Daylila

Cybersecurity · Thursday, 2 July 2026

01 · Briefing · what happened

81 million tries, 78 wins — how a brute-force attack walked past modern login defenses

Cybersecurity 5 min 41 sources

An automated campaign made 81 million login guesses against Microsoft cloud accounts and broke into 78 of them, many protected by policies that a forgotten legacy login path simply ignored.

Key takeaways

  • An automated attack made 81 million login guesses against Microsoft cloud accounts and broke into 78 — by slipping through a forgotten legacy login path that ignored the accounts' modern protections.
  • The most common way malware reaches people now is ClickFix: a fake error message that tricks you into pasting a malicious command yourself, sailing past every email and file scanner.
  • Attackers are wiring AI into their trade — using it to find real bugs, to harvest the fake web addresses AI invents, and to tailor phishing to your exact device.

A brute-force attack does not need to be clever. It needs to be cheap, and this one was. Between June 12 and June 26, a single attacker made more than 81 million login attempts against Microsoft’s Azure command-line tool and broke into at least 78 accounts across 64 organisations [16]. The security firm Huntress, which traced the campaign, said the targeting was based purely on which passwords showed up most often in leaked password lists — not on who the victims were or what business they ran [16].

This is a password spray: instead of guessing many passwords against one account (which locks the account), the attacker tries a handful of very common passwords against millions of accounts. A 0.0001% hit rate sounds like failure. At 81 million tries, it isn’t [16].

The detail that matters for defenders: many of the breached organisations had modern protections switched on. They used Conditional Access — Microsoft’s rules that can demand a second check, like a code on your phone, before letting someone in [16]. The attacker skipped past those rules by logging in through a deprecated, decade-old path called ROPC (Resource Owner Password Credentials), a legacy login method where an app simply hands over a username and password directly [16]. Microsoft deprecated it years ago and tells customers not to use it, precisely because it has no interactive step in which those extra checks can be demanded [16]. The new lock was on the front door; the attacker used a side door the building’s owners had forgotten was still unlocked. SecurityWeek confirmed the campaign and its scale [17].

What to do: turn off legacy authentication paths like ROPC in your account settings, and never reuse a password that has appeared in a breach — that reuse is the entire reason a “top 100 passwords” list works at all [16].
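Two of the signals a defender would look for in sign-in logs after reading the above: one source touching many distinct accounts (the spray shape, few passwords across many users) and any successful login over the legacy path, where the extra check never ran. The script below is an added example, not code from Huntress, Microsoft or the original piece; the event records are constructed, and the field names (`user`, `src`, `protocol`, `ok`) are simplified assumptions rather than any vendor's exact log schema.

```python
"""Spray and legacy-auth triage over constructed sign-in records."""
from collections import defaultdict

# Constructed sample sign-in events (not real log data). 'protocol' marks the
# login path: 'ropc' is the deprecated username+password path the briefing
# describes; 'interactive' is a browser/app login where a second check applies.
SAMPLE_EVENTS = [
    {"user": "a.lee@example.com",   "src": "203.0.113.9",  "protocol": "ropc", "ok": False},
    {"user": "b.kim@example.com",   "src": "203.0.113.9",  "protocol": "ropc", "ok": False},
    {"user": "c.ng@example.com",    "src": "203.0.113.9",  "protocol": "ropc", "ok": False},
    {"user": "d.ortiz@example.com", "src": "203.0.113.9",  "protocol": "ropc", "ok": True},
    {"user": "e.roy@example.com",   "src": "203.0.113.9",  "protocol": "ropc", "ok": False},
    {"user": "a.lee@example.com",   "src": "198.51.100.4", "protocol": "interactive", "ok": True},
    {"user": "a.lee@example.com",   "src": "198.51.100.4", "protocol": "interactive", "ok": False},
]

MIN_DISTINCT_USERS = 5  # one source trying this many accounts is a spray, not a typo


def find_spray_sources(events, min_users=MIN_DISTINCT_USERS):
    """Return {src: stats} for sources that touched >= min_users distinct accounts.

    A spray is 'few passwords, many accounts', so the signal is distinct users
    per source, not failures per user (per-user lockout never fires).
    """
    per_src = defaultdict(lambda: {"users": set(), "tries": 0, "hits": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["tries"] += 1
        s["hits"] += int(e["ok"])
    return {
        src: {"users": len(s["users"]), "tries": s["tries"], "hits": s["hits"],
              "hit_rate": s["hits"] / s["tries"]}
        for src, s in per_src.items() if len(s["users"]) >= min_users
    }


def legacy_auth_successes(events):
    """Accounts that logged in successfully over the legacy path.

    Policies tied to the interactive flow never ran for these, so each one is
    a candidate compromise to review and a reason to disable that path.
    """
    return sorted({e["user"] for e in events if e["protocol"] == "ropc" and e["ok"]})


if __name__ == "__main__":
    print(find_spray_sources(SAMPLE_EVENTS))
    print(legacy_auth_successes(SAMPLE_EVENTS))
```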

A quieter, more effective way in

While the spray campaign was loud, the most common way malware actually reaches people right now is disarmingly simple. Researchers at ReliaQuest, looking at activity from March to May, found that a technique called ClickFix now dominates how attackers get their first foothold [13]. ClickFix shows you a fake error message or a fake “prove you’re human” prompt, then asks you to copy a bit of text and paste it into a command window on your computer to “fix” the problem [13]. The text is a command that installs malware. Because you run it yourself, it sails past email filters and file scanners that would have caught an attachment [13]. The lesson is old and stubborn: the reader is often the last and weakest check. If a website ever asks you to paste something into a system window or terminal, stop.

A big breach, and a fine for making the cleanup harder

Two stories from the fraud side of the week. First, the US insurer Aflac disclosed a data breach at its Japan subsidiary, discovered June 25, in which an unauthorised third party reached systems holding policy details, personal information, and bank account numbers between June 15 and 25 [1]. Aflac says the incident is limited to Japan and that its US systems were untouched; the full scope is still unknown [1]. Some services were shut down to stop the intrusion spreading [1].

Second, the US Federal Trade Commission ordered Amazon to pay $2.25 million for a different kind of harm: it failed to give identity-theft victims the records of fraudulent transactions made in their names, as the law requires [5]. In some cases, the FTC said, Amazon’s agents refused those records citing “privacy” — to the very people whose identities had been stolen [5]. It’s a reminder that after a fraud, getting the evidence out of a company can be its own fight.

The attacker’s new co-worker is an AI

Three separate pieces of research this week point at the same shift: attackers are folding AI tools into their work. Security researcher Ian Carroll used Anthropic’s Claude to help find a real bug in Front Gate Tickets — the ticketing system behind nearly every major US music festival — that would have let him issue unlimited free tickets, including sold-out VIP passes [7]. Carroll reported the flaw rather than abusing it, and Front Gate says it has patched the hole [7].

More worrying at scale: Palo Alto Networks’ Unit 42 documented “phantom squatting.” Large language models sometimes invent web addresses that don’t exist when answering questions about real companies [4]. Across 913 brands, the researchers found AI systems generated some 250,000 fake domains [4]. Attackers can simply register those made-up addresses and wait for AI tools to send trusting users straight to them [4]. And Cofense found phishing pages that fingerprint your device the moment you click, then serve malware tailored to your exact operating system to raise their odds [8]. None of this is science fiction — it’s the same old fraud, made cheaper and more precise.

The patch pile is worth your five minutes

A heavy week for fixes. Google patched a striking 382 vulnerabilities in Chrome [2]. Apple pushed fixes across iOS, macOS, and Safari [12]. Adobe patched critical flaws in ColdFusion and Campaign Classic [3]. Citrix patched NetScaler holes including a new “HTTP/2 Bomb” denial-of-service attack [9]. And attackers are already moving on old holes: researchers watched active exploitation of a critical Oracle E-Business Suite defect (rated 9.8 out of 10) that Oracle patched back in May [10]. Roughly 950 vulnerable Oracle systems are still exposed online, more than half of them in the US [10]. A flaw being “patched” means nothing until you actually install the patch — the attacker is betting you haven’t.

02 · Lesson · why it matters

When trying is free, a one-in-a-million shot is a sure thing

A defence that stops 99.9999% of attempts still fails if the attacker can afford to try eighty-one million times — because at zero cost, a tiny chance stops being a gamble and becomes a schedule.

The number that should have been a failure

Eighty-one million login attempts. Seventy-eight break-ins. Do that division and you get a hit rate near one in a million. Say it out loud in any other context — a salesman who closes one deal in a million calls, a fisherman who lands one fish per million casts — and it sounds like ruin.

Here it wasn’t ruin. It was a working business. Seventy-eight organisations were quietly opened up over two weeks, and the attacker never had to be good at anything. They only had to keep going.

That gap between how the ratio feels and what it produces is the whole lesson. We judge a threat by its success rate, because that’s how we judge people. But an automated attack isn’t a person. It’s a machine that runs the same cheap gamble over and over, and the only question that matters is how many times it can pull the lever before someone stops it.

The math that flips at zero cost

For most of human history, trying cost something. A lock-picker had to stand at your door, in the open, taking time and risk per attempt. That per-try cost was the real security — not the lock. The lock just made each attempt slow enough that the standing-around got you caught.

Automation quietly deleted the cost of trying. A script can attempt a login, fail, and attempt the next one in the time it takes you to blink. Eighty-one million attempts is not eighty-one million hours of a person’s patience; it’s a few weeks of a program that never sleeps, doesn’t get bored, and pays nothing per guess.

Once the cost of one attempt falls to nothing, the arithmetic changes shape. A one-in-a-million chance, tried once, is a gamble. Tried a million times for free, it’s a near-certainty. The rare event isn’t rare anymore — it’s just delayed. The attacker isn’t hoping to get lucky. They’re waiting for a guarantee to arrive.
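The arithmetic written out with the briefing's own figures (an added worked equation, not part of the original piece; $p$ is the per-try chance of a hit and $N$ the number of free tries):

$$
p \approx \frac{78}{81\,000\,000} \approx 10^{-6}, \qquad
P(\text{at least one hit in } N \text{ tries}) = 1 - (1-p)^N \approx 1 - e^{-pN}, \qquad
\mathbb{E}[\text{hits}] = pN .
$$

At $N = 10^6$ this gives $1 - e^{-1} \approx 0.63$, so a single million tries is a strong bet rather than a certainty; at the campaign's $N = 8.1 \times 10^7$, $pN \approx 81$, $P \approx 1 - e^{-81} \approx 1$, and the expected number of hits is about 81 (78 were observed). The per-try probability never changed; only $N$ did, and $N$ is what zero cost buys.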

Why the good locks didn’t matter

Here is the part that stings. Many of the broken-into organisations had done the modern, responsible thing. They had turned on the extra check — the code-on-your-phone step that’s supposed to make a stolen password useless.

The attacker went around it, through an old, deprecated login path the system still quietly accepted. Not because the new lock was weak, but because it was never the door being used.

This is where the cheap-attempts logic gets its second edge. When trying is free, the attacker doesn’t need to defeat your best defence. They can spend a million free tries just looking for the one entrance you forgot to include in your defence. Effort that would be unthinkable for a human — methodically testing every door in a building, including the ones nobody’s opened in years — is trivial for a machine. The defender has to remember every door. The attacker only has to find the one that was forgotten, and free tries make finding it a matter of when.

The lopsided contest underneath

Step back and the shape is a contest that was never fair to begin with. The defender must be right about everything, every day: every account, every login path, every old setting nobody remembers turning on. The attacker must be right once, about any of it, and can try endlessly at no charge.

That asymmetry isn’t unique to computers. It’s the shape of every cheap-repeated-attempt problem. A scam call centre dials a million numbers to find the few who’ll fall for it — and the few is all it needs. A con that works on one person in ten thousand is still a career if the con costs nothing to run again. The rare sucker isn’t rare from the scammer’s chair; they’re inevitable. Volume launders improbability into certainty.

We are all standing on the wrong side of that math more often than we notice. Every leaked password sitting in a breach list is a free lottery ticket someone else holds against us. The reason a “hundred most common passwords” list is dangerous isn’t that your password is easy to guess. It’s that you are one of eighty-one million doors, and the machine has all the time in the world.

What the whole looks like from here

The instinct is to feel clever now — to say “so I’ll pick a better password” and move on. That’s the small version of the lesson, and it leaves out where you actually sit.

You are not the defender in this story, and you are not the attacker. You are one of the millions of doors. Your single good choice — a password nobody else has, the old login paths switched off — doesn’t win the contest. It just quietly removes you from the pile the machine is grinding through, and hands the rare-but-certain hit to the next door down the row.

Nobody chose to live inside a system where trying is free and the failures are automated and patient. It was built that way, one convenience at a time, by people solving other problems. Seeing that doesn’t make you safe. It makes you humble about how little of the contest any single one of us can see, or steer — and how much of our safety depends on the doors we’ll never know were tried.

03 · Lab · your turn

The Free-Tries Machine

Rehearse how a near-zero success rate becomes a certainty once trying is free, and how closing a forgotten door only removes you from the pile.

04 · Hope · carry this

The same free tries that let a machine grind through millions of doors also let a curious researcher find the unlocked one first — and hand it back instead of walking through. The people quietly closing forgotten doors outnumber the ones knocking, and most of them will never make a headline.

Across the beats