Campaign Launches 81 Million Password Spray Attempts Against Microsoft 365 Tenants

Huntress researchers observed a password spraying campaign that paired credentials leaked in past breaches with the legacy Resource Owner Password Credentials (ROPC) OAuth flow, which never presents an interactive MFA prompt, to compromise 78 Microsoft 365 accounts across 64 organizations.

CSBadmin
2 Min Read

A Two-Week Barrage of Login Attempts

A large-scale password spraying campaign targeted Microsoft 365 environments, generating over 81 million login attempts in a two-week period from June 12 to June 26. Researchers at Huntress observed the activity against their customers and found that the attackers used credential pairs exposed in prior breaches. The threat actor authenticated through the Azure command-line interface (Azure CLI), a legitimate tool administrators use to manage cloud resources, so the sign-ins arrived as a well-known first-party application rather than an obviously malicious client. Huntress confirmed that the campaign compromised 78 accounts across 64 different organizations.

How the Attack Bypassed Multi-Factor Authentication

The attackers used the Resource Owner Password Credentials (ROPC) OAuth flow. ROPC is not a vulnerability but a legacy grant: the client posts the username and password straight to the token endpoint in a single request, so there is no interactive sign-in in which a multi-factor authentication (MFA) prompt could be shown. A Conditional Access policy that requires MFA still rejects such a request, but only if the policy actually applies to the user, application and client involved. In many affected organizations it did not. Huntress noted several common misconfigurations: applying MFA only to specific applications instead of all cloud apps, enforcing MFA only for administrators, requiring MFA only from untrusted locations, and leaving policies in report-only mode. Some impacted organizations had no MFA policy at all.

The activity originated from an IPv6 range belonging to LSHIY LLC (AS32167). Huntress reported a 155-fold increase in password spraying attacks, with organizations now averaging nearly 2,000 failed login attempts per tenant each month.
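The misconfigurations listed above can be checked mechanically. The following is an added example, not code from the article or from Huntress: it audits Conditional Access policies given in the Microsoft Graph `conditionalAccessPolicy` JSON shape (`state`, `conditions.applications`, `conditions.users`, `conditions.locations`, `conditions.clientAppTypes`, `grantControls`) for each gap the article names, plus one extra check this page does not mention, based on the assumption that ROPC sign-ins from Azure CLI are classified under the `mobileAppsAndDesktopClients` client app type. The sample policies are constructed for the example; the app and role template IDs in them are the publicly documented Exchange Online and Global Administrator IDs.

```python
"""Audit Entra Conditional Access policies for MFA-coverage gaps.

Input objects follow the Microsoft Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES below are constructed for this example, not real tenant data.
"""
from __future__ import annotations

# Well-known IDs used only to make the constructed samples look realistic.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def requires_mfa(policy: dict) -> bool:
    """True if the policy's grant controls demand MFA (built-in or strength)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or \
        grant.get("authenticationStrength") is not None


def audit_policy(policy: dict) -> list[str]:
    """Return the coverage gaps of an MFA policy; an empty list means it
    applies to every user, every cloud app and every client, and is enforced."""
    findings: list[str] = []
    cond = policy.get("conditions") or {}

    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("report-only mode: policy is evaluated but never enforced")
    elif state != "enabled":
        findings.append(f"policy state is {state!r}, not enabled")

    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        findings.append("scoped to specific applications, not 'All' cloud apps")

    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        if users.get("includeRoles") and not users.get("includeGroups"):
            findings.append("scoped to directory roles (administrators) only")
        else:
            findings.append("does not include all users")

    locs = cond.get("locations") or {}
    if "AllTrusted" in (locs.get("excludeLocations") or []):
        findings.append("trusted locations excluded: MFA required only from untrusted IPs")
    include_locs = locs.get("includeLocations")
    if include_locs and "All" not in include_locs:
        findings.append("applies only to selected named locations")

    # Assumption: ROPC / Azure CLI sign-ins fall under mobileAppsAndDesktopClients,
    # so a browser-only policy never evaluates them.
    client_types = cond.get("clientAppTypes") or ["all"]
    if "all" not in client_types and "mobileAppsAndDesktopClients" not in client_types:
        findings.append("client app types exclude mobileAppsAndDesktopClients (ROPC/CLI sign-ins)")
    return findings


def tenant_gaps(policies: list[dict]) -> dict[str, list[str]]:
    """Map each MFA policy name to its gaps; report a tenant with no MFA
    policy at all under the key '<tenant>'."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    if not mfa_policies:
        return {"<tenant>": ["no Conditional Access policy requires MFA"]}
    return {p["displayName"]: audit_policy(p) for p in mfa_policies}


def has_full_mfa_coverage(policies: list[dict]) -> bool:
    """True if at least one enforced MFA policy has no coverage gap."""
    return any(requires_mfa(p) and not audit_policy(p) for p in policies)


MFA = {"operator": "OR", "builtInControls": ["mfa"]}
SAMPLE_POLICIES: list[dict] = [  # constructed sample data
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE_ID]},
                    "clientAppTypes": ["all"]}, "grantControls": MFA},
    {"displayName": "MFA for Exchange Online", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
                    "users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["all"]}, "grantControls": MFA},
    {"displayName": "MFA outside the office", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
                    "clientAppTypes": ["all"]}, "grantControls": MFA},
    {"displayName": "Browser MFA only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["browser"]}, "grantControls": MFA},
    {"displayName": "Baseline: MFA for all users, all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["all"]}, "grantControls": MFA},
]

if __name__ == "__main__":
    for name, gaps in tenant_gaps(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Running the block prints one line per MFA policy; only the baseline policy comes back clean, and dropping it from the list makes `has_full_mfa_coverage` false even though four other MFA policies exist, which is exactly the situation the article describes.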

Source: BleepingComputer
