In a sophisticated and highly automated cyberoffensive, Microsoft 365 users have fallen victim to a sweeping "password spray" attack that underscores the ongoing vulnerability of enterprise cloud environments. The campaign, which utilized previously compromised credentials and exploited gaps in multi-factor authentication (MFA) configurations, has sounded a warning bell for IT departments worldwide.
The attack, which was identified and analyzed by cybersecurity firm Huntress, saw millions of login attempts executed against Microsoft account holders. While the immediate impact on Huntress customers was significant, experts warn that the true scope of the compromise is likely far broader, given the indiscriminate nature of automated credential-stuffing campaigns.
The Anatomy of the Attack: A Chronology of Events
The offensive did not emerge overnight; rather, it was a calculated escalation. According to telemetry provided by Huntress, the campaign unfolded in three distinct phases:
Phase 1: The Build-Up (June 12 – June 21)
The attackers began testing their infrastructure in mid-June. Huntress security researchers observed a steady, albeit low-volume, increase in suspicious login attempts beginning on June 12. During this period, the attackers were likely refining their automated scripts, testing the responsiveness of Microsoft’s endpoints, and verifying the viability of their credential list.
Phase 2: The Surge (June 22)
The operation shifted into high gear on June 22. In a sudden, coordinated spike, the volume of login attempts surged dramatically. On this single day, Huntress observed a concentrated effort that resulted in 30 of its monitored client organizations being successfully breached. This spike served as the primary indicator that the campaign had moved from the reconnaissance phase to active exploitation.
Phase 3: Sustained Pressure (June 23 – June 26)
Following the spike, the attackers maintained a relentless pace of operations. By the time the activity was neutralized, the total tally of login attempts had reached approximately 81 million. Huntress confirmed that the attackers successfully compromised at least 78 individual accounts during this two-week window.
Technical Execution: Exploiting the OAuth ROPC Flow
The success of this campaign was not due to a flaw in Microsoft’s infrastructure itself, but rather a masterclass in exploiting legacy configurations. The attackers leveraged the Resource Owner Password Credentials (ROPC) flow within the OAuth framework.
The ROPC flow is designed to allow a user to provide their username and password directly to an application to obtain an access token. In this attack, the adversaries replayed validated credentials against the /token endpoint for various Microsoft 365 tenants. Once the endpoint received the correct credentials, it minted a new user-delegated token, effectively granting the attackers access to the user’s account without triggering the standard web-based login prompts that modern MFA solutions typically intercept.
By using this flow, the attackers effectively bypassed traditional "gatekeeper" security measures, allowing them to authenticate as legitimate users while operating under the radar of many standard conditional access policies.
The "Configuration Gap": Why MFA Failed
Perhaps the most troubling aspect of the attack is that many of the targeted organizations believed they were protected by multi-factor authentication. However, the attackers identified and exploited specific "blind spots" in how these organizations configured their security policies.

1. Scoping Errors (The "All Cloud Apps" Oversight)
Many organizations enforce MFA only for specific, high-risk applications. Huntress noted that several victims had applied MFA policies only to "Microsoft Admin Portals." Because the attackers were utilizing Azure CLI (Command Line Interface) logins to facilitate their ROPC flow, the MFA policies—which were not applied to "All Cloud Apps"—did not trigger. The CLI login was treated as an out-of-scope event, allowing the attackers to slip through the cracks.
2. User-Group Limitations
In other instances, companies restricted MFA enforcement to specific user groups, such as "Administrators Only." The attackers, likely working from a massive database of harvested credentials, targeted accounts that fell outside of these designated high-privilege groups. By focusing on standard users who were not included in the MFA enforcement scope, the attackers gained a foothold in the enterprise environment with minimal resistance.
3. The Source of the Threat
The entire operation was traced back to a single, centralized source: an IPv6 address range managed by the internet service provider (ISP) LSHIY LLC. Upon being alerted to the malicious activity by Huntress and other security researchers, LSHIY LLC took corrective action, terminating access for the specific customer account responsible for the traffic. While this stopped the immediate flow of attempts from that specific range, it remains a temporary fix; the threat actors behind the campaign likely possess the resources to pivot to new infrastructure.
Implications for Enterprise Security
The LSHIY-linked attack serves as a stark reminder that "turning on MFA" is not a panacea. The nuances of how that MFA is configured are often the difference between a secure network and a compromised one.
The Myth of "MFA Everywhere"
Organizations often assume that because they have an MFA license, they are fully protected. This incident proves that partial implementation—such as excluding CLI logins or focusing only on administrative accounts—creates a "path of least resistance" for attackers. Modern identity security requires a holistic approach, often referred to as "Zero Trust," where every authentication event is verified regardless of the application or the user’s role.
The Danger of Credential Harvesting
The fact that 81 million attempts were made suggests that the attackers possessed a massive, pre-validated database of usernames and passwords. This highlights the importance of credential hygiene. If users reuse passwords across personal and professional accounts, they become a liability to their employers. Businesses must move toward passwordless authentication methods, such as FIDO2 security keys or certificate-based authentication, which are significantly more resistant to the ROPC-style replay attacks witnessed here.
The Rise of Automated Spraying
Automated password spraying is becoming the "new normal." By keeping the rate of attempts just low enough to avoid triggering account lockouts, attackers can slowly chip away at the security perimeter of an entire organization. Security Operations Centers (SOCs) must move toward behavioral analytics that can detect the intent of login patterns rather than simply blocking based on IP reputation or velocity thresholds.
Moving Forward: Recommendations for IT Leaders
To prevent similar breaches, cybersecurity professionals should take immediate action:
- Audit Conditional Access Policies: Ensure that MFA is enforced for all cloud applications and all authentication flows, including legacy protocols like CLI and PowerShell.
- Restrict ROPC Flow: Disable the ROPC flow for standard users wherever possible. If an application requires it, ensure it is strictly monitored and that modern authentication (such as OAuth 2.0 with MFA) is prioritized.
- Implement Identity Protection: Utilize tools like Microsoft Entra ID Protection, which can detect anomalous sign-in behavior, such as impossible travel or logins from known malicious IP ranges, and trigger automatic remediation steps.
- Monitor for Credential Stuffing: Regularly monitor for "leaked" credentials. If a user’s password appears in a known database breach, force a mandatory password reset and require a re-registration of their MFA device.
Conclusion
The 81-million-attempt campaign is a sobering indicator of the sophistication of modern automated attacks. The attackers did not break the encryption; they did not find a zero-day vulnerability in Microsoft’s software; they simply followed the path left open by misconfigured security policies.
For enterprises, the lesson is clear: security is not a "set it and forget it" checkbox. It is an ongoing, dynamic process that requires constant auditing and a rigorous commitment to the "All Cloud Apps" principle. As cyber-adversaries become more adept at finding the cracks in the armor, the defense must become increasingly granular, comprehensive, and proactive. The era of simple password protection is long over; in the face of automated, high-velocity threats, only a robust, zero-trust identity architecture can hope to keep the gates closed.
