CISOOnline

Microsoft 365 users fall victim to one-in-a-million password spray attack

The attacks all came from a single source, an IPv6 address range controlled by internet provider LSHIY LLC, Huntress said in a blog post. LSHIY has since terminated access for the customer using the IP addresses involved in the attack.

Huntress had been monitoring spray attacks for some time and had noticed a slight increase from June 12, and then a sudden spike on June 22 when 30 of its customers were affected.

The attackers replayed validated credentials via the OAuth ROPC (Resource Owner Password Credentials) flow. This flow accepts a username and password at a tenant's /token endpoint and, when the credentials are correct, mints a new user-delegated token. This was possible because multi-factor authentication (MFA) had not been configured to handle the techniques deployed by the attackers.
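For defenders reviewing their own sign-in logs, the pattern described above (ROPC sign-ins against many accounts from one IPv6 range) can be checked as in the following added example, which is not from the article or from Huntress. The record field names, the /64 grouping, the three-user threshold and the sample addresses (IPv6 documentation range) are assumptions to map onto your own log export.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records; field names are hypothetical.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "2001:db8:10:1::a1", "protocol": "ropc", "success": False},
    {"user": "bob@example.com", "ip": "2001:db8:10:1::b2", "protocol": "ropc", "success": False},
    {"user": "carol@example.com", "ip": "2001:db8:10:1::c3", "protocol": "ropc", "success": True},
    {"user": "dave@example.com", "ip": "2001:db8:10:1::d4", "protocol": "ropc", "success": False},
    {"user": "erin@example.com", "ip": "2001:db8:99:7::1", "protocol": "interactive", "success": True},
    {"user": "erin@example.com", "ip": "2001:db8:99:7::1", "protocol": "ropc", "success": True},
]

def source_network(ip, v6_prefix=64):
    """Collapse an address to its network so one IPv6 range counts as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = v6_prefix if addr.version == 6 else 32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def find_ropc_spray(signins, min_users=3):
    """Flag networks whose ROPC sign-ins touch at least min_users distinct accounts."""
    targeted = defaultdict(set)
    succeeded = defaultdict(set)
    for rec in signins:
        if rec["protocol"] != "ropc":
            continue  # only the non-interactive password flow is of interest here
        net = source_network(rec["ip"])
        targeted[net].add(rec["user"])
        if rec["success"]:
            # A success means the password was valid and a token was minted.
            succeeded[net].add(rec["user"])
    findings = []
    for net, users in targeted.items():
        if len(users) >= min_users:
            findings.append({
                "network": str(net),
                "users_targeted": len(users),
                "accounts_to_reset": sorted(succeeded[net]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_ropc_spray(SAMPLE_SIGNINS):
        print(finding)
```

Accounts listed under `accounts_to_reset` had a successful ROPC sign-in from the flagged range and are the ones to prioritize for password reset and token revocation.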


