Two of the most common account takeover attacks are happening against your Microsoft 365 tenant right now. Here’s how they work and why MFA is the one control that stops both cold.
Most cyberattacks against small businesses don’t start with exotic exploits or sophisticated malware. They start with someone trying to log in with a password they didn’t earn. Credential stuffing and password spraying are the two most common automated attack techniques for achieving this — and they’re running continuously against virtually every cloud service, at scale, against every organization that has accounts.
Credential stuffing is the automated use of leaked username/password combinations from previous data breaches to attempt logins at other services. The attacker doesn’t have to guess anything — they have a list of real credentials from real people, obtained from breaches of other services.
The scale is staggering. There are billions of leaked credential pairs in circulation. Attackers run them through automated tools that attempt logins at thousands of services simultaneously, looking for matches. The success rate on any given pair is low — but when you’re trying hundreds of millions of pairs, even a 0.1% success rate represents hundreds of thousands of compromised accounts.
Why it works: password reuse. People use the same password across multiple services. When one service gets breached and the credentials are published, every other service where that person uses the same password becomes vulnerable. The average person reuses passwords across dozens of services. Attackers know this and exploit it systematically.
The defense: MFA and dark web monitoring. MFA means a correct password isn’t enough — the attacker also needs the second factor, which they don’t have. Dark web monitoring catches the credential exposure early, allowing a password change before the stuffing attempt is made.
Password spraying is different. Instead of trying many passwords against one account, it tries one password against many accounts. The attacker picks a common password — "Winter2024!", "Welcome1", "Company123" — and tries it against every account they can enumerate in a tenant or organization.
Why this technique exists: most cloud services lock an account after a certain number of failed login attempts. If you try 100 passwords against one account, you’ll trigger the lockout. But if you try one password against 100 accounts, no single account triggers a lockout. The attack flies under the radar of basic account lockout controls.
Password spraying is particularly effective against organizations that have password policies with predictable patterns. If employees are required to change passwords every 90 days and they consistently do so by incrementing a number or changing a season, attackers can anticipate what the current password probably is. "Spring2025!" after a company-wide reset in March is a trivially predictable credential for a spray attack.
The defense: MFA, again, plus strong password policies enforced by technical controls rather than just policy documents. Microsoft Entra ID (formerly Azure AD) has built-in spray detection that can identify and block spray patterns even when no individual account triggers a lockout. We configure this as standard for Microsoft 365 clients.
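To make the lockout-evasion point concrete, here is an added example (not code from the original post, and not Entra ID's own detection logic) that runs two checks over a small constructed sign-in log: the per-account lockout counter most services implement, and a per-source detector that counts how many distinct accounts one IP fails against inside a time window. The event fields and thresholds are simplifications chosen for the example.

```python
"""Per-account lockout versus source-spread spray detection.

Added example with constructed sample data; field names (time, user, ip,
result) are an assumed simplification of an Entra ID sign-in log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 3, 3, 8, 0, 0)
SAMPLE_SIGNINS = []

# Spray: one source tries a single password against 12 accounts, one attempt
# each, spread over 11 minutes. No account sees more than one failure.
for i in range(12):
    SAMPLE_SIGNINS.append({"time": BASE + timedelta(minutes=i),
                           "user": f"user{i + 1:02d}@example.com",
                           "ip": "203.0.113.7", "result": "failure"})

# Legitimate user mistypes their password twice, then signs in.
for i, result in enumerate(["failure", "failure", "success"]):
    SAMPLE_SIGNINS.append({"time": BASE + timedelta(minutes=i, seconds=20),
                           "user": "bob@example.com",
                           "ip": "198.51.100.20", "result": result})

# Single-account brute force: six failures against one account in 100 seconds.
for i in range(6):
    SAMPLE_SIGNINS.append({"time": BASE + timedelta(seconds=20 * i),
                           "user": "carol@example.com",
                           "ip": "192.0.2.5", "result": "failure"})


def locked_out_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Basic lockout: an account locks when it alone accumulates `threshold`
    failures inside `window`, regardless of where they came from."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            per_user[e["user"]].append(e["time"])
    locked = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def spray_sources(events, min_accounts=10, window=timedelta(minutes=15)):
    """Spread detector: flag a source IP that fails against at least
    `min_accounts` distinct accounts inside `window`. Returns {ip: accounts}.
    No single account needs to reach the lockout threshold for this to fire."""
    per_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            per_ip[e["ip"]].append((e["time"], e["user"]))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u in attempts[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def summarize(events):
    """Both checks side by side, as a SOC triage view would want them."""
    return {"locked_out": sorted(locked_out_accounts(events)),
            "spray_sources": spray_sources(events)}


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
```

On this data the lockout counter fires only for the single-account brute force (carol), while the spray from 203.0.113.7 touches 12 accounts with one failure each and never trips it; the spread detector catches it precisely because it keys on the source rather than the account. Real tenants need the same idea applied with known-good IP allow-lists and a window tuned to the attacker's pacing, since "low and slow" sprays stretch the interval between attempts to stay under whatever window you pick.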
This isn’t theoretical. We see credential stuffing and password spraying attempts against client tenants regularly — often daily, sometimes continuously. For a typical small business Microsoft 365 tenant, there are thousands of failed authentication attempts in the logs every month from automated attack tools probing for weak or reused credentials.
For clients with MFA enforced, these attempts are noise. The attacker tries the credential, hits the MFA prompt, and the attack stops. We log it, we monitor for patterns, and we move on.
For accounts without MFA, a stuffing attempt with a correct credential is a successful login. We’ve seen this happen. The attacker gets in, sets up email forwarding rules to capture communication silently, monitors for wire transfers, and eventually uses the access for business email compromise. The window between successful stuffing login and financial loss can be weeks.
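The silent forwarding rule described above is one of the few durable artifacts a post-compromise mailbox leaves behind, so it is worth auditing for. The following added example (my own code, not the post's, and not an Exchange Online command) audits a constructed set of inbox rules for the patterns that matter: forwarding or redirecting outside the organisation's domains, hiding matching mail by deleting it or moving it to a folder nobody reads, and rules with blank names. The rule fields are an assumed, simplified rendering of the properties Exchange Online reports for inbox rules.

```python
"""Audit inbox rules for business-email-compromise patterns.

Added example with constructed sample rules; the field names are an assumed
simplification of Exchange Online inbox-rule properties.
"""

INTERNAL_DOMAINS = {"example.com"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance"}
# Folders an attacker commonly uses to park mail the owner never looks at.
UNWATCHED_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                     "junk email", "conversation history"}

SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Move newsletters",
     "forward_to": [], "redirect_to": [], "delete_message": False,
     "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "alice@example.com", "name": ".",
     "forward_to": ["mailbox@attacker.invalid"], "redirect_to": [],
     "delete_message": True, "move_to_folder": None,
     "subject_contains": ["invoice", "wire", "payment"]},
    {"mailbox": "bob@example.com", "name": "Copy to assistant",
     "forward_to": ["assistant@example.com"], "redirect_to": [],
     "delete_message": False, "move_to_folder": None,
     "subject_contains": []},
]


def _external(addresses, internal_domains):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that forwards externally, hides mail, or
    carries an empty or single-character name. Finance keywords are reported
    as context only when a rule is already flagged, so a user's own
    'file invoices' rule does not generate noise on its own."""
    findings = []
    for r in rules:
        reasons = []
        ext = _external(r["forward_to"] + r["redirect_to"], internal_domains)
        if ext:
            reasons.append("external forward/redirect: " + ", ".join(ext))
        folder = (r["move_to_folder"] or "").lower()
        if r["delete_message"] or folder in UNWATCHED_FOLDERS:
            reasons.append("hides matching mail (delete or unwatched folder)")
        if len(r["name"].strip()) <= 1:
            reasons.append("blank or single-character rule name")
        if reasons:
            hits = FINANCE_WORDS & {w.lower() for w in r["subject_contains"]}
            if hits:
                reasons.append("matches finance keywords: "
                               + ", ".join(sorted(hits)))
            findings.append({"mailbox": r["mailbox"], "rule": r["name"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f["mailbox"], repr(f["rule"]), "->", "; ".join(f["reasons"]))
```

Run over the sample, only the "." rule in alice's mailbox is reported, for external forwarding, deletion, its name, and the finance keywords it keys on; bob's forward to a colleague stays inside the organisation and is not flagged. In a real tenant the same logic belongs in a scheduled check alongside the tenant-level option to disallow external auto-forwarding outright, which removes the most damaging variant rather than merely detecting it.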
Microsoft publishes data on this regularly: MFA blocks over 99% of automated account takeover attacks. This isn’t a marketing claim — it reflects the reality that credential stuffing and password spraying, which together represent the vast majority of automated account attacks, are effectively defeated by MFA. The attacker needs the second factor and they don’t have it.
MFA is the authentication layer of Zero Trust. Zero Trust assumes that credentials alone are not sufficient proof of identity — that any access request, even from a seemingly legitimate account with a correct password, must be verified through additional signals: device health, location, behavior pattern. MFA is the most foundational of those verification layers, and the one that stops the overwhelming majority of automated attacks before they get further.
For our managed IT clients, MFA enforcement is non-negotiable — it’s deployed at onboarding, verified continuously by our RMM tooling, and any account without MFA generates an alert. The exposure window between account creation and MFA enrollment is a risk we don’t accept.