Massive Microsoft 365 password spray attack exposed
🔒 Microsoft 365 users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth 2.0 Resource Owner Password Credentials (ROPC) flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.
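As an added example (not from the article, Huntress or Microsoft), a minimal detection over constructed sign-in records for the spray shape described above: ROPC sign-ins are grouped by source block (IPv6 /64, IPv4 /24), and a block that hits many distinct accounts within a short window is flagged together with any accounts it succeeded against. The record schema, addresses and account names are constructed, not a vendor log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sign-ins (not real indicators). grant_type "password" is
# the OAuth 2.0 wire value for the ROPC grant; other grants are ignored here.
SAMPLE_EVENTS = [
    ("2025-06-12T01:00:00", "alice@example.test", "2001:db8:1::10", "password", "fail"),
    ("2025-06-12T01:00:07", "bob@example.test", "2001:db8:1::11", "password", "fail"),
    ("2025-06-12T01:00:15", "carol@example.test", "2001:db8:1::12", "password", "fail"),
    ("2025-06-12T01:00:22", "dave@example.test", "2001:db8:1::13", "password", "success"),
    ("2025-06-12T01:00:30", "erin@example.test", "2001:db8:1::14", "password", "fail"),
    ("2025-06-12T03:00:00", "alice@example.test", "2001:db8:1::20", "password", "fail"),
    ("2025-06-12T09:00:00", "frank@example.test", "203.0.113.5", "authorization_code", "success"),
    ("2025-06-12T09:05:00", "frank@example.test", "203.0.113.5", "authorization_code", "success"),
]

def source_prefix(ip):
    """Collapse a source address to its block: /64 for IPv6, /24 for IPv4.
    Sprays rotate hosts inside one allocation, so count per block, not per address."""
    addr = ipaddress.ip_address(ip)
    plen = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_interface(f"{ip}/{plen}").network)

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {prefix: (max distinct accounts in one window, sorted list of
    accounts with a successful ROPC sign-in)} for blocks that reach min_users."""
    by_prefix = defaultdict(list)
    for ts, user, ip, grant, result in events:
        if grant == "password":  # ROPC only: the flow replayed in this campaign
            by_prefix[source_prefix(ip)].append((datetime.fromisoformat(ts), user, result))
    hits = {}
    for prefix, evs in by_prefix.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users:
                succ = {u for _, u, r in win if r == "success"}
                prev = hits.get(prefix, (0, set()))
                hits[prefix] = (max(prev[0], len(users)), prev[1] | succ)
    return {p: (n, sorted(s)) for p, (n, s) in hits.items()}

if __name__ == "__main__":
    for prefix, (n, compromised) in detect_spray(SAMPLE_EVENTS).items():
        print(f"{prefix}: {n} accounts targeted via ROPC; succeeded against {compromised}")
```

Flagged accounts are the ones to treat as compromised and re-secure; the grant filter is what separates this spray from ordinary interactive sign-in noise.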