Inside the Credential Spray Hitting Microsoft 365
Failed to add items
Add to basket failed.
Add to wishlist failed.
Remove from wishlist failed.
Adding to library failed
Follow podcast failed
Unfollow podcast failed
-
Narrated by:
-
By:
This week we're digging into a Huntress report that came out on June 30th, updated just a couple days ago on July 2nd a large-scale password spray campaign that hit Microsoft 365 environments through Azure CLI. Between June 12th and June 26th, Huntress tracked more than 81 million login attempts, leading to at least 78 compromised accounts across 64 organizations.
What makes this one worth a full conversation isn't just the volume it's that a lot of the businesses hit already had Conditional Access policies and MFA in place. The attackers got in anyway, by using a deprecated OAuth flow called ROPC that quietly sidesteps MFA if your policy isn't scoped correctly. So this is really a story about the gap between "MFA is turned on" and "MFA is actually enforced everywhere it needs to be."
Andrew “Spike” Brandt, Principal Threat Intelligence, Incident Commander at Huntress, sat down with us to unpack what happened, why it worked, and what to actually go check in your own client environments this week.