Skip to content
Chimera readability score 62 out of 100, Academic reading level.

The attack exploited previously exposed credentials and flaws in enterprises’ multi-factor authentication configurations.
Microsoft users have been hit by a massive, automated password spray attack.
Among those targeted by the attack were clients of security company Huntress. It reported that the attackers made 81 million attempts to log into its customers’ accounts between June 12 and 26 — and succeeded in at least 78 cases.
And that’s just the attacks on Microsoft account holders who also happen to be Huntress customers: The number of compromised accounts could be much higher, as it’s in the nature of a password spray attack to attempt to connect indiscriminately.
The attacks all came from a single source, an IPv6 address range controlled by internet provider LSHIY LLC, Huntress said in a blog post. LSHIY has since terminated access for the customer using the IP addresses involved in the attack.
Huntress had been monitoring spray attacks for some time and had noticed a slight increase from June 12, and then a sudden spike on June 22 when 30 of its customers were affected.
The attackers replayed validated credentials via the OAuth ROPC (Resource Owner Password Credentials) flow. This takes a username/password at the /token endpoint for a tenant and mints a new user-delegated token, once provided with the correct credentials. This was possible because multi-factor authentication (MFA) had not been configured to handle the techniques deployed by the attackers.
Huntress said that this was because, in some cases, MFA had been enforced for specific apps instead of “All Cloud Apps.” For example, some organizations enforced MFA for Microsoft Admin Portals, which did not cover the Azure CLI logins used by the attacker.
In other cases, organizations enabled MFA only for specific user groups (such as Admins Only). The compromised users were not in the scope of these specific user groups.

Sentinel — Human

Confidence

This text functions as clear, fact-based reporting that synthesizes technical findings with source attribution, exhibiting characteristics consistent with high-quality human journalism.

Signals Detected
low severity: Sentence length variance is natural; the text shifts between declarative facts and complex technical explanations.
low severity: The text successfully weaves specific technical findings (MFA, ROPC) with reported metrics, demonstrating focused journalistic synthesis without excessive hedging.
low severity: Attribution is specific and tied directly to the claims (Huntress reported; LSHIY terminated), suggesting reliance on external sources rather than internal generation.
Human Indicators
The structure transitions logically from the general event (password spray) to specific technical mechanisms (MFA flaws, OAuth ROPC flow), a pattern typical of investigative reporting.
Specific entity names and reported metrics (81 million attempts, June dates, LSHIY LLC) anchor the claims in verifiable external data.