

Eighty-one million. That is not a figure from a year of background noise. It is the volume of login attempts recorded against Microsoft 365 accounts in a single coordinated campaign, disclosed this week by security researchers tracking the operation. The targets were not random. The goal was not disruption. The objective, as it almost always is when attackers go after corporate email and productivity infrastructure at scale, was access.
When attackers get access to a Microsoft 365 account, they get access to everything tied to it: emails, files in OneDrive and SharePoint, Teams conversations, calendar invitations, internal contacts, and, in many cases, the authentication tokens that open doors to third-party applications connected to the same identity. Microsoft 365 is not simply an email platform. It is the operational backbone of most modern organisations, and that is precisely what makes it worth 81 million attempts.
A campaign of 81 million login attempts does not start with the attacker generating random passwords and hoping for the best. It starts months or years earlier, on the dark web, where billions of username and password pairs from previous breaches are sold and traded in bulk. The attacker buys a credential list, filters it for work email formats, and runs it against the Microsoft 365 authentication endpoint. This is credential stuffing: trying known username-password combinations from previous breaches against a new service, betting that people reuse passwords across accounts.
Password spraying is the variant deployed when the attacker does not have a matching password for a specific account. Instead of trying many passwords against one account, which would trigger lockout, the attacker tries one or two very common passwords, such as the organisation name followed by the year or a predictable seasonal variation, against thousands of accounts simultaneously. Neither attempt triggers the per-account lockout threshold. Neither appears unusual to a monitoring tool that looks at per-account failed login counts rather than per-IP or per-campaign patterns.
The infrastructure behind a campaign of this size typically spans thousands of IP addresses, often residential proxies rented from botnets of compromised home routers, specifically to avoid the IP reputation blocks that would flag a flood of attempts from a single data centre range. Requests are rate-limited to mimic human login behaviour. User-agent strings rotate to match common browser patterns. The campaign is engineered to look, at the per-request level, like normal traffic.
What gives it away is volume, pattern, and geography: login attempts for an organisation whose employees are all based in one region suddenly appearing from dozens of countries, or attempts arriving in waves that follow timezone-shaped patterns suggesting automated scheduling. These are the signals that endpoint detection and identity analytics tools are built to surface, but only if the organisation is actively looking.
Microsoft 365 has more than 300 million monthly active commercial users globally. Its penetration into enterprise environments means that a single valid set of Microsoft 365 credentials is rarely a dead end. It is typically the starting point for a chain of access that extends far beyond email.
The Outlook inbox holds contract negotiations, financial approvals, and supplier communications. SharePoint and OneDrive hold documents that range from mundane to sensitive. Teams holds the informal conversation layer where strategy gets discussed before it reaches formal channels. And the Microsoft 365 identity, federated through Entra ID, is the single sign-on anchor for dozens of connected applications: Salesforce, ServiceNow, Workday, GitHub, HR systems, and internal tools built on the same identity foundation.
When an attacker gains access to a Microsoft 365 account and the session token that goes with it, they are not just reading emails. They are positioned at the centre of the organisation's digital operations with the full permissions of the compromised user. If that user is an administrator, a finance manager, or a member of the IT team, the blast radius grows accordingly.
Business email compromise, the use of a compromised corporate email account to redirect payments, impersonate executives, or manipulate suppliers, costs organisations billions annually. The FBI's Internet Crime Complaint Center reported losses of over 2.9 billion dollars from business email compromise in 2023 alone, and the figure has grown every year since the metric was first tracked. Credential access to Microsoft 365 is the most common starting point for these schemes because the attacker gains the full context of existing email threads, the ability to set forwarding rules that route copies of sensitive emails to an external address, and the trust that comes from communicating from a legitimate internal account.
Campaigns of this scale do not emerge from thin air. The 81 million attempts in this operation were drawn from credential inventories assembled over years of data breaches, infostealer malware deployments, and phishing operations targeting individual users. The credentials that power these campaigns are the downstream product of every breach that was not contained, every infostealer that ran undetected on a corporate device, and every reused password that connected a personal account breach to a professional identity.
Infostealer malware, deployed through malicious advertising, trojanised software installers, and phishing lures, harvests saved browser credentials, session cookies, and autofill data from the infected machine. These logs are then sold in bulk on dark web marketplaces, where buyers filter them by domain, job title, or access level. A log containing the Microsoft 365 credentials of a finance director at a mid-sized company commands a substantially higher price than a generic consumer account, and the marketplaces have developed the tooling to identify and categorise accordingly.
The practical implication for organisations is that the credentials being tested in a campaign like this one may have originated from a breach that had nothing to do with Microsoft. An employee who reused their work email and a variant of the same password on a gaming platform, a fitness app, or a retailer is contributing to the credential pool that attackers draw from. The organisation's own security posture is only one variable in a much larger equation.
This is why monitoring for leaked credentials tied to corporate email domains is not a luxury feature of a mature security programme. It is a foundational visibility requirement. An organisation that knows within hours that employee credentials have appeared in a criminal marketplace can force a password reset and invalidate active sessions before those credentials are added to the next attack batch. An organisation that discovers the breach through a login alert weeks later is responding rather than preventing.
The attacker who successfully authenticates to a Microsoft 365 account does not typically announce themselves immediately. The first phase is reconnaissance: reading through recent emails to understand the organisation's structure, current projects, financial relationships, and the names and roles of key individuals. This phase can last days or weeks. It is quiet, it leaves minimal forensic trace, and it is the period during which the attacker builds the situational awareness they need to make the access maximally valuable.
Inbox rules are a common early action. A forwarding rule that quietly copies all incoming mail to an external address, or an archiving rule that moves emails matching certain keywords to a folder the legitimate user is unlikely to notice, allows the attacker to maintain visibility even if the compromised password is later changed. Email rules created by a different IP address or at an unusual hour are a detectable signal, but only if someone is looking at rule creation events in the Microsoft 365 audit log, which many organisations do not monitor actively.
From there, the path depends on the account's permissions and the attacker's objective. Business email compromise typically involves waiting for a payment approval request or supplier invoice discussion, then interjecting with bank account change instructions that appear to come from the legitimate account holder. Data exfiltration involves methodically downloading files from OneDrive or SharePoint, often using the legitimate sync client rather than unusual API calls that might trigger alerts. Lateral movement involves using the compromised account's access to connected applications to pivot into systems that have nothing to do with email.
In the most sophisticated cases, the attacker registers a new multi-factor authentication method to the compromised account, ensuring they retain access even after a forced password reset. MFA method additions are one of the highest-fidelity signals of account compromise, and they appear in the Entra ID audit log, but they require active monitoring to surface in time to matter.
Multi-factor authentication significantly raises the cost of credential-based attacks. An attacker with a valid username and password who encounters an MFA prompt must either obtain the second factor through real-time phishing, using adversary-in-the-middle toolkits that intercept the MFA code and replay it instantly, or through SIM swapping, which transfers the victim's phone number to an attacker-controlled SIM to intercept SMS codes. Both are technically possible, but both add friction, cost, and operational complexity that filter out the lower-capability end of the threat spectrum.
The problem is that not all MFA implementations are equal. SMS-based MFA is the most widely deployed and the most vulnerable to SIM swapping and social engineering. Push notification MFA, which asks the user to approve a login by tapping a button in an authenticator app, is vulnerable to MFA fatigue attacks, where the attacker sends dozens of approval requests in rapid succession until the user approves one out of frustration or confusion. FIDO2 hardware security keys and passkeys are resistant to both of these attack vectors because the cryptographic response they generate is bound to the legitimate domain, making it impossible to use the credential on a phishing page that mimics the real site.
Organisations that have deployed MFA universally but have not reviewed which MFA methods are permitted still carry meaningful risk. A policy that allows SMS fallback for users who have not set up a stronger method, or that exempts legacy authentication protocols from MFA requirements because older applications do not support modern authentication, creates gaps that attackers specifically probe for and exploit. The 81 million attempt campaign will not have distributed its attempts uniformly: it will have concentrated on accounts that historically respond to legacy authentication endpoints, precisely because those endpoints do not invoke MFA.
Microsoft 365 environments have access to a significant volume of identity telemetry that, when acted on through conditional access policies, can block credential-based attacks at the point of authentication. Sign-in risk scores, calculated from signals including impossible travel, unfamiliar device characteristics, anonymous IP addresses, and leaked credential intelligence from Microsoft's own threat intelligence feeds, can be used to require step-up authentication or block access entirely when a login deviates from the established pattern.
Named location policies allow organisations to require additional verification or block logins originating from countries or regions where they have no employees or operations. Device compliance policies prevent authentication from devices that are not registered to the corporate directory, blocking the attacker's own machine from successfully completing a login even with valid credentials and MFA.
These controls are available in Microsoft 365 environments but they require deliberate configuration. The default Microsoft 365 tenant is not locked down to this level out of the box. Each policy requires organisational decisions about the trade-off between security friction and user convenience, and those decisions need to be made before the campaign, not during it.
Monitoring the indicators of compromise that credential-based campaigns generate, specifically the patterns of failed authentication attempts, the IP reputation data for successful logins, and the downstream behaviour changes in successfully compromised accounts, is the detection layer that conditional access policies cannot replace. Conditional access blocks known-bad patterns. Behavioural monitoring surfaces the unknown-bad: the attacker who authenticated from a location that was just plausible enough to pass the policy checks and is now quietly operating inside the environment.
The disclosure of a campaign with 81 million login attempts against Microsoft 365 is a prompt to review the current state of identity security rather than a reason to assume an organisation has already been targeted or compromised. The practical response is a structured review of the controls that reduce exposure to credential-based attacks and the monitoring that would surface a successful intrusion if one had occurred.
Reviewing the Microsoft 365 sign-in logs for the past 90 days for the patterns associated with credential stuffing, specifically high volumes of failed authentication attempts from diverse IP ranges, successful logins from unexpected locations or devices, or inbox rule creation events that post-date the last known legitimate user login, provides the baseline for understanding current exposure. Enabling the Microsoft Entra ID Identity Protection reports and reviewing the risk detections that have been generated but not acted on is a second step that many organisations defer until after an incident.
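A defender-side triage of the signals described above (the per-campaign failure pattern from the password-spraying discussion, and the sign-in and inbox-rule review in this step), written as an added example that is not from the original post or from Defendis. It runs over constructed records in a simplified sign-in-log and audit-log shape; the field names, thresholds, home-country set and tenant domain are assumptions.

```python
from collections import defaultdict
# Constructed sample sign-ins (not real data), already filtered to the review window.
SIGN_INS = [
    {"user": "alice@corp.example", "ip": "203.0.113.10", "country": "BR", "ok": False},
    {"user": "bob@corp.example", "ip": "198.51.100.7", "country": "VN", "ok": False},
    {"user": "carol@corp.example", "ip": "203.0.113.44", "country": "NG", "ok": False},
    {"user": "dave@corp.example", "ip": "198.51.100.90", "country": "BR", "ok": False},
    {"user": "erin@corp.example", "ip": "192.0.2.55", "country": "ID", "ok": False},
    {"user": "erin@corp.example", "ip": "192.0.2.55", "country": "ID", "ok": True},  # the spray hit
    {"user": "alice@corp.example", "ip": "192.0.2.1", "country": "GB", "ok": True},  # normal login
]
# Constructed mailbox audit events (New-InboxRule) in a simplified unified-audit-log shape.
AUDIT = [
    {"op": "New-InboxRule", "user": "erin@corp.example", "ip": "192.0.2.55",
     "params": {"ForwardTo": "erin.backup@mail.example"}},
    {"op": "New-InboxRule", "user": "alice@corp.example", "ip": "192.0.2.1",
     "params": {"MoveToFolder": "Newsletters"}},
]
HOME_COUNTRIES = {"GB"}           # assumed: where the organisation's staff actually work
INTERNAL_DOMAIN = "corp.example"  # assumed tenant mail domain

def spray_profile(sign_ins):
    """Campaign-level view: few failures per account, but many accounts, IPs and countries."""
    fails = [e for e in sign_ins if not e["ok"]]
    per_account = defaultdict(int)
    for e in fails:
        per_account[e["user"]] += 1
    return {
        "failed_accounts": len(per_account),
        "max_fail_per_account": max(per_account.values(), default=0),
        "source_ips": len({e["ip"] for e in fails}),
        "foreign_countries": sorted({e["country"] for e in fails} - HOME_COUNTRIES),
    }

def is_spray(profile, min_accounts=5, max_per_account=2):
    """Many accounts each failing only a handful of times: invisible to a per-account lockout counter."""
    return profile["failed_accounts"] >= min_accounts and profile["max_fail_per_account"] <= max_per_account

def suspicious_logins(sign_ins):
    """Successes from outside the home countries, or from an IP that also produced failures."""
    failed_ips = {e["ip"] for e in sign_ins if not e["ok"]}
    return [e["user"] for e in sign_ins
            if e["ok"] and (e["country"] not in HOME_COUNTRIES or e["ip"] in failed_ips)]

def suspicious_inbox_rules(audit, sign_ins):
    """Rules that forward mail outside the tenant, or were created from a spray source IP."""
    spray_ips = {e["ip"] for e in sign_ins if not e["ok"]}
    flagged = []
    for ev in (a for a in audit if a["op"] == "New-InboxRule"):
        dest = ev["params"].get("ForwardTo") or ev["params"].get("RedirectTo")
        external = dest is not None and not dest.endswith("@" + INTERNAL_DOMAIN)
        if external or ev["ip"] in spray_ips:
            flagged.append(ev["user"])
    return flagged
```

On the constructed data the per-account counts never exceed one, so only the campaign-level profile exposes the spray, and erin's account is the one that needs a session reset and a rule review.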
Forcing a password reset for all accounts and disabling legacy authentication protocols that bypass MFA, if not already done, addresses the specific vectors that campaigns of this type exploit most heavily. Reviewing which accounts have administrative privileges in Microsoft 365 and confirming that all of them use phishing-resistant MFA is the highest-priority hardening action for most organisations, because administrative accounts are both the most targeted and the most damaging to compromise.
The 81 million attempt figure is not a record. It is a data point in a sustained and growing pattern of credential-based attacks against enterprise identity infrastructure. The organisations that will be most affected by the next iteration of this campaign are the ones that have not yet closed the gaps that make credential stuffing and password spraying worth attempting at scale.
The 81 million attempt figure came to light because researchers tracking the operation were monitoring the authentication infrastructure the campaign was targeting. Most organisations do not have that level of visibility into the attack infrastructure targeting them. They see the login attempts that reach their own systems. They do not see the reconnaissance phase, the credential list assembly, or the infrastructure staging that precedes the campaign. By the time the login attempts begin, the attacker has already completed the preparation work that determines how targeted and sophisticated the campaign will be.
This visibility gap is not a function of technical capability. Microsoft 365 environments generate extensive audit logs that capture authentication attempts, including failed attempts from external IP addresses, and those logs are available to any organisation with an appropriate Microsoft Entra ID licence. The gap is typically a function of whether anyone is actively reviewing those logs, whether the review is timely enough to identify a campaign while it is in progress rather than months after the fact, and whether the reviewed signals are connected to external intelligence about the infrastructure generating them.
An authentication failure from a single IP address that has no previous history with the organisation is easy to dismiss as background noise. The same failure, correlated against threat intelligence indicating that the source IP is part of a residential proxy network currently being used in a campaign targeting organisations in the same sector, is an actionable signal. The difference between these two interpretations is not the log entry itself but the context that threat intelligence brings to it.
Organisations that have invested in identity security monitoring but have not connected that monitoring to external threat intelligence are operating with half the picture. They can see what is happening to their own accounts. They cannot see whether what is happening to their accounts is an isolated probe or the leading edge of a coordinated campaign that is simultaneously targeting dozens of organisations in their industry. That broader context is what allows a security team to prioritise a response appropriately and to anticipate the next phase of the attack rather than simply reacting to the current one.
The 81 million attempt campaign is a reminder that credential-based attacks operate at a scale that individual organisations cannot fully perceive from their own telemetry alone. The campaign is visible in its totality only to those with cross-organisational visibility: the researchers who tracked it, the threat intelligence providers who correlate signals across multiple client environments, and the platforms that aggregate authentication failure data at the network level. Building a security programme that connects internal monitoring to that external context is the architecture that moves an organisation from reactive to informed. It is also the difference between detecting a campaign on day one and discovering the damage weeks later.
Defendis monitors dark web forums, criminal marketplaces, and threat actor channels for early signals specific to your organisation: credential exposure, active campaigns targeting your sector, and indicators tied to your infrastructure. Book a demo to see what we see before it reaches you.