HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Password‑Spraying Campaign Compromises 78 Microsoft 365 Accounts Across 64 Organizations

Hackers generated 81 million login attempts against Microsoft 365, using leaked credentials and the ROPC OAuth flow to bypass MFA, compromising 78 accounts in 64 firms. The incident underscores the importance of robust access‑control policies and continuous audit evidence for SOC 2 readiness.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Password‑Spraying Campaign Compromises 78 Microsoft 365 Accounts Across 64 Organizations

What Happened — Over a two‑week period, threat actors launched a password‑spraying attack against Microsoft 365 tenants, generating more than 81 million login attempts. Using exposed username/password pairs, they authenticated via Azure CLI’s ROPC flow, bypassing MFA where Conditional Access policies were mis‑configured. Huntress confirmed 78 compromised accounts in 64 organizations.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure to enforce SOC 2 CC6.1 (Logical Access) controls: MFA was not universally applied or was excluded for the ROPC flow.
  • Highlights the need for continuous evidence that Conditional Access policies are correctly scoped and enforced, a key audit artifact for SOC 2 readiness.
  • Provides a real‑world example of why security‑awareness training and credential‑hygiene programs must be documented and regularly tested.

Who Is Affected – Primarily SaaS‑focused enterprises (technology, professional services, finance) that rely on Microsoft 365 for collaboration and cloud resource management.

Recommended Actions

  • Review and tighten Conditional Access policies: enforce MFA for All Cloud Apps and for All Users, not just privileged groups.
  • Disable or restrict the ROPC OAuth flow; require modern authentication methods that support MFA/SSO.
  • Implement credential‑reuse detection and automated password‑spray alerts in your SIEM.
  • Document policy changes and monitoring results as audit evidence for SOC 2 CC6.1.

Source: BleepingComputer

Technical Notes – Attack vector: password‑spraying using leaked credentials; exploited the Resource Owner Password Credentials (ROPC) OAuth grant, which bypasses MFA when Conditional Access is not comprehensive. No specific CVE; the issue is a misconfiguration of authentication flows. Source: same as above

📰 Original Source
https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-365-accounts-with-81-million-login-attempts/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →