A large-scale password spraying campaign has targeted Microsoft 365 environments, generating more than 81 million login attempts over just two weeks in an effort to compromise business accounts.
According to cybersecurity firm Huntress, the attacks took place between June 12 and June 26. The threat actor used username and password combinations exposed in previous data breaches to authenticate through Microsoft’s Azure Command-Line Interface (CLI). Instead of guessing many passwords for a single account, password spraying tries commonly used or previously leaked passwords across a large number of accounts.
Once valid credentials were identified, the attackers used the Resource Owner Password Credentials (ROPC) OAuth authentication flow to log in. Huntress says this method allowed the attackers to bypass multi-factor authentication (MFA) in many organizations because of improperly configured Conditional Access policies.
The campaign successfully compromised 78 Microsoft accounts across 64 organizations. Many of the affected businesses had MFA enabled, but their security policies did not protect the specific authentication method used in the attack. Since the ROPC flow does not support modern authentication methods such as MFA or single sign-on, it can become a weak point when organizations have incomplete or misconfigured security settings.
Huntress identified several common configuration mistakes that left organizations exposed. These included applying MFA only to selected applications instead of all cloud apps, enforcing MFA only for administrator accounts or specific user groups, requiring MFA only from untrusted locations, and leaving Conditional Access policies in report-only mode without actually enforcing them. In some compromised organizations, no MFA policy was configured at all.
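The configuration mistakes listed above can be checked mechanically against an export of a tenant's Conditional Access policies. The following is an added example, not code from Huntress or Microsoft: it assumes policies in the JSON shape of Microsoft Graph `conditionalAccessPolicy` objects, uses constructed sample data with placeholder names and ids, and does not evaluate user or application exclusions.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects; display names and ids are placeholders, not real tenant data.
SAMPLE = json.loads("""[
 {"displayName": "MFA admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["<role-id>"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA everyone (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA off-network", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA one app", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["<app-id>"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))

def mfa_gaps(policy):
    """Return the reasons this MFA policy leaves some sign-ins uncovered."""
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    locs = cond.get("locations") or {}
    gaps = []
    if policy.get("state") != "enabled":  # report-only or disabled
        gaps.append("not enforced (state=%s)" % policy.get("state"))
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("selected applications only")
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("selected users, groups or roles only")
    if locs.get("excludeLocations") or "All" not in (locs.get("includeLocations") or ["All"]):
        gaps.append("location-dependent")
    return gaps

def audit(policies):
    """covered is True only if one enforced MFA policy spans all users, apps and locations."""
    report = {p["displayName"]: mfa_gaps(p) for p in policies if requires_mfa(p)}
    return any(not gaps for gaps in report.values()), report
```

In the sample, every policy requires MFA yet `audit(SAMPLE)` reports the tenant as not covered, which is the situation the article describes for organizations that had MFA enabled.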
The researchers also reported a dramatic rise in password spraying activity, with organizations now experiencing an average of 1,964 failed login attempts per Microsoft 365 tenant every month—an increase of more than 155 times compared to previous levels.
Huntress said the attack traffic originated from an IPv6 address range owned by LSHIY LLC (AS32167). The company reported its findings through the provider’s abuse reporting channel but had not received a response when the report was published.
Hackers Launch 81 Million Microsoft 365 Login Attempts in Massive Password Spraying Campaign





