
Massive Password Stealing Attack Targeting Microsoft 365 Users With 81 Million Login Attempts
The digital perimeter of an organization is constantly under siege. For companies relying on Microsoft 365, a recent, massive password-stealing attack serves as a stark reminder of the persistent threats to identity and access management. With 81 million login attempts recorded, this campaign shows how attackers use authentication flows that never present a multi-factor authentication (MFA) challenge to compromise Entra ID accounts.
Anatomy of a Sophisticated Attack: Password Spraying at Scale
Recent intelligence from Huntress has unveiled a large-scale, automated password spray campaign targeting Microsoft 365 and Azure CLI users. This is not a brute-force attack on a single account; instead, the threat actors try a small set of common passwords against a vast number of accounts, betting that some users have weak credentials. Spreading attempts thinly across many accounts also keeps each account below lockout thresholds. What makes this campaign particularly concerning is that the attempts are made through Microsoft's Azure Command-Line Interface (CLI) and legacy OAuth flows rather than through the interactive browser sign-in page. The activity, which spiked between June 12 and June 26, is a sustained effort to gain unauthorized access to critical cloud services.
Bypassing MFA: The Legacy OAuth Vector
One of the most alarming aspects of this campaign is how it sidesteps multi-factor authentication. Organizations invest heavily in MFA as a foundational security layer, but MFA is only enforced where a policy requires it for the specific client and flow being used. Legacy and non-interactive OAuth flows exchange a username and password directly for tokens; there is no interactive sign-in page in which an MFA challenge would normally be presented. Where no Conditional Access policy requires MFA for that application or flow, the token is issued on the password alone and the user never sees a prompt. Where MFA is required, the flow fails, but the error returned still distinguishes a wrong password from a correct password that was stopped by the MFA requirement, so the attacker learns which credentials are valid either way. Once a spray confirms a valid username and password, the attacker either holds a working session or a verified credential to reuse against any service where MFA is not enforced.
Impact on Entra ID and Microsoft 365 Users
Compromising Entra ID (formerly Azure Active Directory) accounts grants attackers a significant foothold within an organization’s cloud environment. With access to Entra ID, threat actors can:
- Access sensitive data stored in SharePoint, OneDrive, and Teams.
- Escalate privileges to gain administrative control over Microsoft 365 services.
- Launch further phishing or malware campaigns from within the compromised environment.
- Establish persistence, making detection and expulsion significantly more challenging.
The sheer volume of login attempts—81 million—underscores the breadth and automated nature of this campaign, posing a significant risk to any organization relying on Microsoft’s ecosystem.
Remediation Actions and Proactive Defenses
Mitigating the risk of such sophisticated attacks requires a multi-layered approach beyond just MFA. Organizations must adopt proactive measures to strengthen their identity and access management security posture.
- Conditional Access Policies: Implement robust Conditional Access policies in Entra ID. These define the conditions under which users can access resources, such as requiring MFA for every sign-in regardless of client, blocking legacy authentication protocols, or restricting access based on location or device compliance. Deploy new policies in report-only mode first and review the sign-in log impact before enforcing them.
- Block Legacy Authentication: Block legacy authentication protocols wherever possible. These protocols carry only a username and password and cannot enforce MFA, so a spray that finds a valid password through them succeeds outright. Microsoft provides detailed guidance on identifying and disabling legacy authentication within Entra ID.
- Identity Protection: Use Microsoft Entra ID Protection to detect and remediate identity-based risks. It identifies suspicious activity such as impossible travel, unfamiliar sign-in properties, and password spray attacks, and can trigger automated responses such as requiring a password reset or blocking access.
- Monitor Entra ID Sign-in Logs: Regularly review both the interactive and non-interactive sign-in logs for anomalous behavior: many distinct accounts failing from one source address, failures followed by a success from the same address, and successful non-interactive sign-ins that satisfied only single-factor authentication. Azure Monitor and Microsoft Sentinel can aid in this analysis.
- Strong Password Policies: While MFA is crucial, strong, unique passwords remain a fundamental defense. Because sprays rely on common passwords, banning known-weak and breached passwords (for example with Entra password protection) matters more than complexity rules. Encourage the use of password managers.
- User Training: Educate users about the risks of phishing and social engineering attacks that could lead to credential compromise.
- Regular Security Assessments: Conduct periodic security audits and penetration tests to identify and remediate potential weaknesses in your Microsoft 365 environment.
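The error-code distinction described in the MFA bypass section and the log review recommended in the monitoring item above can be turned into a small triage script. The following is an added example, not code from the original article or from Huntress. The sign-in records are constructed to mirror the field names of the Entra ID sign-in log export (interactive and non-interactive sign-ins share this shape); the users, IP addresses and timestamps are made up, the Azure CLI application ID is the well-known public client ID, and the spray thresholds (five distinct accounts within thirty minutes) are assumptions to tune for your tenant.

```python
"""Triage Entra ID sign-in records for password-spray sources, credentials the
sprayer validated, and tokens issued on a password alone through a
non-interactive client.

Added example; not from the article or from Huntress. All records are CONSTRUCTED.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known public client ID of the Azure CLI (first-party Microsoft application).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# AADSTS result codes as they appear in status.errorCode.
SUCCESS = 0
ERR_BAD_PASSWORD = 50126   # invalid username or password
ERR_MFA_REQUIRED = 50076   # password accepted, policy then demanded MFA
ERR_MFA_ENROLL = 50079     # password accepted, user must register MFA first


def _rec(minute, upn, ip, code, *, app_id=AZURE_CLI_APP_ID, app="Microsoft Azure CLI",
         client="Mobile Apps and Desktop clients", interactive=False,
         auth_req="singleFactorAuthentication"):
    """Build one CONSTRUCTED record; defaults model a password-only Azure CLI token request."""
    return {"createdDateTime": f"2025-06-14T09:{minute:02d}:00Z", "userPrincipalName": upn,
            "ipAddress": ip, "appId": app_id, "appDisplayName": app, "clientAppUsed": client,
            "isInteractive": interactive, "authenticationRequirement": auth_req,
            "status": {"errorCode": code}}


# Constructed sample: one source cycles a common password across seven accounts through
# the Azure CLI app; one user also has a normal MFA-backed browser sign-in from elsewhere.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(0, "alice@example.com", "203.0.113.10", ERR_BAD_PASSWORD),
    _rec(1, "bob@example.com", "203.0.113.10", ERR_BAD_PASSWORD),
    _rec(2, "carol@example.com", "203.0.113.10", ERR_BAD_PASSWORD),
    _rec(3, "dana@example.com", "203.0.113.10", SUCCESS),           # token issued, no MFA
    _rec(4, "erin@example.com", "203.0.113.10", ERR_MFA_REQUIRED),  # password right, MFA stopped it
    _rec(5, "frank@example.com", "203.0.113.10", ERR_BAD_PASSWORD),
    _rec(6, "grace@example.com", "203.0.113.10", ERR_BAD_PASSWORD),
    _rec(10, "alice@example.com", "198.51.100.7", SUCCESS,
         app_id="00000000-0000-0000-0000-000000000000",  # placeholder app ID, constructed
         app="Placeholder line-of-business app", client="Browser",
         interactive=True, auth_req="multiFactorAuthentication"),
])


def parse_signins(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records and attach a parsed timestamp."""
    records = []
    for line in ndjson.splitlines():
        if line.strip():
            r = json.loads(line)
            r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            records.append(r)
    return records


def spray_sources(records, min_users=5, window=timedelta(minutes=30)) -> dict[str, set[str]]:
    """IPs with bad-password failures for >= min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            by_ip[r["ipAddress"]].append(r)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: r["_ts"])
        lo = 0
        for hi in range(len(fails)):            # sliding window over sorted failures
            while fails[hi]["_ts"] - fails[lo]["_ts"] > window:
                lo += 1
            users = {r["userPrincipalName"] for r in fails[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def validated_credentials(records, spray_ips) -> list[tuple[str, str]]:
    """Accounts whose password the sprayer got right. 50076/50079 are not 'blocked'
    attempts: the password is confirmed valid and must be reset."""
    outcome = {SUCCESS: "token_issued", ERR_MFA_REQUIRED: "mfa_required",
               ERR_MFA_ENROLL: "mfa_enrollment_required"}
    return [(r["userPrincipalName"], outcome[r["status"]["errorCode"]])
            for r in records
            if r["ipAddress"] in spray_ips and r["status"]["errorCode"] in outcome]


def single_factor_noninteractive_successes(records) -> list[dict]:
    """Tokens issued without MFA through a non-interactive client: the exact footprint
    a password-only OAuth flow leaves when no policy demanded a second factor."""
    return [r for r in records
            if r["status"]["errorCode"] == SUCCESS and not r["isInteractive"]
            and r["authenticationRequirement"] == "singleFactorAuthentication"]


def triage(ndjson: str) -> dict:
    records = parse_signins(ndjson)
    spray = spray_sources(records)
    return {"spray_sources": {ip: sorted(users) for ip, users in spray.items()},
            "validated_credentials": validated_credentials(records, spray),
            "single_factor_tokens": [(r["userPrincipalName"], r["appDisplayName"])
                                     for r in single_factor_noninteractive_successes(records)]}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed data the script flags 203.0.113.10 as a spray source, reports dana@example.com (token issued with no MFA) and erin@example.com (password correct, stopped by MFA) as validated credentials that need a reset, and lists the Azure CLI token for dana@example.com as the one sign-in to treat as an active compromise. Against a real tenant, feed it the exported interactive and non-interactive sign-in logs for the period of interest.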
Relevant Tools for Detection and Mitigation
Leveraging the right tools can significantly enhance an organization’s ability to detect and respond to these types of attacks.
| Tool Name | Purpose | Link |
|---|---|---|
| Microsoft Entra ID Protection | Detects identity-based risks, including suspicious sign-ins and password sprays, and automates remediation. | https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection |
| Microsoft Sentinel | Cloud-native SIEM for security analytics, threat intelligence, and automated response across enterprise assets. | https://azure.microsoft.com/en-us/products/microsoft-sentinel |
| Microsoft Entra Conditional Access | Policy engine for controlling access to resources based on user, location, device, client app type, and application. | https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview |
| Microsoft Defender for Cloud Apps | Cloud Access Security Broker (CASB) for discovering cloud apps, protecting sensitive data, and detecting anomalies. | https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps |
Addressing Unidentified Vulnerabilities (No CVE Specifics)
The source material provides no CVE IDs for the legacy OAuth flow abuse, and none should be expected: this is a weakness in protocol choice and tenant configuration rather than a software flaw, so there is no patch to apply. Authentication flows that accept a password alone, and tenants that do not require MFA for every client, are working as designed when they issue a token to a sprayer holding a valid password. Organizations should therefore audit their configurations to ensure that all services and applications enforce modern authentication, that MFA is required by policy for every sign-in rather than left to per-user settings, and that any legacy options are disabled.
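The two Conditional Access policies that the remediation list and the audit advice above call for can be expressed as Microsoft Graph request bodies and checked offline before anything is deployed. The following is an added example, not code from the original article or from Huntress or Microsoft. The policy bodies follow the Graph conditionalAccessPolicy schema as documented by Microsoft; the display names, the report-only state, the empty break-glass exclusion list and the sample sign-ins are assumptions. The evaluator deliberately shows a caveat practitioners trip over: a password-only token request from a modern public client such as the Azure CLI is recorded as "Mobile Apps and Desktop clients", not as a legacy client, so the legacy-authentication block alone does not stop it; the require-MFA policy does.

```python
"""Conditional Access policy bodies (Microsoft Graph schema) and an offline replay of
sample sign-ins against them.

Added example; not from the article, Huntress or Microsoft. The bodies are what you
would POST, with Policy.ReadWrite.ConditionalAccess permission, to GRAPH_ENDPOINT.
"""
import json

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication (example)",
    # Report-only first so the sign-in logs show what WOULD be blocked; then "enabled".
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": []},        # assumption: fill with break-glass account object IDs
        "applications": {"includeApplications": ["All"]},
        # exchangeActiveSync + other = every legacy (username/password only) client.
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

REQUIRE_MFA_ALL_USERS = {
    "displayName": "Require MFA for all users and all apps (example)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],            # includes modern public clients such as Azure CLI
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Sign-in log `clientAppUsed` -> Graph `clientAppTypes` value matched by policy conditions.
_CLIENT_APP_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
}


def client_app_type(client_app_used: str) -> str:
    """Anything not in the map (IMAP4, POP3, SMTP, Exchange Web Services, 'Other clients', ...)
    is legacy authentication and is what the 'other' condition matches."""
    return _CLIENT_APP_TYPE.get(client_app_used, "other")


def policy_applies(policy: dict, signin: dict) -> bool:
    types = policy["conditions"]["clientAppTypes"]
    return "all" in types or client_app_type(signin["clientAppUsed"]) in types


def evaluate(signin: dict, policies: list[dict]) -> str:
    """Return 'block', 'mfa' or 'allow' for a sign-in under the given policies.
    Assumes the All-users/All-apps scope above; report-only policies are evaluated as
    if enabled, which is exactly the question report-only mode is meant to answer."""
    required = set()
    for p in policies:
        if policy_applies(p, signin):
            controls = p["grantControls"]["builtInControls"]
            if "block" in controls:
                return "block"
            required.update(controls)
    return "mfa" if "mfa" in required else "allow"


def graph_body(policy: dict) -> str:
    """Serialize a policy exactly as it would be sent in the POST body."""
    return json.dumps(policy, indent=2)


# Constructed sign-ins: a basic-auth IMAP client, a password-only Azure CLI token
# request (how the campaign described above appears), and a normal browser sign-in.
SAMPLE_SIGNINS = {
    "imap_basic_auth": {"clientAppUsed": "IMAP4"},
    "azure_cli_password_only": {"clientAppUsed": "Mobile Apps and Desktop clients"},
    "browser": {"clientAppUsed": "Browser"},
}

if __name__ == "__main__":
    both = [BLOCK_LEGACY_AUTH, REQUIRE_MFA_ALL_USERS]
    for name, s in SAMPLE_SIGNINS.items():
        print(f"{name:26} legacy-block only: {evaluate(s, [BLOCK_LEGACY_AUTH]):6}"
              f" both policies: {evaluate(s, both)}")
    print(graph_body(BLOCK_LEGACY_AUTH))
```

Run stand-alone, the replay shows the IMAP sign-in blocked by the legacy policy, while the Azure CLI request is allowed under the legacy block alone and only becomes an MFA challenge once the second policy is in place. That is the configuration gap this campaign exploits: blocking legacy authentication is necessary, but it is the require-MFA-for-all-clients policy that closes the password-only OAuth path.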
Conclusion
The recent password spray campaign targeting Microsoft 365 users, with its 81 million login attempts, serves as a critical warning for IT professionals. Threat actors continue to evolve their methods, choosing authentication paths such as legacy OAuth flows on which MFA is never enforced rather than attacking MFA itself. Strengthening your organization's security posture therefore requires not only deploying MFA but requiring it by policy for every client, blocking legacy authentication, employing stringent Conditional Access policies, and continuously monitoring the sign-in logs for spray patterns and single-factor token issuance. A proactive and adaptive approach to identity and access management is essential to safeguard cloud environments against such large-scale attacks.