Microsoft 365 users fall victim to one-in-a-million password spray attack
Summary
Microsoft 365 users were targeted by a large-scale password spray attack involving roughly 81 million login attempts over two weeks, resulting in at least 78 successful compromises (about one success per million attempts, hence the name). Credentials that the spray confirmed as valid were then replayed through the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, a non-interactive flow in which the client posts the username and password straight to the token endpoint and which therefore cannot complete an MFA challenge. Where Conditional Access did not require MFA for every cloud app and every user group, those ROPC token requests succeeded without MFA.
IFF Assessment
This attack demonstrates a working method for bypassing MFA wherever it is not enforced uniformly. It poses a significant threat to Microsoft 365 tenants and highlights a weakness in a common security configuration: MFA policies scoped to selected apps or groups rather than to all cloud apps and all users.
Defender Context
This incident highlights the continued risk of password spray attacks, even against cloud services with MFA. Defenders should ensure MFA is required for all users and all cloud applications, with no app or group exclusions that a password-only token request could fall into; note that ROPC uses the modern OAuth 2.0 token endpoint, so a policy that only blocks legacy authentication clients does not cover it. Because ROPC cannot satisfy an MFA prompt, any successful ROPC sign-in in the Entra ID sign-in logs is direct evidence that the policy gap exists for that user and app. Monitoring should look for a single source address failing against many distinct accounts with a small number of attempts each (the spray signature), followed by successful ROPC sign-ins from the same address.
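The detection described above, as an added example that is not part of the original report or of any Microsoft tooling: it runs over constructed Entra ID sign-in records (not real tenant data) shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, authenticationProtocol, status.errorCode), flags source IPs that fail with AADSTS50126 (invalid password) against many distinct accounts, then reports successful ROPC sign-ins from those IPs as likely credential replay. The threshold of 10 distinct accounts is an assumption to tune per tenant, and the IP addresses are documentation ranges.

```python
"""Spot a password spray followed by ROPC credential replay in Entra ID sign-in logs."""
from collections import defaultdict

INVALID_PASSWORD = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0                # status.errorCode 0: sign-in succeeded
SPRAY_MIN_USERS = 10       # assumed threshold: distinct accounts one IP must fail against


def make_sample_signins():
    """Constructed sign-in records (not real tenant data) in Graph signIn shape."""
    spray_ip = "203.0.113.10"  # TEST-NET-3 documentation address
    events = []
    # One wrong guess each against 12 distinct accounts from the spray IP.
    for i in range(12):
        events.append({
            "userPrincipalName": f"user{i:02d}@example.com",
            "ipAddress": spray_ip,
            "authenticationProtocol": "authorizationCode",
            "status": {"errorCode": INVALID_PASSWORD},
        })
    # The one credential that validated is replayed through ROPC from the same IP.
    events.append({
        "userPrincipalName": "user07@example.com",
        "ipAddress": spray_ip,
        "authenticationProtocol": "ropc",
        "status": {"errorCode": SUCCESS},
    })
    # Benign noise: a user mistypes a password twice from home, then succeeds.
    for code in (INVALID_PASSWORD, INVALID_PASSWORD, SUCCESS):
        events.append({
            "userPrincipalName": "alice@example.com",
            "ipAddress": "198.51.100.7",
            "authenticationProtocol": "authorizationCode",
            "status": {"errorCode": code},
        })
    # A legacy script using ROPC from an unrelated IP: not replay, but still an MFA gap.
    events.append({
        "userPrincipalName": "svc-backup@example.com",
        "ipAddress": "192.0.2.44",
        "authenticationProtocol": "ropc",
        "status": {"errorCode": SUCCESS},
    })
    return events


def find_spray_sources(events, min_users=SPRAY_MIN_USERS):
    """Map source IP -> set of distinct accounts it failed against with a wrong password.

    A spray is few attempts per account across many accounts, so the signal is the
    number of distinct targets per IP, not the number of attempts.
    """
    targets = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == INVALID_PASSWORD:
            targets[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: users for ip, users in targets.items() if len(users) >= min_users}


def find_ropc_replays(events, spray_sources):
    """Successful ROPC token grants from an IP already seen spraying: the credential
    validated by the spray being replayed through the non-interactive ROPC flow."""
    return [
        (e["ipAddress"], e["userPrincipalName"])
        for e in events
        if e["authenticationProtocol"] == "ropc"
        and e["status"]["errorCode"] == SUCCESS
        and e["ipAddress"] in spray_sources
    ]


def ropc_accounts(events):
    """Every account with a successful ROPC sign-in. ROPC cannot complete an MFA
    challenge, so each of these is a user/app pair the MFA policy did not cover."""
    return sorted({
        e["userPrincipalName"]
        for e in events
        if e["authenticationProtocol"] == "ropc" and e["status"]["errorCode"] == SUCCESS
    })


if __name__ == "__main__":
    evts = make_sample_signins()
    sources = find_spray_sources(evts)
    for ip, users in sources.items():
        print(f"spray source {ip}: {len(users)} distinct accounts targeted")
    for ip, upn in find_ropc_replays(evts, sources):
        print(f"ROPC replay: {upn} from {ip}")
    print("accounts reachable via ROPC without MFA:", ropc_accounts(evts))
```

The same three functions work on the output of the Graph sign-in logs API or a sign-in log export once it is loaded into a list of dictionaries; the `ropc_accounts` inventory is the quickest way to find which users and apps a Conditional Access policy is still leaving open.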