Over 80,000 passwords compromised in a password-spraying attack; Office, Teams, Outlook and other Microsoft account details exposed

Password spraying attack

A large-scale password-spraying attack has put over 80,000 Microsoft accounts at risk, affecting services such as Outlook, Teams, and Office 365. Security experts say the attack, which started in December 2024 and peaked in January 2025, successfully compromised numerous accounts across organisations of all sizes. The incident highlights growing cyberthreats and underscores the need for vigilance and strong protective measures.

Proofpoint has uncovered that the attack was orchestrated by a threat actor called UNK_SneakyStrike, who leveraged a tool known as TeamFiltration to carry it out. Password spraying involves trying a small number of frequently used password combinations across many different accounts — a tactic designed to avoid triggering alarm systems.

TeamFiltration is a sophisticated framework first made available in 2022 by a penetration tester. It lets attackers efficiently automate large-scale attacks against Microsoft Entra IDs — the directory service that underpins Outlook, Teams, and Office 365 — without quickly locking accounts due to numerous failed attempts.

Using this tool, the attacker was able to launch a dramatic attack on January 8, 2025, attempting password combinations against nearly 16,500 accounts in a single day. The attack fell silent afterwards, then resurged in small batches — a tactic designed to stay under the radar of enterprise defences.

Proofpoint, a cybersecurity firm investigating the incident, explained that the attacker routed their operations through AWS servers in different regions and abused a sacrificial Microsoft 365 account with a Business Basic license to exploit the Microsoft Teams API.

The attack affected a vast range of organisations — from small businesses to large enterprises — across numerous sectors. Small companies were broadly targeted, with attackers attempting to compromise all their users, while in large organisations, a subset of employees were chosen at random.

This approach meant nearly 80,000 Microsoft Entra IDs were under attack, putting Outlook, Teams, Office 365, and related services at risk of unauthorised access. The attack successfully compromised numerous accounts, although the exact number of successful intrusions has not been made public.

Security experts say multi-factor authentication, conditional access policies, and blocking suspicious IPs can help organisations stay protected. MFA adds a secondary layer of security, making password attacks less effective. Staying vigilant and maintaining strong password policies can help keep future attacks at bay.