Between 12 and 26 June 2026, a single campaign generated more than 81 million sign-in attempts against Microsoft 365 tenants, compromising at least 78 accounts across 64 organisations before the activity from the identified infrastructure stopped on 2 July. The numbers, documented by Huntress, are striking; the method is the actual story. The attackers authenticated through Azure CLI using the Resource Owner Password Credentials (ROPC) flow — a deprecated OAuth 2.0 grant in which the application collects username and password directly and exchanges them for a token, with no interactive sign-in page, no MFA prompt, and in many tenant configurations no Conditional Access evaluation. Fifteen of the breached organisations had MFA implemented and enforced. It did not matter, because the policy never saw the sign-in. For Swiss organisations — where Microsoft 365 and Entra ID form the identity backbone of most enterprises — this campaign is less a threat bulletin than a free penetration test report, and the findings apply to any tenant that has never explicitly hunted down its legacy authentication paths.
Why ROPC Slips Past Controls That Look Complete
ROPC exists for a world that predates modern identity: an application takes the user's credentials and trades them for a token server-to-server. Because the credential exchange bypasses the identity provider's interactive flow, there is no page into which an MFA challenge can be injected — and Conditional Access policies scoped to interactive sign-ins or to specific applications simply do not fire. Huntress's breach data reads like a catalogue of exactly these scoping mistakes: MFA policies applied to named apps instead of all cloud apps, policies covering only administrators, trusted-location exceptions that waived MFA from "known" networks, and policies drafted correctly but left in report-only mode. Each of these looks defensible on a compliance checklist. Each leaves the ROPC door open.
The campaign's credential source is the second lesson. The attackers sprayed old username-password pairs from historical breach corpora — credentials that had never been rotated because "we have MFA now" quietly became the justification for tolerating stale passwords. The escalation curve shows how patiently this economics works: two to four compromised accounts per day for the first week, then a surge to 30 identities across 23 businesses on 22 June once the technique proved out. At 81 million attempts, even a 0.0001% success rate is a business.
The Swiss Tenant Reality Check
Swiss enterprises are structurally exposed to precisely this pattern. Microsoft 365 adoption is near-universal across Swiss banking back-offices, insurers, manufacturers, and public administration; hybrid identity (Entra ID synced with on-premises AD) is the norm; and years of migrations, integrations, and vendor onboarding have left most tenants with a sediment of service accounts, legacy protocols, and Conditional Access exceptions nobody currently owns. The failure mode Huntress documented — MFA that exists but does not cover every path — is what a FINMA operational-resilience review or an ISA-scope security assessment would classify as a control-design deficiency, not a control absence, which is exactly why it survives audits: the checkbox is ticked.
There is also a detection angle Swiss SOCs should absorb. ROPC sign-ins are not hidden; they appear in Entra sign-in logs with the client and grant type identifiable, and a spray at this volume produces failure telemetry that is loud if anyone is listening. The campaign infrastructure was traceable to a single IPv6 range (2a0a:d683::/32). Organisations that discovered their compromises from Huntress's disclosure rather than their own logs have a monitoring gap of the same magnitude as their policy gap.
Closing the Door: Configuration, Not Budget
Everything required to neutralise this campaign class ships with the licence most Swiss enterprises already pay for. The core move is a Conditional Access policy that blocks legacy authentication and covers all cloud apps and all users, with exceptions handled as explicit, owned, expiring exclusions rather than blanket carve-outs. Microsoft's own direction of travel helps — interactive ROPC is deprecated and being retired — but tenants should not wait for platform-side sunset dates while a live campaign works the gap. Around that core: phishing-resistant MFA (FIDO2 keys or passkeys) for privileged and finance-adjacent roles removes the residual value of sprayed passwords entirely; a password-protection policy with breach-list screening drains the stale-credential pool the campaign fed on; and sign-in log alerting on ROPC grant usage, unfamiliar client IDs, and failure spikes turns the next spray into a Tuesday-morning ticket instead of a disclosure-day surprise.
◆ Key Takeaway
The 81-million-attempt Azure CLI campaign broke nothing: it used valid old passwords through a legacy OAuth flow that MFA and Conditional Access were never positioned to see. For Swiss Microsoft 365 estates the remediation is pure configuration — block legacy authentication for all users and all apps, kill report-only drift, screen passwords against breach corpora, and alert on ROPC grants — and every one of those controls can be in place this week.
- Audit where ROPC and legacy authentication still succeed. Filter Entra sign-in logs for ROPC grant usage and legacy protocols over the past 90 days; every hit is either an inventory item or an incident.
- Deploy a block-legacy-authentication Conditional Access policy scoped to all users and all cloud apps. Named, owned, time-boxed exclusions only — an exception without an owner and an expiry date is a finding.
- Take policies out of report-only mode deliberately. Report-only is a testing state, not a compliance state; review every policy sitting there and either enforce or delete it.
- Remove trusted-location MFA waivers. A corporate IP range is not an authentication factor; the Huntress data shows location-based exceptions among the gaps that got tenants breached.
- Roll out phishing-resistant MFA for privileged, finance, and remote-access roles. FIDO2/passkeys make sprayed passwords worthless even where a legacy path is briefly re-opened.
- Screen and rotate stale credentials. Enable breach-corpus password protection, force rotation on accounts with pre-MFA-era passwords, and disable dormant accounts — the campaign's fuel was passwords nobody had touched in years.
- Alert on the pattern, not just the outcome. SOC rules for ROPC token issuance, authentication-failure spikes per source ASN, and first-seen CLI clients per user catch the next campaign during the spray, not after the compromise.
Password spray is the oldest technique in the cloud-identity playbook, and it keeps working because identity estates accumulate exceptions faster than they retire them. The June campaign will be followed by others — the tooling is commodity, the breach corpora keep growing, and every deprecated authentication flow that survives in a tenant is a standing invitation. Swiss organisations that treat this incident as a checklist — legacy auth blocked, exceptions owned, credentials screened, ROPC alerting live — buy themselves out of an entire attack class for the cost of a configuration sprint. The ones that file it under "we have MFA" are the control-design deficiency the next Huntress report will quantify.