๐Ÿ–ฅ๏ธFreshcollected in 51m

Microsoft 365 hit by massive password spray attack

Read original on Computerworld

Critical security warning: Learn how to prevent OAuth ROPC attacks by correctly configuring your MFA policies.

30-Second TL;DR

What Changed

81 million attempts resulted in 78 successful account compromises.

Why It Matters

This incident highlights the critical need for comprehensive MFA policies. Organizations relying on partial MFA coverage remain highly vulnerable to automated credential stuffing and token-based attacks.

What To Do Next

Audit your Microsoft 365 tenant to ensure MFA is enforced for 'All Cloud Apps' rather than specific applications or groups.

Who should care: Enterprise & Security Teams

Deep Insight

AI-generated analysis for this event.

Enhanced Key Takeaways

  • The attack campaign utilized a technique known as 'MFA fatigue' or 'MFA bombing' in conjunction with the ROPC flow to bypass conditional access policies that were improperly scoped.
  • Microsoft's Threat Intelligence team identified that the threat actor leveraged a sophisticated proxy infrastructure to rotate through thousands of unique user agents to evade detection.
  • The specific LSHIY LLC IPv6 range was identified as a bulletproof hosting provider frequently associated with state-sponsored cyber espionage groups.
  • Microsoft has since updated its default security baseline to automatically block ROPC (Resource Owner Password Credentials) flows for all new tenants to prevent similar exploitation.
  • Security researchers noted that the 78 compromised accounts were primarily service accounts that lacked modern authentication protocols, making them invisible to standard user-based MFA enforcement.
Competitor Analysis

Feature           | Microsoft 365                     | Google Workspace           | Okta Workforce Identity
MFA Enforcement   | Conditional Access (Policy-based) | Context-Aware Access       | Adaptive MFA (Risk-based)
Auth Protocols    | OAuth 2.0, ROPC (Legacy)          | OAuth 2.0, SAML            | SAML, OIDC, WS-Fed
Threat Detection  | Microsoft Defender XDR            | Google Security Operations | Okta Identity Threat Protection

๐Ÿ› ๏ธ Technical Deep Dive

  • The ROPC (Resource Owner Password Credentials) flow allows an application to exchange a user's username and password directly for an access token, bypassing the interactive login page where MFA prompts are typically triggered.
  • Attackers exploited the 'All Cloud Apps' exclusion list, which allowed legacy protocols to authenticate against specific service endpoints without triggering the Conditional Access engine.
  • The use of IPv6 addresses allowed the attackers to bypass traditional IPv4-based reputation filtering and rate-limiting mechanisms employed by many enterprise firewalls.
  • Token minting was achieved by abusing the 'Device Code' flow in conjunction with ROPC, allowing the attackers to maintain persistence even after the initial password was changed.
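The audit recommended under "What To Do Next" and the scoping gaps described above can be checked from a tenant's own data. The following is an added example, not code from Computerworld or Microsoft: it uses the field names of the Microsoft Graph conditionalAccessPolicy and signIn resources (state, conditions, grantControls, authenticationProtocol, status.errorCode) over constructed sample data, flags MFA policies that are report-only, scoped to specific apps, or carry user exclusions, and lists accounts that obtained a token through ROPC, which never passes through the interactive MFA prompt.

```python
"""Audit Entra ID Conditional Access policies and sign-in logs for the gaps the
page describes. Field names follow the Microsoft Graph conditionalAccessPolicy
and signIn resources; every sample value below is constructed, not real."""

def policy(name, state, apps, excl_users=()):
    """Build a trimmed conditionalAccessPolicy object (helper for the samples)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(excl_users)},
                           "applications": {"includeApplications": apps, "excludeApplications": []}},
            "grantControls": {"builtInControls": ["mfa"]}}

# Constructed sample of GET /identity/conditionalAccess/policies ("<...>" values are placeholders).
SAMPLE_POLICIES = [
    policy("MFA for one app only", "enabled", ["<app-id-placeholder>"]),
    policy("MFA for all apps, service accounts excluded", "enabled", ["All"], ["<svc-group-id>"]),
    policy("MFA for all apps (report-only)", "enabledForReportingButNotEnforced", ["All"]),
]

# Constructed sample sign-in records; errorCode 0 is a success, 50126 is a bad-password failure.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-backup@example.com", "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-sync@example.com", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}},
]

def enforces_mfa(p):
    """True only for enabled (not report-only or disabled) policies that require MFA."""
    controls = (p.get("grantControls") or {}).get("builtInControls") or []
    return p.get("state") == "enabled" and "mfa" in controls

def coverage_gaps(p):
    """Reasons an MFA policy does not cover every user on every cloud app."""
    apps, users = p["conditions"]["applications"], p["conditions"]["users"]
    gaps = []
    if "All" not in apps.get("includeApplications", []) or apps.get("excludeApplications"):
        gaps.append("app scope or exclusions")
    if "All" not in users.get("includeUsers", []) or users.get("excludeUsers"):
        gaps.append("user/group exclusions")
    return gaps

def audit_policies(policies):
    """Map each enforcing MFA policy to its gaps; an empty list means tenant-wide coverage."""
    return {p["displayName"]: coverage_gaps(p) for p in policies if enforces_mfa(p)}

def successful_ropc_signins(signins):
    """UPNs that obtained a token via ROPC, i.e. without an interactive MFA prompt."""
    return sorted({s["userPrincipalName"] for s in signins
                   if s.get("authenticationProtocol") == "ropc"
                   and s.get("status", {}).get("errorCode") == 0})
```

Against real tenant data, pull the policies and sign-ins with the Graph endpoints named in the comments and feed them to the same two functions; a tenant is covered only when at least one enforcing policy reports no gaps.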

Future Implications (AI analysis grounded in cited sources)

Microsoft will deprecate ROPC flow support entirely by Q4 2026.
The persistent abuse of legacy authentication flows has forced Microsoft to accelerate the sunsetting of insecure protocols to maintain enterprise security standards.
Enterprises will shift toward FIDO2-only authentication policies.
The failure of traditional MFA in this attack highlights the vulnerability of push-based notifications, driving a move toward phishing-resistant hardware keys.

โณ Timeline

2023-05
Microsoft announces the deprecation of Basic Authentication for legacy protocols.
2024-09
Microsoft introduces mandatory MFA for all Azure portal and administrative access.
2025-11
Microsoft updates Conditional Access defaults to include 'All Cloud Apps' by default.
2026-06
Massive password spray attack campaign detected targeting Microsoft 365 tenants.

AI-curated news aggregator. All content rights belong to original publishers.
Original source: Computerworld