Copilot-Header-image-no-type-no-logo

Microsoft 365 Password Spray Attacks: The Configuration Gaps That Let Them In

Microsoft 365 password spray attacks are still working against real business accounts.

A recent Computerworld Australia report covered a large automated campaign targeting Microsoft 365 users. The campaign reportedly involved more than 81 million login attempts and compromised 78 accounts across 64 organisations. The attackers used exposed credentials and targeted weaknesses in multifactor authentication and Conditional Access configurations.

The useful lesson is practical.

Password spray attacks do not need to break Microsoft 365. They only need to find the gaps between what an organisation believes is protected and what is actually enforced.

A brute force attack targets one account with many password attempts. It is noisy and usually triggers lockouts. A password spray attack works differently. The attacker takes one password, or a small set of common or exposed passwords, and tries it across many accounts. Then they wait. Then they try another.

The goal is to avoid lockout thresholds and blend into normal authentication noise.

In a Microsoft 365 environment, the target list is easy to build. Email addresses are public. Staff names appear on websites, LinkedIn, procurement documents, Teams invitations, breach dumps, and old directories. From there, the attack becomes a test of identity configuration.

Is MFA enforced for every user and authentication path? Are Conditional Access policies applied consistently? Are legacy authentication protocols blocked? Are risky sign-ins detected quickly?

A compromised Microsoft 365 account is rarely just an email problem.

For many organisations, Microsoft 365 is the front door to the business. One account can provide access to Outlook, Teams, SharePoint, OneDrive, calendars, internal files, customer conversations, invoices, HR records, supplier emails, and connected cloud applications.

An attacker can read email threads, search SharePoint, monitor Teams conversations, hide replies with inbox rules, forward mail, or send convincing phishing messages from a trusted internal account.

One successful login can create a path to fraud, data theft, business email compromise, and further cloud compromise.

Most successful Microsoft 365 password spray attacks do not rely on one failure. They rely on several small gaps aligning.

Many organisations say they have MFA. That can mean several things.

MFA may apply to administrators but not standard users. It may cover selected groups only. It may be skipped from trusted locations. It may not cover older authentication flows. It may be configured in report-only mode.

Attackers do not care whether MFA appears in a policy list. They care whether their login path actually triggers it.

Conditional Access is one of the most important controls in Microsoft Entra ID. It is also easy to misconfigure.

Policies can be scoped too narrowly, exclude risky groups, trust locations that are too broad, miss specific client apps, or remain in report-only mode. Identity controls need to be tested against real attack paths, not just reviewed as static settings.

Legacy authentication remains a major exposure point because it can bypass or weaken modern controls.

Older protocols and authentication flows were not designed for today’s threat environment. Some do not support MFA properly. Others allow attackers to test credentials without the prompts users and administrators expect to see.

Where possible, legacy authentication should be disabled. Developer or command-line access should also be restricted to users who genuinely need it.

Password spray attacks can generate thousands of failed logins. But the real priority is whether any password matched.

A single successful login after spray-like activity should trigger investigation. Monitoring should detect repeated failures across many accounts, successful logins from unfamiliar locations, unexpected client applications, inbox rule changes, unusual forwarding, and abnormal SharePoint, OneDrive, Teams, or mailbox activity.

Logging without response is record keeping, not protection.

Password spray risk can be reduced with focused configuration work:

🔶 Enforce MFA for all users, across all relevant cloud applications and client types. Keep exceptions rare, documented, and regularly reviewed.

🔶 Review Conditional Access end to end. Check scope, exclusions, trusted locations, client apps, device requirements, user risk, sign-in risk, and enforcement mode.

🔶 Disable legacy authentication wherever possible. Restrict risky authentication flows and developer-oriented access methods.

🔶 Improve identity hygiene. Remove stale accounts. Review guest users. Tighten privileged access. Check service accounts. Strengthen joiner, mover, and leaver processes.

🔶 Make sign-in monitoring actionable. Successful credential validation, suspicious client apps, inbox rule changes, unusual forwarding, and abnormal file access should all have a defined response process.

The latest password spray activity shows a familiar pattern.

Attackers are not always looking for sophisticated zero-days. Often, they are testing whether everyday cloud identity controls have been implemented completely. They know organisations rely on Microsoft 365. They know email addresses are easy to find. They know credentials are exposed in past breaches. They know MFA and Conditional Access are sometimes partial, inconsistent, or misconfigured.

That makes Microsoft 365 hardening a business priority, not just an IT hygiene task.

Tecala’s Cyber team helps organisations assess and strengthen their Microsoft 365 security posture across identity, Conditional Access, MFA, privileged access, monitoring, and incident response readiness.

The goal is simple. Make sure the controls that appear to be in place are actually protecting the accounts, applications, and data the business depends on.

👉 Use our contact form to request a Microsoft 365 Security Assessment and get a clear view of where improvements can be made.

blog

The Australian Government releases voluntary guardrails on AI safety standards

The Australian Government’s new Voluntary AI Safety Standard provide guidelines for the ethical and responsible development and use of Artificial Intelligence (AI).

blog

The Next Evolution of Automation: From RPA and BPM to the Rise of AI Agents

In this introductory post, we’ll explain the building blocks of modern automation (RPA, BPM/BPA, ESB, IA, DPA, and iPaaS) and show you how they converge into Agentic Process Automation (APA) before finally advancing to AI Agents.