A widespread attack campaign in June 2026 saw hackers launch over 81 million login attempts on Microsoft 365 accounts, exploiting an OAuth flow vulnerability and improperly set Conditional Access policies to bypass multi-factor authentication protections.

  • 81 million login attempts hit Microsoft 365 over two weeks
  • Attackers abused OAuth ROPC flow to bypass multi-factor authentication
  • 78 accounts compromised due to misconfigured Conditional Access policies

What happened

Between June 12 and 26, 2026, hackers conducted a highly aggressive password spraying campaign targeting Microsoft 365 accounts. They attempted over 81 million logins using previously leaked credentials. By abusing the OAuth Resource Owner Password Credentials (ROPC) flow through Azure CLI commands, the attackers circumvented multi-factor authentication protections in place.

Investigations revealed that many organizations had Conditional Access policies configured in such a way that MFA was not enforced on this specific authentication path. This allowed attackers to send passwords directly to the token endpoint without triggering MFA prompts, resulting in 78 Microsoft accounts across 64 organizations being successfully compromised.

Why it matters

The attack highlights critical vulnerabilities in the implementation of Conditional Access policies and the dangers of relying on the ROPC OAuth flow, which does not support modern authentication methods such as MFA or single sign-on. Improper configuration can lead to security gaps, even when MFA is nominally enabled, putting corporate environments at risk.

Organizations that enforced MFA only under certain conditions, such as for specific user groups or untrusted IP addresses, or that left the policy in report-only mode, remained vulnerable to these attacks. The breach not only exposes sensitive data but also increases the risk of further compromise through access to cloud services and internal resources.

What to watch next

Security teams should urgently review and update their Conditional Access policies to cover all authentication methods, including legacy OAuth flows like ROPC. Disabling or restricting the use of ROPC where possible and ensuring MFA enforcement across all login paths is critical to mitigate similar attacks in the future.
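One way to start that review is to check exported policies for the three gaps named above (group-only scope, location-only scope, report-only mode). This is an added example, not code from the source article or from Microsoft: the field names follow the Microsoft Graph conditionalAccessPolicy resource, and the policies are constructed samples. Application and client-app-type scoping are not examined here.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects (/identity/conditionalAccess/policies); not real tenant data.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "MFA - admins only", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["<group-id>"]},
                 "locations": null},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA - outside office", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "locations": {"includeLocations": ["All"],
                               "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA - everyone (pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "locations": null},
  "grantControls": {"builtInControls": ["mfa"]}}
]
""")

def mfa_gaps(policy):
    """Reasons an MFA policy leaves some sign-ins without an MFA requirement."""
    gaps = []
    cond = policy.get("conditions") or {}
    if policy.get("state") == "enabledForReportingButNotEnforced":
        gaps.append("report-only: logged but not enforced")
    elif policy.get("state") != "enabled":
        gaps.append("disabled")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("applies only to specific users or groups")
    loc = cond.get("locations")  # null/absent means every location is in scope
    if loc and ("All" not in (loc.get("includeLocations") or [])
                or loc.get("excludeLocations")):
        gaps.append("applies only from some network locations")
    return gaps

def audit(policies):
    """Map each MFA-granting policy to its gaps; an empty list means none found."""
    return {p["displayName"]: mfa_gaps(p) for p in policies
            if "mfa" in ((p.get("grantControls") or {}).get("builtInControls") or [])}

def has_unconditional_mfa(policies):
    """True if at least one enforced policy requires MFA for all users, everywhere."""
    return any(not gaps for gaps in audit(policies).values())

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(gaps) or 'no gaps found'}")
    print("tenant-wide MFA policy present:", has_unconditional_mfa(SAMPLE_EXPORT))
```

A tenant for which `has_unconditional_mfa` returns False has at least one sign-in path, by user, location or enforcement state, where a password alone can be enough.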

Continuous monitoring for unusual login patterns and implementing additional safeguards such as conditional access based on device compliance and location will enhance resilience. The attack also underscores the importance of regular credential hygiene, including password resets and the use of threat intelligence to identify compromised accounts.

Source assisted: This briefing began from a discovered source item from TechRadar.