC) OAuth flow using the Azure command-line interface (CLI), which allowed them to bypass authentication altogether once a matching username and password had been discovered.
Cybersecurity company Huntress observed the attack campaign as it targeted its customers and noted that 78 Microsoft accounts across 64 organizations were compromised between June 12 and 26, 2026.
Hackers access 365 accounts without authentication
The success of the attack ultimately came down to how well organizations had implemented Conditional Access policies relating to multi-factor authentication.
“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress explained, referring to the exploitation of ROPC.
“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.”
Several of the organizations that were breached did not enforce an MFA policy at all, with others only applying MFA for specific user groups such as administrators. In other cases, a login attempt only required MFA when the traffic was coming from an untrusted location, meaning that MFA was not enforced if the connection was coming from a trusted IP address. Additionally, some organizations had only enforced MFA in report-only mode, meaning that the MFA policies were never actually applied.
To protect against attacks of this kind, Huntress recommended the following mitigations:
- Organizations should implement MFA for All Users, All Cloud Apps, and All Client App types
- The Azure CLI application should be restricted from use by non-admin users
- Response to the attack should be based on credential validity rather than on spray volume
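The following triage script is an added illustration of the last two points above, not code from Huntress or the original article: it walks constructed sign-in records shaped like Entra ID sign-in log entries (field names and error codes are assumed from that schema, the application name "Microsoft Azure CLI" is an assumption), separates ROPC-style non-interactive Azure CLI sign-ins from the rest, and reports on accounts whose password was validated without MFA rather than on raw attempt volume.

```python
"""Triage constructed Entra ID sign-in records for an ROPC password-spray.

Field names mirror the Entra ID sign-in log schema (assumed, not taken from
the article); all records below are constructed sample data.
"""
from collections import Counter

# Assumed Entra error codes: 0 = success, 50126 = invalid username or
# password, 50076/50079 = password accepted but MFA still required.
INVALID_CREDS = {50126}
VALID_PASSWORD_MFA_BLOCKED = {50076, 50079}
ROPC_CLIENT = "Microsoft Azure CLI"  # assumed app display name


def _rec(upn, ip, app, interactive, auth_req, ca_status, code):
    """Build one constructed sign-in record."""
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "isInteractive": interactive, "authenticationRequirement": auth_req,
            "conditionalAccessStatus": ca_status, "errorCode": code}


SAMPLE_SIGNINS = [  # constructed: one spraying IP, one legitimate user
    _rec("a.user@example.com", "203.0.113.10", ROPC_CLIENT, False, "singleFactorAuthentication", "notApplied", 50126),
    _rec("b.user@example.com", "203.0.113.10", ROPC_CLIENT, False, "singleFactorAuthentication", "notApplied", 50126),
    _rec("c.user@example.com", "203.0.113.10", ROPC_CLIENT, False, "singleFactorAuthentication", "notApplied", 0),
    _rec("d.user@example.com", "203.0.113.10", ROPC_CLIENT, False, "multiFactorAuthentication", "success", 50076),
    _rec("e.user@example.com", "198.51.100.7", "Office 365 Exchange Online", True, "multiFactorAuthentication", "success", 0),
]


def is_ropc_like(rec):
    """Non-interactive Azure CLI sign-in: the password-grant flow the article describes."""
    return rec["appDisplayName"] == ROPC_CLIENT and not rec["isInteractive"]


def triage(records):
    """Return (attempts per source IP, accounts signed in without MFA, accounts whose password was accepted but MFA blocked)."""
    volume = Counter()
    compromised, mfa_blocked = [], []
    for rec in records:
        if not is_ropc_like(rec):
            continue
        volume[rec["ipAddress"]] += 1
        # Credential validity, not volume, decides what needs a response:
        # a successful single-factor sign-in means no CAP covered this flow.
        if rec["errorCode"] == 0 and rec["authenticationRequirement"] == "singleFactorAuthentication":
            compromised.append(rec["userPrincipalName"])
        elif rec["errorCode"] in VALID_PASSWORD_MFA_BLOCKED:
            mfa_blocked.append(rec["userPrincipalName"])  # password is known; rotate it
    return volume, compromised, mfa_blocked


if __name__ == "__main__":
    vol, comp, blocked = triage(SAMPLE_SIGNINS)
    print("ROPC attempts by IP:", dict(vol))
    print("Signed in without MFA (reset + revoke sessions):", comp)
    print("Password valid, MFA blocked (reset password):", blocked)
```

Accounts in the second list are the ones the article's victims would have produced: a Conditional Access policy that was report-only, scoped to admins, or excluded trusted IPs never applied to this flow.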
Via BleepingComputer
This article was written by: Nermeen Nabil Khear Abdelmalak