Inside the Credential Spray Hitting Microsoft 365 cover art

Inside the Credential Spray Hitting Microsoft 365

Inside the Credential Spray Hitting Microsoft 365

Listen for free

View show details

This week we're digging into a Huntress report that came out on June 30th, updated just a couple days ago on July 2nd a large-scale password spray campaign that hit Microsoft 365 environments through Azure CLI. Between June 12th and June 26th, Huntress tracked more than 81 million login attempts, leading to at least 78 compromised accounts across 64 organizations.

What makes this one worth a full conversation isn't just the volume it's that a lot of the businesses hit already had Conditional Access policies and MFA in place. The attackers got in anyway, by using a deprecated OAuth flow called ROPC that quietly sidesteps MFA if your policy isn't scoped correctly. So this is really a story about the gap between "MFA is turned on" and "MFA is actually enforced everywhere it needs to be."

Andrew “Spike” Brandt, Principal Threat Intelligence, Incident Commander at Huntress, sat down with us to unpack what happened, why it worked, and what to actually go check in your own client environments this week.

adbl_web_anon_alc_button_suppression_t1
No reviews yet