Glitch effectGlitch effect

Upcoming Webinar

Jul 14, 2026
1:00PM (ET) | 10:00AM (PT)
60
minutes

Tradecraft Tuesday | The Cost of a Weak CAP: Anatomy of a Major Password Spray Attack

In June, a massive password spray attack against Microsoft accounts resulted in 81 million login attempts and 78 successful compromises. 

Threat actors used Azure command line interface (CLI) sign ins via a deprecated OAuth authorization flow called ROPC. This allowed them to slip through weak spots in victim organizations’ Conditional Access policy (CAP) configurations. Additionally, we found that the actors were using BYOIP, a service that lets the assigned owner of a range of IP addresses get peering services from an ISP.

These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base.

During this Tradecraft Tuesday, we’ll break down how threat actors operate credential spray attacks, what’s driving the recent surge, and the best CAP configurations that organizations can use to address the authorization flow used across these incidents.

Reserve Your Spot
By submitting this form, you accept our Terms of Service & Privacy Policy

Speakers

Rich Mozeleski

Staff Product Manager

Spike Brandt

Principal Threat Intelligence Incident Commander

LinkedIn icon

Lindsey O'Donnell-Welch

Principal Technical Community Engagement Writer

LinkedIn icon