Cyber Web Spider Blog – News

Microsoft 365 Under Attack: 81 Million Login Attempts Recorded

Posted on July 1, 2026 By CWS

A recent large-scale cyber attack has been identified, targeting Microsoft 365 users through an automated password spray campaign. This attack exploits vulnerabilities in Microsoft’s Azure Command-Line Interface (CLI) and legacy OAuth flows, compromising Entra ID accounts despite the presence of multi-factor authentication (MFA).

Massive Login Attempts and Compromised Accounts

The cybersecurity firm Huntress is monitoring a significant increase in password-and-token spray activities aimed at Microsoft 365 and Azure CLI logins. Between June 12 and June 26, 2026, more than 81 million login attempts were recorded against Huntress’s customer tenants, resulting in the compromise of at least 78 accounts within 64 organizations.

Daily account compromises were initially low, ranging from two to four, but rose sharply on June 22 to 30 user identities across 23 businesses. This surge marks a significant escalation in the attack campaign.

Broader Trends and Attack Tactics

Huntress reports a 155-fold increase in credential spray volume over the past six months, with a current mean of approximately 1,964 failed attempts per tenant monthly. Attackers are opportunistically targeting credentials from previous breaches rather than focusing on specific industries.

The majority of attack traffic originates from the IPv6 range 2a0a:d683::/32, linked to the internet infrastructure provider LSHIY LLC. This company is associated with addresses in Hong Kong, Wuhan, and a shared office in New York, complicating efforts to trace its true operational base.

Exploiting Weaknesses in Authentication

The attackers exploit the OAuth Resource Owner Password Credentials (ROPC) flow by replaying previously breached credentials. This flow, deprecated in OAuth 2.1, has no interactive authorization step, which allows attackers to bypass MFA.
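The triage below is an added example, not code from Huntress or the article: it groups failed ROPC sign-ins by source block to spot a spray, then lists users with a successful single-factor ROPC sign-in from a spraying block or from the range the article names. The record keys, the sample users and addresses, and the /32 and /24 grouping widths are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ARTICLE_RANGE = ipaddress.ip_network("2a0a:d683::/32")  # range named in the article

# Constructed sample records. Keys are simplified stand-ins for sign-in log
# fields (assumption); error 0 is success, 50126 is an invalid-credentials failure.
SAMPLE = [
    {"user": "ana@contoso.example", "ip": "2a0a:d683:11::5", "protocol": "ropc", "error": 50126, "mfa": False},
    {"user": "ben@contoso.example", "ip": "2a0a:d683:2f::9", "protocol": "ropc", "error": 50126, "mfa": False},
    {"user": "cy@contoso.example", "ip": "2a0a:d683:a0::1", "protocol": "ropc", "error": 50126, "mfa": False},
    {"user": "cy@contoso.example", "ip": "2a0a:d683:77::3", "protocol": "ropc", "error": 0, "mfa": False},
    {"user": "dee@contoso.example", "ip": "203.0.113.20", "protocol": "ropc", "error": 0, "mfa": False},
    {"user": "eve@contoso.example", "ip": "198.51.100.7", "protocol": "ropc", "error": 50126, "mfa": False},
    {"user": "ana@contoso.example", "ip": "192.0.2.10", "protocol": "oAuth2", "error": 0, "mfa": True},
]

def source_block(ip):
    """Collapse an address to its /32 (IPv6) or /24 (IPv4) so rotating hosts group together."""
    addr = ipaddress.ip_address(ip)
    prefix = 32 if addr.version == 6 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def triage(records, min_users=3):
    """Return (spraying source blocks, users to treat as likely compromised)."""
    failed = defaultdict(set)
    for r in records:
        if r["protocol"] == "ropc" and r["error"] != 0:
            failed[source_block(r["ip"])].add(r["user"])
    # A spray shows up as one source block failing against many distinct users.
    spray = {block for block, users in failed.items() if len(users) >= min_users}

    hits = set()
    for r in records:
        # Only successful ROPC sign-ins that were satisfied without MFA matter here.
        if r["protocol"] != "ropc" or r["error"] != 0 or r["mfa"]:
            continue
        if source_block(r["ip"]) in spray or ipaddress.ip_address(r["ip"]) in ARTICLE_RANGE:
            hits.add(r["user"])
    return sorted(map(str, spray)), sorted(hits)

if __name__ == "__main__":
    blocks, users = triage(SAMPLE)
    print("spraying blocks:", blocks)
    print("review and reset:", users)
```

The successful ROPC sign-in from 203.0.113.20 is not flagged because its block shows no spray activity, but any single-factor ROPC success is still worth an inventory of which client is using the flow.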

Huntress identified critical configuration gaps in many impacted tenants’ MFA and Conditional Access Policies (CAP). These include limiting MFA to specific apps or groups, misconfigured geolocation, and report-only policies that fail to enforce security controls.
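As an added example (not Huntress's or Microsoft's tooling), the check below runs over exported Conditional Access policies and reports the gaps listed above: report-only state, MFA scoped to specific apps or groups, and location exclusions. The policies are constructed in the shape of Microsoft Graph `conditionalAccessPolicy` objects; the display names and placeholder ids are made up.

```python
# Constructed policies shaped like Microsoft Graph conditionalAccessPolicy objects.
# Display names, the app placeholder and the named-location id are made up.
POLICIES = [
    {"displayName": "MFA - portal only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["<app-id-placeholder>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA - everyone (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA - outside office", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["<named-location-id>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def controls_of(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def audit(policy):
    """Return the coverage gaps the article lists for one MFA or block policy."""
    if not controls_of(policy) & {"mfa", "block"}:
        return []  # not an MFA or block policy, out of scope here
    cond = policy.get("conditions") or {}
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("not enforced (state=%s)" % policy.get("state"))
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        gaps.append("scoped to specific users or groups")
    if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
        gaps.append("scoped to specific apps")
    if (cond.get("locations") or {}).get("excludeLocations"):
        gaps.append("location exclusion: verify the named location")
    return gaps

def tenant_has_full_mfa(policies):
    """True only if some enforced MFA or block policy covers all users and apps with no gap."""
    return any(bool(controls_of(p) & {"mfa", "block"}) and not audit(p) for p in policies)

if __name__ == "__main__":
    for p in POLICIES:
        print(p["displayName"], "->", audit(p) or "no gaps")
    print("tenant fully covered:", tenant_has_full_mfa(POLICIES))
```

Each sample policy looks reasonable on its own, yet none of the three enforces MFA for every user and app, which is the condition a non-interactive ROPC sign-in slips through.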

Mitigation Strategies and Recommendations

Security experts, including Huntress, recommend treating Azure CLI and ROPC as high-risk areas, requiring adjustments to CAP configurations. Organizations should enforce MFA across all users and applications, block access where necessary, and ensure strong client-level authentication.

Disabling legacy grants and tightening named locations are crucial steps in enhancing security. Continuous testing of CAP behavior using tools like Microsoft’s “What If” simulator can help detect and correct policy weaknesses.

By implementing these measures, organizations can better protect against such large-scale cyber threats and secure their Microsoft 365 environments.
