An aggressive password-spraying campaign threw more than 81 million login attempts at Microsoft 365 tenants over a two-week window in late June, as reported by BleepingComputer. The attackers worked through usernames and passwords leaked in old breaches, then signed in via an outdated authentication method (ROPC) that skips the MFA prompt entirely. Security firm Huntress confirmed 78 accounts were compromised across 64 organisations.
Here’s the uncomfortable bit: most of the victims had MFA. It was switched on, but not enforced everywhere — applied to some apps but not all, to admins but not staff, only from “untrusted” locations, or left sitting in report-only mode. We see the same gaps regularly in Australian tenants we review: a Conditional Access policy someone set up two years ago and never enforced, or a legacy sign-in method kept alive so the office copier can scan to email. Attackers don’t pick the locked front door — they walk around to the side entrance you forgot about.
What to do: ask whoever manages your Microsoft 365 to confirm MFA applies to all users and all cloud apps, block legacy authentication and ROPC, and review sign-in logs for anything unusual between 12 and 26 June. This is under an hour’s work.
Not sure how your tenant is set up? Our Microsoft 365 team checks for this exact misconfiguration as part of every security review — it’s one of the most common gaps we find.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
