Overview
- The automated campaign made more than 81 million login attempts between June 12 and June 26 and resulted in at least 78 compromised Microsoft accounts across 64 organizations.
- Attackers relied on the deprecated OAuth Resource Owner Password Credentials (ROPC) flow, which posts the username and password directly to the token endpoint in a single request; it cannot complete an interactive MFA challenge and does not support single sign-on.
- ROPC cannot satisfy an MFA requirement, so wherever a Conditional Access policy demanded MFA the sign-in simply failed; the logins that succeeded hit tenants whose policies were scoped only to certain apps, groups, locations, or client types and left these sign-ins uncovered, and eight impacted businesses had no MFA policy at all.
- Huntress traced most of the traffic to an IPv6 range (2a0a:d683::/32) tied to LSHIY (AS32167), reported the abuse to the provider, and said it received no response.
- Huntress researchers advise administrators to rotate every breached credential, require MFA for all users across all cloud apps and client app types, block legacy authentication including ROPC, and restrict Azure CLI access for non-administrators to prevent further compromise.
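The detection side of that advice, as an added example that is not from Huntress or the original article: a Python triage script over constructed Entra ID sign-in records that picks out ROPC sign-ins (authenticationProtocol is "ropc" in the Microsoft Graph signIn schema), groups them by source address to spot spraying, checks whether the source falls inside the reported 2a0a:d683::/32 range, and lists the accounts where an ROPC sign-in actually succeeded, which are the ones whose credentials need rotating. The records, user names and addresses are constructed; the AADSTS error codes used (0 for success, 50126 for a bad password, 50076 for MFA required) are Microsoft's documented values.

```python
"""Triage Entra ID sign-in records for ROPC password spraying.

Added example, not Huntress's tooling. The records below are constructed;
field names follow the Microsoft Graph signIn schema (authenticationProtocol,
clientAppUsed, ipAddress, status.errorCode), but every value is made up.
"""
import ipaddress
from collections import defaultdict

# Range Huntress attributed most of the campaign traffic to.
REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")

# AADSTS result codes as documented by Microsoft.
SUCCESS = 0
INVALID_CREDS = 50126   # invalid username or password
MFA_REQUIRED = 50076    # policy demanded MFA, which ROPC cannot complete


def _rec(user, ip, code, protocol="ropc", app="Microsoft Azure CLI"):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "userPrincipalName": user,
        "ipAddress": ip,
        "authenticationProtocol": protocol,
        "clientAppUsed": "Browser" if protocol == "oAuth2" else "Mobile Apps and Desktop clients",
        "appDisplayName": app,
        "status": {"errorCode": code},
    }


# Constructed sample: one source spraying four accounts (one success, one
# stopped by an MFA requirement), a second source in the same range, an ROPC
# success from elsewhere, and an ordinary interactive sign-in for contrast.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2a0a:d683:1:2::10", INVALID_CREDS),
    _rec("bob@example.com", "2a0a:d683:1:2::10", INVALID_CREDS),
    _rec("carol@example.com", "2a0a:d683:1:2::10", SUCCESS),
    _rec("dave@example.com", "2a0a:d683:1:2::10", MFA_REQUIRED),
    _rec("alice@example.com", "2a0a:d683:ffff::7", INVALID_CREDS),
    _rec("bob@example.com", "198.51.100.9", SUCCESS),
    _rec("erin@example.com", "203.0.113.5", SUCCESS, protocol="oAuth2",
         app="Office 365 Exchange Online"),
]


def is_ropc(record):
    return record.get("authenticationProtocol") == "ropc"


def in_reported_range(ip):
    # An IPv4 address is simply not a member of an IPv6 network; no exception.
    return ipaddress.ip_address(ip) in REPORTED_RANGE


def summarize_by_ip(records):
    """Per-source counts of ROPC attempts, broken down by outcome."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "invalid_creds": 0,
                                 "mfa_required": 0, "users": set()})
    for r in records:
        if not is_ropc(r):
            continue
        s = stats[r["ipAddress"]]
        s["attempts"] += 1
        s["users"].add(r["userPrincipalName"])
        code = r["status"]["errorCode"]
        if code == SUCCESS:
            s["successes"] += 1
        elif code == INVALID_CREDS:
            s["invalid_creds"] += 1
        elif code == MFA_REQUIRED:
            s["mfa_required"] += 1
    return dict(stats)


def spray_sources(records, min_users=3):
    """Sources that tried ROPC against at least min_users distinct accounts."""
    return sorted(ip for ip, s in summarize_by_ip(records).items()
                  if len(s["users"]) >= min_users)


def ropc_successes(records):
    """Accounts where an ROPC sign-in completed: treat as breached, rotate."""
    return sorted({r["userPrincipalName"] for r in records
                   if is_ropc(r) and r["status"]["errorCode"] == SUCCESS})


def report(records):
    lines = []
    for ip, s in sorted(summarize_by_ip(records).items()):
        tag = " [reported range]" if in_reported_range(ip) else ""
        lines.append(f"{ip}{tag}: {s['attempts']} ROPC attempts against {len(s['users'])} users, "
                     f"{s['successes']} success, {s['invalid_creds']} bad password, "
                     f"{s['mfa_required']} MFA-required")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNINS):
        print(line)
    print("spraying from:", spray_sources(SAMPLE_SIGNINS))
    print("rotate credentials for:", ropc_successes(SAMPLE_SIGNINS))
```

Reading the output the way a responder would: a source with many distinct users and mostly 50126 failures is a spray; a 50076 against that source means a Conditional Access policy did its job for that user; an ROPC success from the same source is an account whose sign-in no MFA policy covered, and it needs its credential rotated and its sessions reviewed regardless of whether the source sits in the reported range. In real sign-in logs these ROPC requests show up as "Mobile Apps and Desktop clients", not in the "Other clients" bucket, which is why Huntress's advice to require MFA for every user, app and client type matters in addition to the legacy-auth block.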