
Organizations that rely solely on interactive sign-in monitoring are likely blind to these attacks and their risks, which include account takeovers, business disruption, lateral movement, multifactor authentication (MFA) evasion, and potential conditional access policy (CAP) bypass.

“For organizations heavily reliant on Microsoft 365, this attack is a wake-up call,” said Darren Guccione, CEO and co-founder at Keeper Security, in an emailed statement to Dark Reading. “Robust cybersecurity isn’t just about having MFA — it’s about securing every authentication pathway. A password manager enforces strong, unique credentials while minimizing exposure to credential-based attacks. For noninteractive authentication, privileged access management (PAM) is essential, ensuring least-privilege access, regular credential rotation, and real-time monitoring of service accounts.”

As for the threat actors, the researchers believe they are likely a Chinese-affiliated group, though this theory remains unconfirmed.
