Cybersecurity · Thursday, 2 July 2026
01 · Briefing · what happened
81 million tries, 78 wins — how a brute-force attack walked past modern login defenses
An automated campaign made 81 million login guesses against Microsoft cloud accounts and broke into 78 of them, many protected by policies that a forgotten legacy login path simply ignored.
Key takeaways
- An automated attack made 81 million login guesses against Microsoft cloud accounts and broke into 78 — by slipping through a forgotten legacy login path that ignored the accounts' modern protections.
- The most common way malware reaches people now is ClickFix: a fake error message that tricks you into pasting a malicious command yourself, sailing past every email and file scanner.
- Attackers are wiring AI into their trade — using it to find real bugs, to harvest the fake web addresses AI invents, and to tailor phishing to your exact device.
A brute-force attack does not need to be clever. It needs to be cheap, and this one was. Between June 12 and June 26, a single attacker made more than 81 million login attempts against Microsoft’s Azure command-line tool and broke into at least 78 accounts across 64 organisations.
This is a password spray: instead of guessing many passwords against one account (which locks the account), the attacker tries a handful of very common passwords against millions of accounts. A 0.0001% hit rate sounds like failure. At 81 million tries, it isn’t.
The detail that matters for defenders: many of the breached organisations had modern protections switched on. They used Conditional Access — Microsoft’s rules that can demand a second check, like a code on your phone, before letting someone in.
What to do: turn off legacy authentication paths like ROPC in your account settings, and never reuse a password that has appeared in a breach — that reuse is the entire reason a “top 100 passwords” list works at all.
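For defenders reviewing sign-in logs, the spray shape described above (many accounts, only a few guesses each, so no single account locks) can be flagged per source rather than per account. The following is an added example, not code from the original article or from Microsoft; the record fields (`src`, `user`, `protocol`, `ok`), the thresholds and the sample events are assumptions constructed for illustration and are not a real log schema.

```python
from collections import defaultdict

def make_sample():
    """Constructed sign-in events (illustrative only, not real log data)."""
    events = []
    # One source tries 2 common passwords against each of 40 accounts.
    for i in range(40):
        for _ in range(2):
            events.append({"src": "198.51.100.7", "user": f"user{i}@example.com",
                           "protocol": "ropc", "ok": False})
    # One guess lands, over the legacy ROPC flow.
    events.append({"src": "198.51.100.7", "user": "user13@example.com",
                   "protocol": "ropc", "ok": True})
    # A real user who forgot a password: many failures, but on one account.
    for _ in range(8):
        events.append({"src": "203.0.113.20", "user": "alice@example.com",
                       "protocol": "interactive", "ok": False})
    events.append({"src": "203.0.113.20", "user": "alice@example.com",
                   "protocol": "interactive", "ok": True})
    return events

def detect_spray(events, min_users=20, max_fails_per_user=3):
    """Flag sources that fail against many accounts but only a few times each."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    wins = defaultdict(list)                       # src -> [(user, protocol)]
    for e in events:
        if e["ok"]:
            wins[e["src"]].append((e["user"], e["protocol"]))
        else:
            fails[e["src"]][e["user"]] += 1
    findings = []
    for src, per_user in fails.items():
        wide = len(per_user) >= min_users                      # many accounts
        shallow = max(per_user.values()) <= max_fails_per_user  # under lockout
        if wide and shallow:
            findings.append({
                "src": src,
                "accounts_targeted": len(per_user),
                "max_failures_per_account": max(per_user.values()),
                # Successes from a spraying source: reset these accounts first.
                "compromised": sorted(u for u, _ in wins[src]),
                "legacy_flow_successes": sorted(u for u, p in wins[src] if p == "ropc"),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_spray(make_sample()):
        print(finding)
```

The forgotten-password user produces more failures on a single account than the spraying source does on any one account, yet only the source that is wide and shallow is flagged, which is why per-account lockout alone does not see this pattern.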
A quieter, more effective way in
While the spray campaign was loud, the most common way malware actually reaches people right now is disarmingly simple. Researchers at ReliaQuest, looking at activity from March to May, found that a technique called ClickFix now dominates how attackers get their first foothold.
A big breach, and a fine for making the cleanup harder
Two stories from the fraud side of the week. First, the US insurer Aflac disclosed a data breach at its Japan subsidiary, discovered June 25, in which an unauthorised third party reached systems holding policy details, personal information, and bank account numbers between June 15 and 25.
Second, the US Federal Trade Commission ordered Amazon to pay $2.25 million for a different kind of harm: it failed to give identity-theft victims the records of fraudulent transactions made in their names, as the law requires.
The attacker’s new co-worker is an AI
Three separate pieces of research this week point at the same shift: attackers are folding AI tools into their work. Security researcher Ian Carroll used Anthropic’s Claude to help find a real bug in Front Gate Tickets — the ticketing system behind nearly every major US music festival — that would have let him issue unlimited free tickets, including sold-out VIP passes.
More worrying at scale: Palo Alto Networks’ Unit 42 documented “phantom squatting.” Large language models sometimes invent web addresses that don’t exist when answering questions about real companies.
The patch pile is worth your five minutes
A heavy week for fixes. Google patched a striking 382 vulnerabilities in Chrome.
02 · Lesson · why it matters
When trying is free, a one-in-a-million shot is a sure thing
A defence that stops 99.9999% of attempts still fails if the attacker can afford to try eighty-one million times — because at zero cost, a tiny chance stops being a gamble and becomes a schedule.
The number that should have been a failure
Eighty-one million login attempts. Seventy-eight break-ins. Do that division and you get a hit rate near one in a million. Say it out loud in any other context — a salesman who closes one deal in a million calls, a fisherman who lands one fish per million casts — and it sounds like ruin.
Here it wasn’t ruin. It was a working business. Seventy-eight organisations were quietly opened up over two weeks, and the attacker never had to be good at anything. They only had to keep going.
That gap between how the ratio feels and what it produces is the whole lesson. We judge a threat by its success rate, because that’s how we judge people. But an automated attack isn’t a person. It’s a machine that runs the same cheap gamble over and over, and the only question that matters is how many times it can pull the lever before someone stops it.
The math that flips at zero cost
For most of human history, trying cost something. A lock-pick had to stand at your door, in the open, taking time and risk per attempt. That per-try cost was the real security — not the lock. The lock just made each attempt slow enough that the standing-around got you caught.
Automation quietly deleted the cost of trying. A script can attempt a login, fail, and attempt the next one in the time it takes you to blink. Eighty-one million attempts is not eighty-one million hours of a person’s patience; it’s a few weeks of a program that never sleeps, doesn’t get bored, and pays nothing per guess.
Once the cost of one attempt falls to nothing, the arithmetic changes shape. A one-in-a-million chance, tried once, is a gamble. Tried a million times for free, it’s a near-certainty. The rare event isn’t rare anymore — it’s just delayed. The attacker isn’t hoping to get lucky. They’re waiting for a guarantee to arrive.
Why the good locks didn’t matter
Here is the part that stings. Many of the broken-into organisations had done the modern, responsible thing. They had turned on the extra check — the code-on-your-phone step that’s supposed to make a stolen password useless.
The attacker went around it, through an old, deprecated login path the system still quietly accepted. Not because the new lock was weak, but because it was never the door being used.
This is where the cheap-attempts logic gets its second edge. When trying is free, the attacker doesn’t need to defeat your best defence. They can spend a million free tries just looking for the one entrance you forgot to include in your defence. Effort that would be unthinkable for a human — methodically testing every door in a building, including the ones nobody’s opened in years — is trivial for a machine. The defender has to remember every door. The attacker only has to find the one that was forgotten, and free tries make finding it a matter of when.
The lopsided contest underneath
Step back and the shape is a contest that was never fair to begin with. The defender must be right about everything, every day: every account, every login path, every old setting nobody remembers turning on. The attacker must be right once, about any of it, and can try endlessly at no charge.
That asymmetry isn’t unique to computers. It’s the shape of every cheap-repeated-attempt problem. A scam call centre dials a million numbers to find the few who’ll fall for it — and the few is all it needs. A con that works on one person in ten thousand is still a career if the con costs nothing to run again. The rare sucker isn’t rare from the scammer’s chair; they’re inevitable. Volume launders improbability into certainty.
We are all standing on the wrong side of that math more often than we notice. Every leaked password sitting in a breach list is a free lottery ticket someone else holds against us. The reason a “hundred most common passwords” list is dangerous isn’t that your password is easy to guess. It’s that you are one of eighty-one million doors, and the machine has all the time in the world.
What the whole looks like from here
The instinct is to feel clever now — to say “so I’ll pick a better password” and move on. That’s the small version of the lesson, and it leaves out where you actually sit.
You are not the defender in this story, and you are not the attacker. You are one of the millions of doors. Your single good choice — a password nobody else has, the old login paths switched off — doesn’t win the contest. It just quietly removes you from the pile the machine is grinding through, and hands the rare-but-certain hit to the next door down the row.
Nobody chose to live inside a system where trying is free and the failures are automated and patient. It was built that way, one convenience at a time, by people solving other problems. Seeing that doesn’t make you safe. It makes you humble about how little of the contest any single one of us can see, or steer — and how much of our safety depends on the doors we’ll never know were tried.
03 · Lab · your turn
The Free-Tries Machine
Rehearse how a near-zero success rate becomes a certainty once trying is free, and how closing a forgotten door only removes you from the pile.
04 · Hope · carry this
The same free tries that let a machine grind through millions of doors also let a curious researcher find the unlocked one first — and hand it back instead of walking through. The people quietly closing forgotten doors outnumber the ones knocking, and most of them will never make a headline.