Identity Security, Cloud Security

Microsoft 365 Attacks Are Moving Beyond Passwords

An 81-million-attempt password spraying campaign, phishing-as-a-service tooling, and OAuth token theft show why identity defense must cover the entire login flow.

Author: Evolving Cyber
Published: Jul 4, 2026
Reading time: 5 min read

Microsoft 365 identity attacks were another major theme this week. Public reporting described an aggressive password-spraying campaign that generated more than 81 million login attempts against Microsoft 365 environments over two weeks. The same news cycle included Cisco Talos research on ARToken, a phishing-as-a-service platform connected to EvilTokens-style Microsoft 365 phishing, and reporting on ConsentFix and ClickFix techniques that can steal tokens through fake prompts and OAuth flows.

The message is simple: attackers are no longer only guessing passwords. They are attacking the authentication journey itself.

The old model is too narrow

Many organizations still think of account security as a password-plus-MFA problem. That model misses how modern Microsoft 365 intrusions actually happen.

Attackers may spray passwords at scale to find weak accounts. They may use adversary-in-the-middle phishing to capture session cookies. They may trick users into approving OAuth consent. They may abuse device code flows. They may use fake browser prompts or fake support instructions to make the victim do the dangerous part willingly.

In other words, the account compromise path is no longer a single login box. It is a chain of identity, browser, consent, token, and session decisions.

Why MFA is necessary but not sufficient

MFA still matters. It blocks enormous volumes of basic credential abuse. But not all MFA is equal.

SMS codes, push approvals without number matching, and one-time passwords can be phished or socially engineered. Token theft can bypass the need to repeat MFA if the attacker captures a valid session. OAuth abuse can grant access without stealing a password at all.

That is why identity programs need to move toward phishing-resistant MFA, conditional access, device trust, and continuous session monitoring.

What to prioritize

Microsoft 365 defenders should focus on controls that disrupt the whole attack chain.

  • Require phishing-resistant MFA for administrators, finance users, executives, and high-risk roles.
  • Disable legacy authentication and unused protocols.
  • Review OAuth application consent policies.
  • Alert on unusual consent grants, new mailbox rules, suspicious forwarding, impossible travel, and new device registrations.
  • Use conditional access policies that account for device compliance, location, risk, and session behavior.
  • Train users on device code phishing, ClickFix prompts, and fake browser instructions.
  • Monitor for password spraying patterns spread across many source IPs.
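
The last item above, as an added example that is not from the original post: a detector for spraying that is spread across many source IPs, where each IP and each account sees too few failures to trip a per-IP threshold or a lockout counter. The event field names, thresholds, and sample records are assumptions constructed for illustration; 50126 is the Entra ID error code for an invalid username or password.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID sign-in error: invalid username or password

def detect_distributed_spray(events, window=timedelta(hours=1),
                             min_users=5, min_ips=5, max_avg_per_user=3.0):
    """Return one finding per time window whose failures hit many accounts
    from many IPs with few tries per account."""
    buckets = defaultdict(list)
    for e in events:
        if e["error_code"] != INVALID_CREDENTIALS:
            continue
        ts = datetime.fromisoformat(e["time"])
        # Align the failure to the start of its fixed-size window.
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start].append(e)

    findings = []
    for start, fails in sorted(buckets.items()):
        users = {e["user"] for e in fails}
        per_ip = Counter(e["ip"] for e in fails)
        if (len(users) >= min_users and len(per_ip) >= min_ips
                and len(fails) / len(users) <= max_avg_per_user):
            findings.append({
                "window_start": start.isoformat(),
                "users": len(users),
                "source_ips": len(per_ip),
                "failures": len(fails),
                # A low value here is why a per-IP threshold stays silent.
                "max_failures_from_one_ip": max(per_ip.values()),
            })
    return findings

# Constructed sample data (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = (
    # Spray: 8 accounts, one attempt each, every attempt from a different IP.
    [{"time": f"2026-07-01T09:{5 * i:02d}:00", "user": f"user{i}@example.com",
      "ip": f"203.0.113.{10 + i}", "error_code": 50126} for i in range(8)]
    # Benign: one user mistyping a password four times, then signing in.
    + [{"time": f"2026-07-01T11:0{i}:00", "user": "alice@example.com",
        "ip": "198.51.100.7", "error_code": 50126} for i in range(4)]
    + [{"time": "2026-07-01T11:05:00", "user": "alice@example.com",
        "ip": "198.51.100.7", "error_code": 0}]
)

if __name__ == "__main__":
    for finding in detect_distributed_spray(SAMPLE_EVENTS):
        print(finding)
```

Fixed windows can split a slow campaign across a boundary, so the window size and thresholds need tuning against a tenant's normal failure rate.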

The business takeaway

Microsoft 365 is not just email. It is documents, Teams, SharePoint, identity, calendars, files, and business process history. A compromised account can become an entry point into the company memory.

This week shows why identity security must be treated as a detection and response discipline, not only a login setting.
