Password‑Spraying Campaign Compromises 78 Microsoft 365 Accounts Across 64 Organizations
What Happened — Over a two‑week period, threat actors launched a password‑spraying attack against Microsoft 365 tenants, generating more than 81 million login attempts. Using exposed username/password pairs, they authenticated via Azure CLI’s ROPC flow, bypassing MFA where Conditional Access policies were mis‑configured. Huntress confirmed 78 compromised accounts in 64 organizations.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a failure to enforce SOC 2 CC6.1 (Logical Access) controls: MFA was not universally applied or was excluded for the ROPC flow.
- Highlights the need for continuous evidence that Conditional Access policies are correctly scoped and enforced, a key audit artifact for SOC 2 readiness.
- Provides a real‑world example of why security‑awareness training and credential‑hygiene programs must be documented and regularly tested.
Who Is Affected – Primarily SaaS‑focused enterprises (technology, professional services, finance) that rely on Microsoft 365 for collaboration and cloud resource management.
Recommended Actions –
- Review and tighten Conditional Access policies: enforce MFA for All Cloud Apps and for All Users, not just privileged groups.
- Disable or restrict the ROPC OAuth flow; require modern authentication methods that support MFA/SSO.
- Implement credential‑reuse detection and automated password‑spray alerts in your SIEM.
- Document policy changes and monitoring results as audit evidence for SOC 2 CC6.1.
Source: BleepingComputer
Technical Notes – Attack vector: password‑spraying using leaked credentials; exploited the Resource Owner Password Credentials (ROPC) OAuth grant, which bypasses MFA when Conditional Access is not comprehensive. No specific CVE; the issue is a misconfiguration of authentication flows. Source: same as above