Between June 12 and June 26, an actor operating under the name LSHIY LLC ran 81 million Microsoft 365 login attempts against targets across 64 organizations. By June 26, when Huntress published its analysis, 78 accounts were confirmed compromised across those organizations, with 30 identities falling in a single peak day on June 22. The raw numbers are large but not themselves the story. The mechanism is: LSHIY exploited the Resource Owner Password Credentials (ROPC) OAuth flow, a grant type Microsoft deprecated in 2019 that accepts plaintext username and password credentials and, by design, bypasses both Conditional Access Policy and MFA enforcement. This is not a CVE. There is no patch. The bypass works because it is supposed to work that way.
Microsoft deprecated ROPC because it concentrates credentials in the client and eliminates the broker-mediated authentication that makes MFA possible. The documentation recommends against it; the API still answers. Organizations with ROPC traffic enabled in their tenant were exposed throughout this campaign regardless of their MFA posture. Huntress reported a 155x surge in credential spray volume across its customer base during the June 12-26 window, indicating LSHIY’s campaign ran alongside coordinated spray infrastructure well beyond one actor’s footprint.
The Protocol Debt Problem
ROPC persists because legacy applications, particularly older on-premises tools integrated with Microsoft 365 before modern authentication matured, depend on it. Disabling it breaks those workflows. This is the same backward-compatibility calculus that kept NTLM alive for two decades and kept Basic Auth in Exchange for years past its useful life. The pattern is consistent: Microsoft deprecates a credential-handling mechanism, organizations carry it forward for compatibility, and attackers exploit it at scale precisely because the deprecation signaled where the soft tissue is.
What makes the LSHIY campaign analytically significant beyond its scale is the timing. Monday’s report covered the Klue/Icarus OAuth cascade, which weaponized OAuth delegation chains to cascade from one SaaS breach into simultaneous access across a dozen security vendors without exploiting a single additional CVE. LSHIY’s ROPC spray represents the other end of the same OAuth attack spectrum: not a sophisticated delegation pivot but brute-force credential stuffing against a protocol flow that strips MFA by architecture. Two independent OAuth attack vectors in the same week, from different actors with different sophistication levels, converging on the same structural weakness. Organizations that audited OAuth grants after Klue and declared the OAuth problem addressed should reconsider that assessment.
For defenders, the immediate action is identifying whether ROPC is active in your tenant. In Entra ID, navigate to Enterprise Applications and look for authentication flows with ROPC grants, or review sign-in logs filtered to Grant Type: password. Conditional Access policies with the “Authentication flows” condition and a ROPC block are available in Entra ID P1, though not all tenants have deployed them. Hunting on sign-in logs for the June 12-26 window, looking for high-velocity login attempts from non-interactive flows that never satisfied MFA, is the correct forensic starting point for any organization running Microsoft 365.
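One way to run that hunt over an export of sign-in logs, as an added example that is not part of this brief or of Huntress's tooling: it assumes records in the Microsoft Graph signIn shape (authenticationProtocol, isInteractive, authenticationRequirement, status.errorCode), and the IP address, users and timestamps in the sample are constructed.

```python
"""Hunt for ROPC credential spray in exported Entra ID sign-in logs.
Added example, not Huntress or Microsoft code. Assumes records shaped like the
Microsoft Graph signIn resource (authenticationProtocol, isInteractive,
authenticationRequirement, status.errorCode); all sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime

SPRAY_IP, SF = "203.0.113.7", "singleFactorAuthentication"  # constructed values

def _rec(ts, user, ip, proto, interactive, requirement, code):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "authenticationProtocol": proto, "isInteractive": interactive,
            "authenticationRequirement": requirement, "status": {"errorCode": code}}

SAMPLE_LOGS = [  # constructed, not real telemetry; errorCode 50126 = bad password, 0 = success
    _rec("2026-06-05T01:00:00Z", "old@example.com", SPRAY_IP, "ropc", False, SF, 50126),
    _rec("2026-06-22T03:14:00Z", "alice@example.com", SPRAY_IP, "ropc", False, SF, 50126),
    _rec("2026-06-22T03:14:02Z", "bob@example.com", SPRAY_IP, "ropc", False, SF, 50126),
    _rec("2026-06-22T03:14:04Z", "carol@example.com", SPRAY_IP, "ropc", False, SF, 50126),
    _rec("2026-06-22T03:14:06Z", "dana@example.com", SPRAY_IP, "ropc", False, SF, 0),
    _rec("2026-06-22T03:14:08Z", "erin@example.com", SPRAY_IP, "ropc", False, SF, 50126),
    _rec("2026-06-22T09:00:00Z", "alice@example.com", "198.51.100.4", "authorizationCode",
         True, "multiFactorAuthentication", 0),
]

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def is_ropc(rec):
    """ROPC shows up as a non-interactive sign-in whose protocol is 'ropc'."""
    return rec.get("authenticationProtocol") == "ropc" and not rec.get("isInteractive", True)

def ropc_sign_ins(records, start_iso, end_iso):
    """Return the ROPC records whose createdDateTime falls in [start, end)."""
    start, end = _ts(start_iso), _ts(end_iso)
    return [r for r in records if is_ropc(r) and start <= _ts(r["createdDateTime"]) < end]

def spray_summary(records, min_attempts=3):
    """Group ROPC attempts by source IP and keep IPs at or above min_attempts."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "mfa_bypass_success": []})
    for r in records:
        entry = by_ip[r["ipAddress"]]
        entry["attempts"] += 1
        entry["users"].add(r["userPrincipalName"])
        # Success with only single-factor auth = valid password accepted, MFA never ran.
        if r["status"]["errorCode"] == 0 and r.get("authenticationRequirement") == SF:
            entry["mfa_bypass_success"].append(r["userPrincipalName"])
    return {ip: e for ip, e in by_ip.items() if e["attempts"] >= min_attempts}
```

Run `spray_summary(ropc_sign_ins(SAMPLE_LOGS, "2026-06-12T00:00:00Z", "2026-06-27T00:00:00Z"))` to get, per source IP, the attempt count, the set of sprayed users, and the accounts where a password was accepted without MFA; the interactive, MFA-backed sign-in and the record outside the window are excluded.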
SimpleHelp: CVSS 10.0, Federal Deadline Today, Payloads Targeting AI Keys
The other development that cannot wait for Monday’s report: CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog on June 29 with a federal remediation deadline of today, July 2. The flaw is a CVSS 10.0 signature-verification skip in SimpleHelp’s OIDC authentication flow. An unauthenticated attacker forges identity tokens, creates a Technician account, and obtains administrative control over every endpoint that RMM instance manages. Arctic Wolf confirmed active exploitation delivering the TaskWeaver loader and Djinn Stealer. The specific payload detail matters: Djinn Stealer targets cloud and AI API keys, not just general credential stores.
The attacker logic here is efficient. Compromising an RMM platform gives administrative access to every managed endpoint in one operation. Targeting API keys for cloud and AI services in the resulting payload positions attackers to monetize compromised credentials through cloud resource abuse and AI inference hijacking, both increasingly high-value paths given the compute costs and access those credentials represent. Patches shipped in late May as SimpleHelp versions 5.5.16 and 6.0 RC2. An organization that has not applied those patches in the five weeks since release is running CVSS 10.0-exposed RMM infrastructure with active exploitation in the wild. The KEV deadline gives federal agencies until end of business today; private sector organizations should treat that timeline as a benchmark, not a maximum.
A third vulnerability worth flagging: Progress Kemp LoadMaster CVE-2026-8037 (CVSS 9.6) saw exploitation attempts on June 29, the same day watchTowr Labs published a detailed write-up with a full exploit chain. The root cause is an uninitialized buffer in the escape_quotes() sanitization function that omits a null terminator, allowing OS command injection as root via an unauthenticated API request. eSentire’s Threat Response Unit confirmed active exploitation attempts within hours of publication. Kemp LoadMaster is widely deployed in financial services and healthcare load-balancing infrastructure. Same-day exploitation of a published PoC is now a consistent enough pattern that any public PoC publication for a network-exposed component should trigger immediate patching triage rather than the traditional 30-day patch window reasoning.
Escalation from Monday: Japan Sector Wave Extends
Monday’s report noted KDDI’s disclosure of a 14.2 million account credential breach as a standalone item. Since then, Aflac Life Insurance Japan confirmed attackers accessed its policyholder portal between June 15 and June 25, extracting records on 4.38 million customers including names, addresses, dates of birth, and insurance policy details, with bank transfer account data for approximately 230,000 individuals also exfiltrated. Japanese brewer Sapporo and electronics manufacturer Nidec disclosed separate cyber incidents in the same week.
Four significant breach disclosures from Japanese organizations in ten days is not coincidence at this point; it is a targeting pattern. The KDDI incident and Aflac Japan breach both show access windows that opened in mid-June, which suggests a coordinated campaign rather than independent opportunistic attacks. No single threat actor has been publicly attributed across these incidents. That attribution gap is itself worth noting: concentrated sector targeting without a clear threat actor signal often means initial access brokers are selling the same access across separate buyers, or a single actor is managing multiple simultaneous intrusions and releasing disclosures on its own schedule.
What to Watch
Two threads before Monday. The Kemp LoadMaster same-day exploitation established that PoC publication latency is now measured in hours for network-exposed appliances; Progress has not published patch version timelines for all affected LoadMaster branches (GA versions through 7.2.63.1 and LTSF versions through 7.2.54.17), and the financial sector deployment footprint means this could surface in major breach disclosures quickly. Separately, watch for ROPC spray tooling to commoditize: the LSHIY campaign demonstrates that ROPC bypass infrastructure can run at 81 million attempts over two weeks from a single named entity. That playbook will be replicated.
Security Unlocked publishes threat intelligence and strategic analysis twice weekly. This mid-week brief covers developments from June 29, 2026 through July 2, 2026.