An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.
The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches.
Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.
Once a valid pair was found, the attacker authenticated through the ROPC (Resource Owner Password Credentials) OAuth grant, which in many environments bypassed multi-factor authentication (MFA) because the Conditional Access policies were not configured to cover that flow.
Managed cybersecurity company Huntress observed the campaign targeting its customers between June 12 and 26 and confirmed that the threat actor compromised 78 Microsoft accounts across 64 organizations.
Figure: Activity peak on June 22 (Source: Huntress)
“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress explains.
“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn't offer support for modern auth flows like MFA or SSO.”
“That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt.”
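The following is an added detection example and not code from the article or from Huntress. It runs over constructed Entra ID sign-in records shaped like the Microsoft Graph signIn resource (the records, names and IPs are made up) and flags two things the campaign combines: one source IP failing against many distinct accounts (spraying), and a subsequent successful ROPC sign-in from that source that satisfied only a single factor.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, one JSON object per line, using the
# field names of the Microsoft Graph signIn resource. Values are made up;
# errorCode 50126 is "invalid username or password", 0 is success.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","ipAddress":"198.51.100.4","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"erin@example.com","ipAddress":"198.51.100.4","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"none","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def spray_sources(records, min_distinct_users=3):
    """Map each IP to the distinct accounts it failed against, keeping only
    IPs at or above the threshold: many users from one source is the spray
    pattern, unlike repeated failures against a single user."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failed[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_distinct_users}


def ropc_single_factor_successes(records, suspicious_ips):
    """Successful ROPC sign-ins that required only a single factor and came
    from a spraying source: the MFA gap the article describes."""
    return [
        (r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
        for r in records
        if r["status"]["errorCode"] == 0
        and r["authenticationProtocol"] == "ropc"
        and r["authenticationRequirement"] == "singleFactorAuthentication"
        and r["ipAddress"] in suspicious_ips
    ]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    ips = spray_sources(recs)
    for ip, users in ips.items():
        print(f"spray source {ip}: {len(users)} distinct accounts targeted")
    for upn, ip, app in ropc_single_factor_successes(recs, ips):
        print(f"ALERT single-factor ROPC success: {upn} from {ip} via {app}")
```

On real data, the same query is the starting point for a Conditional Access review: any successful `ropc` sign-in with `singleFactorAuthentication` shows a flow the MFA policy did not cover.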