
FBI Seizes NetNut Proxy & Popa Botnet: Full Analysis
July 3, 2026
One in a million sounds like favorable odds—until you realize attackers sent hundreds of millions of authentication requests to find that needle. In June 2026, Microsoft disclosed that a sophisticated threat actor executed a large-scale password spray campaign against Microsoft 365 tenants, successfully compromising accounts across multiple industries despite hitting only a statistically tiny fraction of targeted credentials. The attack was quiet, patient, and devastatingly effective—a textbook example of how low-and-slow credential attacks evade modern defenses while still producing enterprise-level breaches.
This analysis breaks down what happened, why it worked, and what security teams need to do right now to close the gaps this campaign exposed.
What Actually Happened: Anatomy of the Attack
Password spraying is not new. The technique—attempting a small number of common passwords against a large pool of accounts—has been a staple of credential-based attacks for over a decade. What made this Microsoft 365 campaign notable was its operational precision and scale. According to Microsoft’s Threat Intelligence disclosures, the actor used a distributed botnet infrastructure spanning thousands of residential IP addresses to avoid triggering velocity-based detection rules. Each IP address made only one or two authentication attempts before rotating, keeping request rates well below standard lockout thresholds.
The “One in a Million” Statistic in Context
Microsoft’s own telemetry suggested the attacker achieved a success rate of approximately 0.001%—one successful compromise per roughly one million attempts. On the surface, that sounds negligible. But when the campaign generates an estimated 200–300 million authentication attempts over several weeks, even that microscopic success rate yields hundreds to low thousands of compromised accounts. Those accounts belonged to real people in real organizations: healthcare administrators, financial analysts, legal coordinators. Each compromised inbox becomes a launchpad for business email compromise (BEC), internal phishing, and data exfiltration.
Infrastructure and Tooling Observed
Researchers attributed the infrastructure to a threat cluster tracked under multiple aliases across vendor ecosystems. The actors leveraged legacy authentication protocols—specifically IMAP and POP3 endpoints—that bypass conditional access policies enforced only on modern authentication flows. This is a well-documented weakness: a tenant can have airtight Azure AD Conditional Access policies and still be exposed if legacy authentication remains enabled for even a small subset of users or service accounts.
Why Microsoft 365 Environments Remain High-Value Targets
Microsoft 365 sits at the intersection of identity, communication, and data storage for over 345 million paid seats globally, according to Microsoft’s FY2025 commercial cloud earnings report. That concentration makes it a structurally attractive target. Compromising a single M365 account gives an attacker immediate access to email history, SharePoint documents, Teams conversations, OneDrive files, and—depending on permissions—connected downstream SaaS applications via OAuth tokens.
The Legacy Authentication Problem Is Still Alive
Microsoft formally announced the deprecation of basic authentication for Exchange Online in October 2022. Yet security audits conducted by Mandiant and other firms throughout 2024 and 2025 consistently found that between 15% and 25% of enterprise tenants still had at least one legacy authentication vector active—often tied to aging line-of-business applications, shared mailboxes, or misconfigured service accounts. The June 2026 campaign exploited exactly this gap. When defenders patched the obvious front door years ago, threat actors simply walked around to the window left cracked open by operational necessity.
Detection Failures: Why Security Controls Missed It
The most instructive aspect of this campaign is not that it succeeded—it’s that it succeeded quietly. Organizations with mature SIEM deployments and Microsoft Defender for Identity licenses still found themselves blind to the activity until post-compromise indicators appeared. Understanding why reveals systemic detection gaps that extend far beyond this single incident.
Distributed Source IPs Defeat Velocity Rules
Traditional brute-force and spray detection relies on correlating multiple failed attempts from a single source or to a single account within a defined time window. When an attacker distributes requests across 50,000 residential proxies, each individual IP generates one failed login—statistically indistinguishable from a user mistyping their password on a home router. Microsoft’s own Entra ID (formerly Azure AD) Identity Protection uses machine learning to correlate these signals, but even ML-based anomaly detection has a baseline noise floor. The attackers appeared to have calibrated their request timing to stay beneath it.
Sign-In Log Retention Gaps
Microsoft 365 Business Standard and Business Premium plans retain Entra ID sign-in logs for only 30 days in the default configuration. The spray campaign ran for an estimated 6–8 weeks before initial compromise indicators surfaced. Organizations without a third-party SIEM ingesting sign-in logs in real time lost the early-phase telemetry entirely—making forensic reconstruction nearly impossible and incident response timelines far longer than they needed to be. The Verizon 2025 Data Breach Investigations Report noted that median attacker dwell time in cloud environments rose to 47 days, a trend this campaign reinforces.
The Business Email Compromise Chain That Followed
Password spray campaigns rarely end with the initial compromise. They’re a means to an end. In the cases Microsoft and third-party incident responders documented publicly, the post-compromise activity followed a consistent playbook that security teams should recognize and hunt for proactively.
From Compromised Inbox to Financial Fraud
After gaining access, the threat actor established inbox rules to silently redirect financial correspondence to attacker-controlled folders—a technique designed to intercept wire transfer confirmations or vendor payment discussions without alerting the account owner. In several confirmed cases, attackers impersonated the compromised user in conversations with finance teams and successfully redirected payments. The FBI’s Internet Crime Complaint Center (IC3) reported BEC losses of $2.9 billion in 2023, and trends suggest the figure continues to climb annually. This campaign’s downstream BEC activity represents a direct contribution to that trajectory.
OAuth Token Persistence
A subtler but equally dangerous post-compromise technique involved registering attacker-controlled OAuth applications within compromised tenants. Because OAuth tokens can persist independently of password changes, resetting an account password does not revoke existing application authorizations. Multiple organizations that reset compromised passwords without auditing OAuth grants found that attackers retained persistent access through delegated application permissions—sometimes for weeks after the “remediation” was considered complete.
Defensive Priorities: What Security Teams Must Act On Now
The good news is that this attack did not exploit a zero-day vulnerability in Microsoft’s platform. It exploited configuration gaps, legacy protocol remnants, and detection blind spots—all of which are fixable. The following defensive measures are ordered by impact-to-effort ratio based on what incident responders found most effective in containing similar campaigns.
Disable Legacy Authentication Without Exception
Run the following check immediately: in Entra ID, filter the Sign-in Logs by “Client App” to identify any authentication events using Exchange ActiveSync, IMAP, POP3, or Authenticated SMTP. If legacy protocol usage exists, trace it to its source application and develop a migration path. Microsoft’s Authentication Methods Activity workbook in Entra ID provides a consolidated view. Block legacy authentication with a Conditional Access policy that targets the “Other clients” client app type and is set to Block. If service accounts require legacy protocols for genuine operational reasons, document them, monitor them closely, and escalate the migration timeline.
Extend Sign-In Log Retention and SIEM Integration
Entra ID P1 or P2 licensing extends sign-in log retention to 90 days. For any organization handling sensitive data, that should be the floor, not the ceiling. Stream Entra ID diagnostic logs to a SIEM—Microsoft Sentinel, Splunk, or an equivalent—and build detection rules specifically for distributed spray patterns: failed authentications across many accounts from geographically diverse IPs within short windows, or successful authentications immediately following a series of failures from nearby IP ranges.
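The two spray patterns described above, written out as an added example (not the article’s or Microsoft’s own detection logic) in Python over a handful of constructed sign-in records. Field names follow the Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the accounts, IPs, timestamps and thresholds are invented for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

def rec(ts, user, ip, code):
    """Minimal sign-in record shaped like the Graph signIn resource (errorCode 0 = success)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}}

# Constructed sample: five accounts each fail once (50126 = invalid username or
# password) from five different IPs within 20 minutes, then one of them succeeds
# from the same /24 as its earlier failure. All values are invented.
SAMPLE_SIGNINS = [
    rec("2026-06-02T03:00:00Z", "a.lee@example.com", "203.0.113.10", 50126),
    rec("2026-06-02T03:04:00Z", "b.ortiz@example.com", "198.51.100.7", 50126),
    rec("2026-06-02T03:09:00Z", "c.nair@example.com", "192.0.2.33", 50126),
    rec("2026-06-02T03:13:00Z", "d.kim@example.com", "203.0.113.77", 50126),
    rec("2026-06-02T03:18:00Z", "e.cole@example.com", "198.51.100.200", 50126),
    rec("2026-06-02T03:25:00Z", "a.lee@example.com", "203.0.113.12", 0),
    rec("2026-06-02T09:00:00Z", "f.ross@example.com", "192.0.2.99", 0),
]

def ts(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def subnet24(ip):
    return ".".join(ip.split(".")[:3])

def detect_distributed_spray(signins, window=timedelta(minutes=30), min_accounts=5, max_per_ip=2):
    """Many accounts failing while no single IP exceeds max_per_ip: the low-and-slow shape velocity rules miss."""
    failures = sorted((r for r in signins if r["status"]["errorCode"] != 0), key=ts)
    for start in failures:
        bucket = [f for f in failures if ts(start) <= ts(f) < ts(start) + window]
        accounts = {f["userPrincipalName"] for f in bucket}
        per_ip = Counter(f["ipAddress"] for f in bucket)
        if len(accounts) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            return {"window_start": start["createdDateTime"], "accounts": len(accounts), "source_ips": len(per_ip)}
    return None

def success_after_nearby_failures(signins, window=timedelta(minutes=30)):
    """Success shortly after failures for the same account from the same /24: the spray likely found a password."""
    hits = []
    for ok in (r for r in signins if r["status"]["errorCode"] == 0):
        prior = [f for f in signins if f["status"]["errorCode"] != 0
                 and f["userPrincipalName"] == ok["userPrincipalName"]
                 and subnet24(f["ipAddress"]) == subnet24(ok["ipAddress"])
                 and ts(ok) - window <= ts(f) < ts(ok)]
        if prior:
            hits.append((ok["userPrincipalName"], ok["ipAddress"], len(prior)))
    return hits
```

Against real exports, tune `window`, `min_accounts` and `max_per_ip` to the tenant’s normal failure rate; a concentrated brute force from one IP deliberately does not match the first rule, since that is what existing velocity rules already catch.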
Enforce Phishing-Resistant MFA
Standard TOTP-based MFA is increasingly vulnerable to real-time phishing proxies such as Evilginx. Phishing-resistant authentication—FIDO2 hardware security keys or Windows Hello for Business with passkey support—eliminates the credential relay vector entirely. Microsoft’s Secure Score now includes a specific recommendation and scoring weight for phishing-resistant MFA adoption. Organizations should target 100% coverage for privileged accounts and finance roles as an immediate priority, with broader rollout following. CISA’s updated guidance from early 2026 specifically designates phishing-resistant MFA as a required baseline for critical infrastructure sectors.
Audit OAuth Application Grants Immediately
Navigate to Entra ID > Enterprise Applications and review all third-party OAuth applications with delegated or application permissions. Pay particular attention to applications granted Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, or Contacts.Read permissions. Any unfamiliar application should be treated as suspect. Implement a Conditional Access policy requiring admin approval for new OAuth application consent to prevent future unauthorized grants. Microsoft’s Cloud App Security (now Defender for Cloud Apps) provides automated OAuth app risk scoring that integrates directly into the investigation workflow.
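An added example, not the article’s or Microsoft’s own tooling: a Python pass over constructed records shaped like the Graph oauth2PermissionGrant resource that flags the delegated scopes named above, unapproved client apps, and grants consented by users known to be compromised, then lists the grant deletions that a password reset alone would not perform. The service principal names, ids, allowlist and compromised-user set are hypothetical.

```python
# Delegated scopes the article calls out, plus offline_access, which issues the
# refresh tokens that let an app keep working after a password reset.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Contacts.Read", "offline_access"}

# Constructed inventory: hypothetical service principals and grants shaped like the
# Graph oauth2PermissionGrant resource (scope is a space-separated string).
SERVICE_PRINCIPALS = {"sp-001": "Contoso Expense Sync", "sp-002": "Mail Helper Pro"}
GRANTS = [
    {"id": "g1", "clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read"},
    {"id": "g2", "clientId": "sp-002", "consentType": "Principal", "principalId": "user-a.lee",
     "scope": "offline_access Mail.ReadWrite Mail.Send"},
    {"id": "g3", "clientId": "sp-001", "consentType": "Principal", "principalId": "user-f.ross",
     "scope": "User.Read"},
    {"id": "g4", "clientId": "sp-001", "consentType": "Principal", "principalId": "user-a.lee",
     "scope": "User.Read"},
]
APPROVED_CLIENTS = {"sp-001"}          # hypothetical allowlist maintained by the tenant
COMPROMISED_USERS = {"user-a.lee"}     # principals identified during the incident

def audit_grants(grants, approved=APPROVED_CLIENTS, compromised=COMPROMISED_USERS):
    """Flag grants worth attention; mark for revocation those that are risky or unapproved."""
    findings = []
    for g in grants:
        risky = sorted(set(g["scope"].split()) & RISKY_SCOPES)
        unapproved = g["clientId"] not in approved
        reasons = []
        if risky:
            reasons.append("risky scopes: " + " ".join(risky))
        if unapproved:
            reasons.append("client not on approved list")
        if g["consentType"] == "Principal" and g["principalId"] in compromised:
            reasons.append("consented by a compromised user; confirm the user made it")
        if reasons:
            findings.append({"grant_id": g["id"], "app": SERVICE_PRINCIPALS.get(g["clientId"], g["clientId"]),
                             "revoke": bool(risky) or unapproved, "reasons": reasons})
    return findings

def revocation_paths(findings):
    """Graph paths to DELETE for each grant marked revoke; resetting the password leaves these in place."""
    return [f"/v1.0/oauth2PermissionGrants/{f['grant_id']}" for f in findings if f["revoke"]]
```

Application (app-only) permissions live in appRoleAssignments rather than oauth2PermissionGrants and need the same review; this block covers the delegated side only.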
What This Attack Reveals About the Current Threat Landscape
The June 2026 Microsoft 365 password spray campaign is not an outlier—it’s a signal. Threat actors have internalized that modern environments are increasingly hardened against exploitation-based initial access. Patching cadences have improved. EDR coverage has expanded. Zero-day prices on the gray market have climbed precisely because the demand for alternatives is high. Credential-based access—obtained through phishing, spraying, or purchasing from initial access brokers—has become the path of least resistance into enterprise environments.
Microsoft’s own Digital Defense Report 2025 documented that password attacks constitute over 99% of the identity-based attacks it observes, with spray campaigns representing the largest volume category. The attack surface is not the technology stack. The attack surface is the credential layer sitting in front of it—and that layer is only as strong as the weakest authentication configuration in the tenant.
Security leaders should use this incident as an internal forcing function. Board-level conversations about identity security investment have historically been difficult to sustain without a tangible incident narrative. This campaign—widely reported, technically documented, and directly attributable to common configuration failures—provides exactly that narrative. The organizations that respond to this news by auditing their own tenants will be materially better positioned than those that treat it as someone else’s problem.
Key Takeaways
- Low success rates don’t mean low impact: A 0.001% success rate across hundreds of millions of attempts still yields hundreds of compromised accounts, each representing real organizational risk.
- Legacy authentication is the open window: Even tenants with mature Conditional Access policies remain exposed if IMAP, POP3, or basic SMTP authentication endpoints are active. Audit and block them without exception.
- Detection requires more than default logging: Thirty-day log retention windows and velocity-based rules alone cannot catch distributed spray campaigns. SIEM integration, extended retention, and behavioral analytics are non-negotiable baseline requirements.
- Password resets are not complete remediation: Post-compromise OAuth application persistence means attackers can retain access after credentials are changed. Always audit and revoke OAuth grants as part of incident response.
- Phishing-resistant MFA is the structural fix: FIDO2 and passkeys eliminate the credential interception vector that makes spray-to-phishing-proxy chains possible. Adoption should be accelerated for high-risk roles immediately.
Conclusion: Turn News Into Action Before Your Organization Becomes the Next Case Study
The Microsoft 365 password spray campaign of June 2026 will be studied in security operations training materials for years. Not because the technique was novel, but because it succeeded at scale against organizations that believed their defenses were adequate. The gap between “we have MFA deployed” and “we are protected against credential-based attacks” is wider than most security teams realize—and this campaign measured that gap in compromised mailboxes and redirected wire transfers.
Your action item is specific and time-bounded: this week, pull your Entra ID sign-in logs, filter for legacy authentication protocols, audit your OAuth application grants, and verify your Conditional Access policies include an explicit block on legacy client authentication. If your organization lacks the Entra ID P1 or P2 licensing needed to build those policies, escalate that gap to leadership with this incident as the business case. The cost of the license is a rounding error compared to the median BEC loss of $125,000 per incident reported by IC3. The data makes the argument for you—use it.