81 Million Login Attempts: A Massive Password Spray Attack Hit Microsoft 365 Users

Criminals hammered Microsoft accounts with automated login attempts for two weeks. At least 78 accounts were broken into — and many victims had multi-factor authentication switched on, just not set up correctly.

ThreatVectr Newsdesk· 3 min read
Extreme close-up of a server rack's blinking status lights in a darkened data centre, rows of ethernet cables in cool blue and amber tones, shallow depth of fie
Share

Key points

  • Between June 12 and 26, 2025, criminals made 81 million automated attempts to break into Microsoft accounts belonging to customers of security firm Huntress.
  • At least 78 accounts were successfully broken into during the two-week attack window.
  • Every attempt came from a single block of internet addresses controlled by a provider called LSHIY LLC, which has since cut off the customer responsible.
  • Attackers used a specific Microsoft login method called OAuth ROPC — explained below — to slip past some multi-factor authentication setups.
  • Many victims had multi-factor authentication turned on, but it was configured too narrowly to block the method the criminals actually used.

Security company Huntress was watching closely when the attack began, first reported by CSO Online. A slow rise in suspicious login attempts started on June 12. Then, on June 22, the volume exploded — 30 Huntress customers were hit in a single day.

Eighty-one million attempts. That number sounds almost abstract. Think of it as a robot sitting at a keyboard, trying a different password every fraction of a second, every hour, for fourteen days, against accounts belonging to real businesses.

This technique is called a password spray attack. Instead of hammering one account with thousands of guesses — which triggers lockouts — attackers try one or two common passwords against millions of different accounts. It flies under the radar. It is boring, methodical, and it works.

How did the hackers get past multi-factor authentication?

Many targeted organisations did have multi-factor authentication — the system that sends a second verification step, like a text message or app prompt, before letting someone log in — switched on. That should have stopped this cold. It didn't, because of a gap in how it was set up.

The criminals used something called the OAuth ROPC flow. OAuth is the standard that lets apps request access to your account; ROPC, which stands for Resource Owner Password Credentials, is an older part of that standard where an app hands a username and password directly to Microsoft's login server and gets back an access token — a kind of temporary digital key — in return. No browser pop-up. No second-factor prompt.

Some organisations had set their multi-factor authentication rules to cover only certain apps — Microsoft's admin portals, for example — but not every possible login route. The ROPC method came in through a different door: the Azure command-line tool, a text-based way of managing Microsoft services. That door was unguarded.

Others had restricted multi-factor authentication to administrators only. Ordinary staff accounts were outside that policy's scope. Those are the accounts that got taken.

If you are a business owner or IT manager using Microsoft 365 — Microsoft's suite of office and email tools — check that your multi-factor authentication policy applies to All Cloud Apps, not a named list. A named list has gaps. Gaps get found.

If you are an employee who received an unexpected account-activity alert or a login notification from somewhere unfamiliar between June 12 and 26, report it to your IT team now. Change your password. A suspicious notification is not nothing.

© 2026 Threat Vectr