81 million login attempts later: how one campaign bypassed MFA across 64 organizations
What Huntress found
Between June 12 and June 26, 2026, Huntress observed a password-spraying campaign targeting Microsoft 365 environments that generated more than 81 million login attempts. By the end of the two-week window, 78 accounts across 64 organizations were compromised.
The infrastructure behind the campaign traces to an IPv6 range owned by LSHIY LLC (AS32167). Attribution beyond that is unclear.
The MFA bypass
Most defenders look at this headline, shrug, and say "we have MFA." That is the wrong reaction.
The attacker authenticated via Microsoft's Azure command-line interface using the ROPC (Resource Owner Password Credentials) OAuth flow. ROPC is a legacy authentication mechanism that exchanges a username and password directly for a token, bypassing the interactive login flow where MFA prompts appear.
The attack worked because many organizations have Conditional Access policies that enforce MFA on browser sign-ins but leave ROPC uncovered. The attacker found valid credential pairs from past breach databases, tried them through Azure CLI via ROPC, and landed sessions with no MFA challenge.
How prevalent is this gap?
Huntress reported a 155-fold increase in password-spraying activity year-over-year. The scale of this campaign is unusual, but the underlying technique is not new. ROPC has been exploitable for years. The credential pairs came from existing breach dumps.
What changed is the targeting: modern environments have more Azure CLI and DevOps tooling than ever, and those tools often depend on service accounts with ROPC-compatible policies that were never tightened after MFA rollout.
What to do
- Block ROPC in Conditional Access. Create a policy in Microsoft Entra that blocks legacy authentication for all users with no exceptions.
- Audit service accounts and app registrations for ROPC grants and rotate credentials for any that have it enabled.
- Enable Entra ID sign-in risk policies to flag anomalous authentication patterns, particularly high-volume attempts from single IP blocks or IPv6 ranges.
If you are running Microsoft 365 and have not explicitly blocked legacy authentication flows, assume this gap exists in your environment until you verify otherwise.
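As an added example (not part of Huntress's report or this post), here is a small Python triage script that runs over Entra ID sign-in log records and surfaces the two things described above: successful ROPC sign-ins that carried no MFA requirement, and source blocks that tried many distinct accounts, which is the shape of a password spray. The field names follow the Microsoft Graph signIn resource; the records themselves are constructed, and the /64 grouping and the spray threshold of three accounts are assumptions for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample sign-in records (one JSON object per line). Field names follow
# the Microsoft Graph signIn resource; every value below is made up for this example.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","ipAddress":"2001:db8:1:2::10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","ipAddress":"2001:db8:1:2::11","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","ipAddress":"2001:db8:1:2::12","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.5","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""


def source_block(ip: str) -> str:
    """Collapse an address to its /64 (IPv6) or /24 (IPv4) so a whole range counts as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def analyze(raw: str, spray_threshold: int = 3) -> dict:
    """Return ROPC sign-ins that succeeded without MFA, plus source blocks that
    attempted at least `spray_threshold` distinct accounts (assumed threshold)."""
    mfa_bypass = []
    users_per_block = defaultdict(set)
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        block = source_block(rec["ipAddress"])
        users_per_block[block].add(rec["userPrincipalName"])  # failures count too
        succeeded = rec["status"]["errorCode"] == 0  # 0 = success; 50126 = bad password
        if (succeeded and rec["authenticationProtocol"] == "ropc"
                and rec["authenticationRequirement"] != "multiFactorAuthentication"):
            mfa_bypass.append((rec["userPrincipalName"], rec["ipAddress"], rec["appDisplayName"]))
    spray_sources = {b: len(u) for b, u in users_per_block.items() if len(u) >= spray_threshold}
    return {"mfa_bypass": mfa_bypass, "spray_sources": spray_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_SIGNINS)
    for upn, ip, app in result["mfa_bypass"]:
        print(f"ROPC sign-in without MFA: {upn} from {ip} via {app}")
    for block, n in result["spray_sources"].items():
        print(f"spray-like source {block}: {n} distinct accounts")
```

On real data, feed it the JSON export of the sign-in logs and raise the threshold to fit your tenant's normal traffic; any non-empty `mfa_bypass` list is the gap this post describes.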
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want help auditing your Conditional Access posture.