
81 million login attempts - Mass attack on Microsoft accounts

Researchers are warning of a new wave of attacks targeting Microsoft 365 accounts. The attackers are testing login credentials en masse, sometimes successfully.


Security researchers at Huntress have observed an attack campaign in which attackers attempt to log into other people's Microsoft accounts using password spraying, i.e., by systematically trying previously leaked login credentials. More than 81 million login attempts were made between June 12th and 26th alone. At least 78 accounts are believed to have been successfully compromised.

According to reports, the attackers are targeting Microsoft 365 environments. They are using the Microsoft Azure CLI (Command-Line Interface) to carry out their attacks. Relevant complaints and discussions from affected administrators can be found on Reddit, among other platforms.

It is still unclear who exactly is behind the attack. However, according to Huntress, the source of the login attempts is the Autonomous System AS32167 and an IPv6 address range assigned to a provider called LSHIY LLC. Some of the IP addresses used were located in the USA, but most were in China.

Vulnerable MFA configurations

According to the report, the attackers are using, among other things, the OAuth 2.0 ROPC (Resource Owner Password Credentials) flow for password spraying. As Microsoft makes clear in the associated documentation, this flow is considered outdated and should no longer be used because it does not support multi-factor authentication (MFA).

According to the researchers, the affected companies often had inadequate MFA policies. Some had enabled MFA for Microsoft accounts but hadn't considered the ROPC process. In some cases, MFA was only enforced for untrusted IP address ranges or for specific apps or user groups (such as administrators).

Data from old data leaks

Many applications and users remained vulnerable due to these configuration errors. Attackers then needed only a valid username and password combination to achieve a successful login. In the campaign observed by Huntress, they tested a massive number of login credentials that had been contained in previous data leaks and had not been changed since.

Against this backdrop, the Huntress researchers recommend enforcing MFA for all users and apps and blocking ROPC processes. They also recommend restricting non-administrators from using the Azure CLI.
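An added example, not taken from the article or the Huntress report, showing the detection side of these recommendations: it groups ROPC sign-ins by source autonomous system, flags sources that try many different accounts, and lists any password-only successes. The record fields are modelled on Microsoft Entra sign-in log fields and are assumptions, as are the function names; the sample records are constructed.

```python
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # Entra error code for a wrong username or password

def signin(user, asn, protocol, error_code, requirement="singleFactorAuthentication"):
    """Build one constructed record shaped like an Entra sign-in log entry."""
    return {
        "userPrincipalName": user,
        "autonomousSystemNumber": asn,
        "authenticationProtocol": protocol,
        "authenticationRequirement": requirement,
        "appDisplayName": "Microsoft Azure CLI",
        "status": {"errorCode": error_code},
    }

# Constructed sample data; the AS numbers come from the documentation range.
SAMPLE = [
    signin("alice@example.com", 64500, "ropc", INVALID_CREDENTIALS),
    signin("bob@example.com", 64500, "ropc", INVALID_CREDENTIALS),
    signin("carol@example.com", 64500, "ropc", INVALID_CREDENTIALS),
    signin("dave@example.com", 64500, "ropc", 0),  # password-only success
    signin("alice@example.com", 64500, "ropc", INVALID_CREDENTIALS),
    signin("erin@example.com", 64501, "ropc", INVALID_CREDENTIALS),  # single user
    signin("frank@example.com", 64502, "oAuth2", 0, "multiFactorAuthentication"),
]

def find_ropc_spray(signins, min_users=3):
    """Group ROPC sign-ins by source AS and report those that hit many users."""
    by_asn = defaultdict(lambda: {"users": set(), "failures": 0, "compromised": set()})
    for s in signins:
        if s.get("authenticationProtocol", "").lower() != "ropc":
            continue  # only the ROPC flow is of interest here
        entry = by_asn[s["autonomousSystemNumber"]]
        entry["users"].add(s["userPrincipalName"])
        code = s["status"]["errorCode"]
        if code == INVALID_CREDENTIALS:
            entry["failures"] += 1
        elif code == 0 and s["authenticationRequirement"] == "singleFactorAuthentication":
            entry["compromised"].add(s["userPrincipalName"])
    return {
        asn: {"users": len(e["users"]), "failures": e["failures"],
              "compromised": sorted(e["compromised"])}
        for asn, e in by_asn.items() if len(e["users"]) >= min_users
    }

if __name__ == "__main__":
    for asn, summary in find_ropc_spray(SAMPLE).items():
        print(f"AS{asn}: {summary}")
```

Accounts listed under `compromised` signed in with a password alone over ROPC, which is the MFA gap the researchers describe.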

This is not the first password-spraying attack targeting Microsoft 365 users. In early 2025, researchers at SecurityScorecard warned of a botnet comprising 130,000 compromised devices used for similar attacks.
