Microsoft 365 password spray attacks are still working against real business accounts.
A recent Computerworld Australia report covered a large automated campaign targeting Microsoft 365 users. The campaign reportedly involved more than 81 million login attempts and compromised 78 accounts across 64 organisations. The attackers used exposed credentials and targeted weaknesses in multifactor authentication and Conditional Access configurations.
The useful lesson is practical.
Password spray attacks do not need to break Microsoft 365. They only need to find the gaps between what an organisation believes is protected and what is actually enforced.
How password spray works
A brute force attack targets one account with many password attempts. It is noisy and usually triggers lockouts. A password spray attack works differently. The attacker takes one password, or a small set of common or exposed passwords, and tries it across many accounts. Then they wait. Then they try another.
The goal is to avoid lockout thresholds and blend into normal authentication noise.
In a Microsoft 365 environment, the target list is easy to build. Email addresses are public. Staff names appear on websites, LinkedIn, procurement documents, Teams invitations, breach dumps, and old directories. From there, the attack becomes a test of identity configuration.
Is MFA enforced for every user and authentication path? Are Conditional Access policies applied consistently? Are legacy authentication protocols blocked? Are risky sign-ins detected quickly?
If the answer is unclear, password spray becomes a viable entry point.
Why Microsoft 365 is such a valuable target
A compromised Microsoft 365 account is rarely just an email problem.
For many organisations, Microsoft 365 is the front door to the business. One account can provide access to Outlook, Teams, SharePoint, OneDrive, calendars, internal files, customer conversations, invoices, HR records, supplier emails, and connected cloud applications.
An attacker can read email threads, search SharePoint, monitor Teams conversations, hide replies with inbox rules, forward mail, or send convincing phishing messages from a trusted internal account.
One successful login can create a path to fraud, data theft, business email compromise, and further cloud compromise.
The configuration gaps that let password spray succeed
Most successful Microsoft 365 password spray attacks do not rely on one failure. They rely on several small gaps aligning.
MFA is enabled, but not enforced everywhere
Many organisations say they have MFA. That can mean several things.
MFA may apply to administrators but not standard users. It may cover selected groups only. It may be skipped from trusted locations. It may not cover older authentication flows. It may be configured in report-only mode.
Attackers do not care whether MFA appears in a policy list. They care whether their login path actually triggers it.
Conditional Access has blind spots
Conditional Access is one of the most important controls in Microsoft Entra ID. It is also easy to misconfigure.
Policies can be scoped too narrowly, exclude risky groups, trust locations that are too broad, miss specific client apps, or remain in report-only mode. Identity controls need to be tested against real attack paths, not just reviewed as static settings.
Legacy authentication is still available
Legacy authentication remains a major exposure point because it can bypass or weaken modern controls.
Older protocols and authentication flows were not designed for today’s threat environment. Some do not support MFA properly. Others allow attackers to test credentials without the prompts users and administrators expect to see.
Where possible, legacy authentication should be disabled. Developer or command-line access should also be restricted to users who genuinely need it.
Monitoring is too reactive
Password spray attacks can generate thousands of failed logins. But the real priority is whether any password matched.
A single successful login after spray-like activity should trigger investigation. Monitoring should detect repeated failures across many accounts, successful logins from unfamiliar locations, unexpected client applications, inbox rule changes, unusual forwarding, and abnormal SharePoint, OneDrive, Teams, or mailbox activity.
Logging without response is record keeping, not protection.
Priority fixes
Password spray risk can be reduced with focused configuration work:
🔶 Enforce MFA for all users, across all relevant cloud applications and client types. Keep exceptions rare, documented, and regularly reviewed.
🔶 Review Conditional Access end to end. Check scope, exclusions, trusted locations, client apps, device requirements, user risk, sign-in risk, and enforcement mode.
🔶 Disable legacy authentication wherever possible. Restrict risky authentication flows and developer-oriented access methods.
🔶 Improve identity hygiene. Remove stale accounts. Review guest users. Tighten privileged access. Check service accounts. Strengthen joiner, mover, and leaver processes.
🔶 Make sign-in monitoring actionable. Successful credential validation, suspicious client apps, inbox rule changes, unusual forwarding, and abnormal file access should all have a defined response process.
The lesson
The latest password spray activity shows a familiar pattern.
Attackers are not always looking for sophisticated zero-days. Often, they are testing whether everyday cloud identity controls have been implemented completely. They know organisations rely on Microsoft 365. They know email addresses are easy to find. They know credentials are exposed in past breaches. They know MFA and Conditional Access are sometimes partial, inconsistent, or misconfigured.
That makes Microsoft 365 hardening a business priority, not just an IT hygiene task.
Tecala’s Cyber team helps organisations assess and strengthen their Microsoft 365 security posture across identity, Conditional Access, MFA, privileged access, monitoring, and incident response readiness.
The goal is simple. Make sure the controls that appear to be in place are actually protecting the accounts, applications, and data the business depends on.
Unsure whether your Microsoft 365 security controls are configured correctly?
👉 Use our contact form to request a Microsoft 365 Security Assessment and get a clear view of where improvements can be made.