Hackers Target Microsoft 365 With 81 Million Login Attempts | Sync Up

258

MFA is supposed to make stolen passwords harder to use, but that protection depends on how it is set up. This week, we’re looking at a Microsoft 365 password-spraying campaign that put those settings to the test more than 81 million times, as we sit down and sync up with Rocket IT’s weekly technology update.

In this episode, you’ll hear more about:

  • How a Microsoft 365 password-spraying campaign generated more than 81 million login attempts.
  • Why attackers use old or previously exposed passwords across many accounts.
  • How MFA settings can miss certain users, apps, locations, or sign-in paths.
  • Why Conditional Access policies need to be reviewed and fully enforced.
  • What Microsoft 365 users and organizations can do to strengthen account security.

Video Transcript

Researchers at cybersecurity company Huntress observed a large password-spraying campaign targeting Microsoft 365 accounts between June 12 and June 26, 2026.

Now, password spraying is a little different from someone repeatedly trying to break into one account. Instead, attackers take commonly used passwords, or passwords that have already been exposed in previous breaches, and test them across a large number of accounts.

The idea is simple. Rather than making hundreds of attempts against one person and setting off obvious alerts, attackers spread those attempts across many users and organizations. In this case, the attackers appeared to be using username and password combinations that had been exposed before but were never changed.

Now, you might think multi-factor authentication would keep those accounts secure, even if the login credentials were stolen. But there was a catch.

Attackers were not just trying to sign in through a normal Microsoft 365 login page. They attempted to authenticate through Microsoft’s Azure command-line interface, which is a tool typically used by administrators to manage cloud resources.

That matters because, in some environments, this specific sign-in path was not covered by the organization’s multi-factor authentication settings.

Huntress found that some affected organizations had MFA turned on, but only for certain users, certain applications, or certain locations. Others had policies sitting in report-only mode, which means the rule could observe what was happening but would not actually block or challenge the sign-in.

So, for someone trying to protect their account or business, this story is less about whether MFA exists and more about whether it is protecting the right areas.

For many of us, once MFA is enabled, it is easy to assume the job is done. But attackers are often looking for the gaps that get missed. The account that still has an old password. The user who is not included in the policy. The app that was not covered. Or the setting that was configured but never fully enforced.

Even though most of the 81 million login attempts failed, the campaign still led to confirmed account compromises. And at that scale, attackers do not need a high success rate. They only need a few openings.

For Microsoft 365 users, this is a good reminder to use strong, unique passwords and change any that may have been exposed in the past. It is also worth paying attention to unexpected sign-in alerts, MFA prompts, or account activity that does not look familiar.

For organizations, the bigger takeaway is to review how account security is actually configured. MFA and Conditional Access are powerful tools, but they work best when they are applied broadly, enforced properly, and checked regularly as threats change.

This is where having the right IT partner matters. Rocket IT helps businesses strengthen Microsoft 365 environments by reviewing account security settings, identifying configuration gaps, and making sure protections like MFA and Conditional Access are doing what they are supposed to do.

For help, reach out using the link in this video’s description. And to stay up to date on trending technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.

Related Posts

Subscribe to Rocket IT's Newsletter

Stay up to date on trending technology news and important updates.

CTA2

Find out if Rocket IT is the right partner for your team

Claim a free consultation with a technology expert.

Fed up with IT support that falls short?

Claim a free 30-minute consultation and explore three key practices to evaluate the maturity of your help desk.