A spray, not a breakthrough

The security firm Huntress disclosed a password-spraying campaign that ran from 12 to 26 June 2026, peaking on 22 June, in which more than 81 million login attempts were aimed at Microsoft 365 accounts. The traffic came from an IPv6 range registered to a single operator, and the attackers were not guessing passwords blind. They were replaying username and password pairs harvested from earlier, unrelated breaches, betting that people reuse credentials across services. Out of that flood, 78 accounts were compromised across 64 organisations.

What makes this notable is the absence of anything exotic. There was no zero-day, no clever malware, no supply-chain trick. It was volume plus reused credentials plus one weak authentication path. That combination is available to any commodity attacker, which is exactly why it is worth an owner's attention: the technique is cheap, repeatable, and aimed at the identity layer that most businesses assume they have already secured with multi-factor authentication.

How the logins got past MFA

The mechanism was a legacy sign-in path. The attackers authenticated through Azure command-line tooling using the Resource Owner Password Credentials flow, known as ROPC, an older OAuth method that accepts a username and password directly and, in many tenants, does not trigger a multi-factor prompt at all. Where a tenant had MFA switched on but scoped narrowly, the reused credentials walked straight through the gap. Huntress found the same misconfigurations again and again: MFA applied only to selected applications, MFA enforced only for administrator groups, MFA required only from untrusted locations, and Conditional Access policies left in report-only mode where they log but never block.

The non-obvious lesson is that MFA is not a switch; it is a coverage map. A tenant can pass an audit that asks whether MFA exists and still leave a legacy door unlocked. The attackers did not defeat multi-factor authentication; they found the sign-ins where it was never being asked for. That distinction is the whole story, and it is invisible unless someone checks which authentication paths a tenant still allows.

The half-hour that closes the gap

This is a configuration problem with a configuration answer, and most of it is a short administrative session rather than a purchase. Block legacy authentication and disable the ROPC flow, so username-and-password sign-ins that skip MFA are simply refused. Enforce multi-factor authentication across every application and every sign-in, not just admin accounts or untrusted locations, and move Conditional Access out of report-only into active blocking. Then check the sign-in logs for the failed-spray pattern and reset any credential that a past breach may have exposed.
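The log check in the last step, as an added example that is not from Huntress or the original post: it groups sign-in records by source block, flags blocks whose failures hit many distinct accounts, and lists the successes from those blocks that never met an MFA challenge. The records are constructed and simplified, and the field names, thresholds and the /64 grouping are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Entra ID sign-in records, reduced to the fields the
# check needs. The field names follow the sign-in log schema (errorCode 0 is a
# success, 50126 is a bad username/password); users and addresses are invented
# and use the 2001:db8::/32 documentation prefix.
SIGNINS = [
    {"user": "a.lee@example.com",  "ip": "2001:db8:1:2::10", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "b.ng@example.com",   "ip": "2001:db8:1:2::11", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "c.ruiz@example.com", "ip": "2001:db8:1:2::12", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "d.ok@example.com",   "ip": "2001:db8:1:2::13", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "e.sato@example.com", "ip": "2001:db8:1:2::14", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "a.lee@example.com",  "ip": "2001:db8:1:2::15", "app": "Microsoft Azure CLI", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "f.kim@example.com",  "ip": "2001:db8:1:2::16", "app": "Microsoft Azure CLI", "errorCode": 0,     "auth": "singleFactorAuthentication"},
    {"user": "f.kim@example.com",  "ip": "2001:db8:9::1",    "app": "Office 365 Exchange Online", "errorCode": 50126, "auth": "singleFactorAuthentication"},
    {"user": "f.kim@example.com",  "ip": "2001:db8:9::1",    "app": "Office 365 Exchange Online", "errorCode": 0,     "auth": "multiFactorAuthentication"},
]

def source_key(ip: str) -> str:
    """Collapse an address to the block one operator would typically hold:
    /64 for IPv6, /24 for IPv4 (a heuristic; the campaign above used one range)."""
    addr = ipaddress.ip_address(ip)
    bits = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def spray_report(records, min_failures=5, min_users=4):
    """Return {source_block: summary} for blocks whose failed logins spread over
    many distinct accounts, with the single-factor successes from those blocks."""
    per_source = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for r in records:
        s = per_source[source_key(r["ip"])]
        if r["errorCode"] == 0:
            s["successes"].append(r)
        else:
            s["failures"] += 1
            s["users"].add(r["user"])
    report = {}
    for src, s in per_source.items():
        if s["failures"] < min_failures or len(s["users"]) < min_users:
            continue
        # A success from a spraying source that never met an MFA challenge is
        # the credential to reset and the sign-in path to close.
        bypassed = sorted({r["user"] for r in s["successes"] if r["auth"] == "singleFactorAuthentication"})
        report[src] = {"failures": s["failures"], "targeted_users": len(s["users"]),
                       "single_factor_successes": bypassed,
                       "apps": sorted({r["app"] for r in s["successes"]})}
    return report
```

Calling `spray_report(SIGNINS)` flags only the `2001:db8:1:2::/64` block and names the one account whose reused password succeeded without an MFA prompt; the single typo from the benign address stays below both thresholds.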

For a European business there is a second reason to move quickly. If reused credentials open a mailbox holding personal data, the incident can trigger a notification duty under the GDPR within 72 hours, so a quiet identity gap can become a reportable event and a regulator conversation. The cost of closing the door is an afternoon of configuration; the cost of leaving it open is measured in disclosure obligations and lost trust. Treat the identity layer as the perimeter it has become.