A Two Week Barrage of Login Attempts
A large-scale password spraying campaign targeted Microsoft 365 environments, generating over 81 million login attempts in a two-week period from June 12 to June 26. Researchers at Huntress observed the activity against their customers and identified that the attackers used credential pairs exposed in prior breaches. The threat actor authenticated through the Microsoft Azure command-line interface (Azure CLI), a legitimate tool that administrators use to manage cloud resources, so the logins did not stand out as an unusual client. Huntress confirmed that the campaign compromised 78 accounts across 64 different organizations.
How the Attack Bypassed Multi-Factor Authentication
The attackers used the Resource Owner Password Credentials (ROPC) OAuth flow. In this flow the client sends the username and password directly to the token endpoint and receives tokens back without an interactive multi-factor authentication (MFA) prompt, so any MFA enforcement has to come from Conditional Access evaluating that token request. Many organizations had configured Conditional Access policies for MFA that did not cover this request. Huntress noted several common misconfigurations: applying MFA only to specific applications instead of all cloud apps, enforcing MFA only for administrators, requiring MFA only from untrusted locations, and leaving policies in report-only mode. In some impacted organizations there was no MFA policy at all.

The activity originated from an IPv6 range belonging to LSHIY LLC (AS32167). Huntress reported a 155-fold increase in password spraying attacks, with organizations now averaging nearly 2,000 failed login attempts per tenant each month.
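The following is an added example, not code from the article or from Huntress, showing how a defender would check for the gaps listed above. The first half audits Conditional Access policies for the scoping mistakes Huntress called out (specific apps, admins only, trusted-location exclusions, report-only state) and includes the corrected all-users/all-apps policy alongside the weak ones; the second half triages Entra sign-in events for successful ROPC logins that satisfied no MFA requirement and ranks source IPs by failed-credential attempts. All policy and sign-in objects are constructed samples written in the shape of the Microsoft Graph conditionalAccessPolicy and signIn schemas; the app and role IDs are placeholders, and the IPv6 addresses are documentation space, not the AS32167 range.

```python
"""Added example (not the article's or Huntress's code): audit Conditional Access
policies for ROPC coverage gaps and triage sign-ins for MFA-less ROPC logins.
All data below is constructed sample data in the Microsoft Graph schema."""
from collections import Counter

# Constructed policies. "exchange-app-id" and "global-admin-role-id" are
# placeholders for the real GUIDs a tenant would carry.
POLICIES = [
    {"displayName": "MFA for Exchange only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["exchange-app-id"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["global-admin-role-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA outside office", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA all users (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    # The corrected policy: enforced, every user, every cloud app, every location.
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def audit_policy(policy):
    """Return the reasons this policy would not force MFA on an ROPC token request."""
    gaps = []
    if policy["state"] != "enabled":
        gaps.append("not enforced (state=%s)" % policy["state"])
    conds = policy["conditions"]
    if conds["applications"].get("includeApplications") != ["All"]:
        gaps.append("scoped to specific apps, not All cloud apps")
    if conds["users"].get("includeUsers") != ["All"]:
        gaps.append("scoped to specific users or roles, not all users")
    loc = conds.get("locations")
    if loc and loc.get("excludeLocations"):
        gaps.append("skipped for excluded locations: %s" % ",".join(loc["excludeLocations"]))
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control does not require MFA")
    return gaps


def tenant_covered(policies):
    """True only if at least one enforced policy requires MFA for all users, apps and locations."""
    return any(not audit_policy(p) for p in policies)


# Constructed sign-in events. 2001:db8::/32 is documentation space, not AS32167.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2001:db8:1::10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2001:db8:1::10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "2001:db8:1::11", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
]

INVALID_CREDENTIAL = 50126  # AADSTS50126: invalid username or password


def ropc_logins_without_mfa(signins):
    """Successful ROPC sign-ins that met no MFA requirement: the bypass used in the campaign."""
    return [(s["userPrincipalName"], s["appDisplayName"], s["ipAddress"])
            for s in signins
            if s["authenticationProtocol"] == "ropc"
            and s["status"]["errorCode"] == 0
            and s["authenticationRequirement"] != "multiFactorAuthentication"]


def spray_sources(signins):
    """Source IPs ranked by failed-credential attempts, to size the spray itself."""
    return Counter(s["ipAddress"] for s in signins
                   if s["status"]["errorCode"] == INVALID_CREDENTIAL).most_common()


if __name__ == "__main__":
    for p in POLICIES:
        print(p["displayName"], "->", audit_policy(p) or ["OK"])
    print("tenant covered by an all-users MFA policy:", tenant_covered(POLICIES))
    print("ROPC logins without MFA:", ropc_logins_without_mfa(SIGNINS))
    print("spray sources:", spray_sources(SIGNINS))
```

Run against a real tenant, the policy list would come from the Graph conditionalAccess/policies endpoint and the events from the auditLogs/signIns endpoint; the checks are deliberately strict, since each of the first four policies is the kind Huntress found in compromised tenants and only the last one closes the ROPC path.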
Source: BleepingComputer
