Microsoft 365 hit by massive password spray attack

Critical security warning: learn how to blunt OAuth ROPC password-spray attacks by scoping your MFA Conditional Access policies correctly.
30-Second TL;DR
What Changed
81 million attempts resulted in 78 successful account compromises.
Why It Matters
This incident highlights the need for MFA policies that cover every application and every client type. Organizations relying on partial MFA coverage remain exposed to automated password spraying and to non-interactive token requests (such as the OAuth ROPC grant) that never show a login page.
What To Do Next
Audit your Microsoft 365 tenant to ensure MFA is enforced for 'All Cloud Apps' and all client app types, rather than for specific applications or groups, and that the policy is enabled rather than report-only.
Deep Insight
AI-generated analysis for this event.
Enhanced Key Takeaways
- The campaign paired password spraying with the OAuth ROPC (Resource Owner Password Credentials) grant. ROPC is non-interactive and raises no MFA push prompt, so 'MFA fatigue' (push bombing) plays no part in it; the bypass came from Conditional Access policies scoped too narrowly to require MFA for the resource the attacker requested.
- Microsoft's Threat Intelligence team identified that the threat actor routed attempts through proxy infrastructure and rotated through thousands of unique user-agent strings, defeating detections keyed on a fixed client fingerprint.
- The LSHIY LLC IPv6 range was identified as a bulletproof hosting provider frequently associated with state-sponsored cyber espionage groups.
- Microsoft has since updated its default security baseline to block ROPC flows automatically for all new tenants to prevent similar exploitation.
- Security researchers noted that the 78 compromised accounts were primarily service accounts, which cannot complete an interactive MFA challenge and so sat outside user-focused MFA enforcement. ROPC is itself an OAuth 2.0 grant, so the problem was not a lack of modern authentication but a lack of policy coverage for those identities.
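As an added example (not from the Computerworld article or this aggregator), the detection logic below groups Entra ID sign-in records by source prefix and flags the campaign's signature: one source hitting many distinct accounts over ROPC with a tiny success rate. It is Python over a constructed sample in the shape Microsoft Graph returns for signIn objects; the field names are real, while the records, the contoso.com accounts, the 2001:db8::/32 documentation prefix and the thresholds are assumptions, and the error-code meanings (0 success, 50126 bad credentials, 50076 MFA required) are stated in the code as the example's own mapping.

```python
"""Flag ROPC password spraying in Entra ID sign-in records.

Added example; the records below are constructed, not tenant data.
Field names follow Microsoft Graph signIn objects (userPrincipalName,
ipAddress, authenticationProtocol, clientAppUsed, status.errorCode).
Error codes as used by this example: 0 = success,
50126 = invalid username or password, 50076 = MFA required, not satisfied.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def signin(upn, ip, proto, code, client="Mobile Apps and Desktop clients"):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "authenticationProtocol": proto,
        "clientAppUsed": client,
        "status": {"errorCode": code},
    }


# Constructed sample: a spray from one IPv6 /64 (2001:db8:1::/64) rotating
# through several addresses, plus two ordinary browser sign-ins.
SAMPLE_SIGNINS = [
    signin("svc-backup@contoso.com", "2001:db8:1::1", "ropc", 50126),
    signin("alice@contoso.com",      "2001:db8:1::2", "ropc", 50126),
    signin("bob@contoso.com",        "2001:db8:1::3", "ropc", 50076),  # MFA blocked it
    signin("carol@contoso.com",      "2001:db8:1::1", "ropc", 50126),
    signin("dave@contoso.com",       "2001:db8:1::4", "ropc", 50126),
    signin("erin@contoso.com",       "2001:db8:1::2", "ropc", 50126),
    signin("svc-backup@contoso.com", "2001:db8:1::5", "ropc", 0),      # no MFA policy applied
    signin("alice@contoso.com",      "2001:db8:1::3", "ropc", 50126),
    signin("bob@contoso.com",   "203.0.113.10", "oAuth2", 0,     client="Browser"),
    signin("carol@contoso.com", "198.51.100.5", "oAuth2", 50126, client="Browser"),
]


def source_key(ip: str) -> str:
    """Group IPv6 by /64 so rotation inside one allocation counts as one
    source; IPv4 stays per address (/32)."""
    prefix = 64 if ip_address(ip).version == 6 else 32
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def summarize_sources(records):
    """Per-source attempt count, distinct targets, successes and protocols."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "successes": 0, "compromised": set(),
                                 "protocols": set()})
    for r in records:
        s = stats[source_key(r["ipAddress"])]
        s["attempts"] += 1
        s["users"].add(r["userPrincipalName"])
        s["protocols"].add(r["authenticationProtocol"])
        if r["status"]["errorCode"] == 0:
            s["successes"] += 1
            s["compromised"].add(r["userPrincipalName"])
    return stats


def detect_spray(records, min_users=5, max_success_rate=0.2):
    """A source is a spray when it touches many distinct accounts and
    almost always fails. Returns {source: summary}; 'compromised' lists
    accounts that did sign in from a spraying source and need review."""
    flagged = {}
    for src, s in summarize_sources(records).items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "successes": s["successes"],
                "success_rate": round(rate, 3),
                "protocols": sorted(s["protocols"]),
                "compromised": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for src, summary in detect_spray(SAMPLE_SIGNINS).items():
        print(src, summary)
```

Grouping by /64 is the point: the campaign rotated through addresses inside one IPv6 allocation, and a rule that counts per address never sees enough failures from any single one to fire. On the constructed sample only the 2001:db8:1::/64 source is flagged, with svc-backup@contoso.com listed as the account to review.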
Competitor Analysis
| Feature | Microsoft 365 | Google Workspace | Okta Workforce Identity |
|---|---|---|---|
| MFA Enforcement | Conditional Access (Policy-based) | Context-Aware Access | Adaptive MFA (Risk-based) |
| Auth Protocols | OAuth 2.0 (including the ROPC grant, which Microsoft does not recommend) | OAuth 2.0, SAML | SAML, OIDC, WS-Fed |
| Threat Detection | Microsoft Defender XDR | Google Security Operations | Okta Identity Threat Protection |
Technical Deep Dive
- The ROPC (Resource Owner Password Credentials) grant lets a client POST a username and password straight to the token endpoint (grant_type=password) and receive access and refresh tokens, with no browser and no interactive login page where an MFA prompt would normally appear. If a Conditional Access policy does require MFA for the requested resource, the ROPC request simply fails; the attack works only where no such policy applies.
- The gap the attackers exploited was policy scope: Conditional Access policies that required MFA only for specific applications (or excluded some) rather than for 'All Cloud Apps'. A ROPC token request naming a resource outside the policy's scope is evaluated against no MFA requirement, so a correct password is enough.
- Sourcing the attempts from IPv6 addresses let the attackers slip past reputation filtering and rate limiting that many enterprise firewalls and SIEM rules still key on IPv4 addresses, and a single /64 allocation supplies enough addresses to spread attempts thinly.
- The analysis also points to the Device Code flow, alongside ROPC, as a way of obtaining tokens. Whichever grant is used, the token response includes a refresh token; an access token stays valid until it expires, and a password reset by itself is not a reliable revocation of tokens already issued, so persistence survives until the user's sessions are revoked explicitly (for example with the Microsoft Graph revokeSignInSessions action).
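To make the scoping gap concrete, here is an added audit (this editor's example, not code from the article, from Microsoft or from the aggregator) that walks a list of Conditional Access policies in the JSON shape returned by Microsoft Graph GET /identity/conditionalAccess/policies and reports every MFA policy a ROPC token request would evade: scoped to named apps instead of All, report-only, limited to browser clients, or not applied to every user. The four policies are constructed; the Exchange Online first-party application ID is the well-known one, and treating 'all' and 'mobileAppsAndDesktopClients' as the client app types under which a ROPC request is evaluated is this example's own assumption.

```python
"""Audit Entra ID Conditional Access policies for MFA coverage gaps that a
ROPC token request slips through.  Added example; the policies are
constructed in the shape of Graph conditionalAccessPolicy objects.
"""

# Client app types under which a non-browser OAuth request such as ROPC is
# evaluated (assumption of this example).
ROPC_CLIENT_TYPES = {"all", "mobileAppsAndDesktopClients"}
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online


def policy(name, state, apps, client_types, controls,
           exclude_apps=(), include_users=("All",), exclude_users=()):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": list(apps),
                             "excludeApplications": list(exclude_apps)},
            "users": {"includeUsers": list(include_users),
                      "excludeUsers": list(exclude_users)},
            "clientAppTypes": list(client_types),
        },
        "grantControls": {"builtInControls": list(controls)},
    }


# Constructed tenant: every policy looks like MFA, none of them catches ROPC.
POLICIES = [
    policy("MFA for Exchange Online", "enabled", [EXCHANGE_ONLINE], ["all"], ["mfa"]),
    policy("MFA all apps (pilot)", "enabledForReportingButNotEnforced",
           ["All"], ["all"], ["mfa"]),
    policy("MFA all apps, browser only", "enabled", ["All"], ["browser"], ["mfa"]),
    policy("Block legacy auth", "enabled", ["All"],
           ["exchangeActiveSync", "other"], ["block"]),
]

# The corrected policy: All cloud apps, all users, all client types, MFA.
FIXED_POLICY = policy("Require MFA for all cloud apps", "enabled",
                      ["All"], ["all"], ["mfa"])


def requires_mfa(p):
    return "mfa" in p["grantControls"]["builtInControls"]


def mfa_gaps(policies):
    """Return (policy name, reason) for each MFA policy a ROPC request can evade."""
    findings = []
    for p in policies:
        if not requires_mfa(p):
            continue  # block/other controls are out of scope here
        name = p["displayName"]
        c = p["conditions"]
        if p["state"] != "enabled":
            findings.append((name, f"not enforced (state={p['state']})"))
        if c["applications"]["includeApplications"] != ["All"]:
            findings.append((name, "scoped to named apps; a token request for "
                                   "any other resource gets no MFA"))
        if c["applications"]["excludeApplications"]:
            findings.append((name, "excludes applications; those resources get no MFA"))
        if not ROPC_CLIENT_TYPES & set(c["clientAppTypes"]):
            findings.append((name, "does not cover mobile/desktop clients, "
                                   "where ROPC requests are evaluated"))
        if c["users"]["includeUsers"] != ["All"] or c["users"]["excludeUsers"]:
            findings.append((name, "does not apply to every user"))
    return findings


def has_tenant_wide_mfa(policies):
    """True when at least one enforced MFA policy covers All apps, all users
    and the client types under which ROPC is evaluated, with no exclusions."""
    return any(requires_mfa(p) and not mfa_gaps([p]) for p in policies)


if __name__ == "__main__":
    for name, reason in mfa_gaps(POLICIES):
        print(f"{name}: {reason}")
    print("tenant-wide MFA:", has_tenant_wide_mfa(POLICIES))
    print("after fix:", has_tenant_wide_mfa(POLICIES + [FIXED_POLICY]))
```

Against a live tenant, feed the value array from the Graph policies endpoint (Policy.Read.All permission) into mfa_gaps in place of the constructed list. The three findings on the sample are exactly the shapes this campaign relied on: a per-app policy, a report-only pilot, and a browser-only policy all leave a password-only ROPC request unchallenged, and only the added tenant-wide policy makes has_tenant_wide_mfa true.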
AI-curated news aggregator. All content rights belong to original publishers.
Original source: Computerworld



