The 90-Day Siege: Inside a Global Campaign


I love posts that come directly from the trenches because they highlight the real operational reality behind the scenes. This time, we are sharing insights from one of our research projects focused on a specific campaign.

This post presents a comprehensive 90-day analysis of identity attacks, such as password spraying, brute force, and other activities observed across Entra ID from December 2025 through March 2026, covering three geographic regions: the United States, the European Union, and Australia. The analysis encompasses more than 45 million authentication events, revealing a sustained, coordinated, multi-source credential attack campaign that operated continuously for the entire observation period.

Authentication telemetry over the 14-week observation window indicates a sustained, high-volume brute-force campaign with stable, predictable weekly patterns. US-sourced wrong-password events consistently plateaued between approximately 570,000 and 637,000 per week from late December through early March, translating to an average rate of ~59 failed authentication attempts per minute on a continuous, 24/7 basis.


Password Spray Velocity

The stepped area chart of password spray velocity illustrates the ‘always-on’ nature of this campaign. The velocity remained above the 50 failures/minute danger threshold for 12 consecutive weeks. The dramatic cliff drop in the week of March 16 represents an 83% reduction, from a 12-week average of approximately 61 failures/minute to just 10.8 failures/minute. The peak of 63.4/minute was observed in the week of March 9.

[Figure: Password Spray Velocity (US Region). Failed authentications per minute by week, late December through early April; the Danger Zone threshold is marked, and the late drop is labelled Campaign Shift.]

Attack traffic rapidly escalates from an initial baseline to a sustained plateau ranging between ~55–63 attempts per minute, consistently exceeding the defined alert threshold (50/min). This sustained elevation indicates automated password spraying activity rather than opportunistic or manual attempts.

The campaign demonstrates operational stability and controlled execution, with minimal fluctuation over multiple weeks, suggesting the use of distributed infrastructure and rate-limiting evasion techniques to remain below hard lockout thresholds while maximizing coverage.

Notably:

  • The attacker maintains persistent pressure within a narrow velocity band, indicative of credential stuffing or password spraying tooling configured for stealth and longevity.
  • Activity remains continuously above the detection threshold, signaling ongoing exposure and elevated risk to account security.
  • A sharp drop-off near the end of the timeline likely reflects campaign termination, infrastructure rotation, or temporary throttling following detection or mitigation actions.

Overall, the pattern aligns with a long-running, low-and-slow authentication attack campaign optimized for evasion, scale, and persistence, rather than short-lived brute-force spikes.

Cross-Region Attack Volume

The US region remained the primary attack surface, consistently accounting for ~80% of total observed authentication events across all regions, indicating concentrated adversary focus and infrastructure targeting.

In contrast, EU telemetry exhibited a distinct behavioral pattern, where lockout events significantly outpaced wrong-password attempts, suggesting a divergent attack methodology, likely credential stuffing leveraging higher-confidence credential sets that increase lockout frequency. Meanwhile, AU activity, although comparatively low in volume, demonstrated a gradual escalation through February before tapering off in March, potentially indicating opportunistic targeting or spillover from broader campaign infrastructure.

[Figure: Cross-Region Attack Volume. Weekly bar chart of authentication attack events for US (red), EU (blue), and AU (green); the US leads throughout, with all three regions peaking in the same week before declining.]

This cross-region authentication attack volume reveals clear priorities for adversary targeting.

  • The US consistently dominates activity, indicating that it is the campaign’s primary focus.
  • EU activity remains lower but shows a steady increase, suggesting gradual expansion or adaptive targeting.
  • AU maintains the lowest volume, with a similar upward trend before declining.

The synchronized growth across regions points to coordinated infrastructure and distributed execution. The sharp drop at the end likely reflects campaign disruption, infrastructure rotation, or mitigation efforts impacting attacker operations.

Account Lockout Trends

Account lockouts are a lagging indicator of password spray intensity. US lockouts peaked at 257,764 in the week of March 2, the highest weekly lockout count in the observation period, corresponding to organizational accounts being cycled through attacker password lists.

EU lockouts showed a dramatic escalation from a baseline of approximately 30,000/week to a peak of 127,989 in the week of March 16, suggesting a secondary spray campaign that intensified as the US campaign wound down. This is a significant finding: the EU lockout surge beginning in late February may represent a coordinated handoff or parallel campaign by the same threat actor.

[Figure: Account Lockout Trends by Region. Weekly account lockouts for US, EU, and AU, with the US peak above 250K highlighted.]

The lockout trends indicate a high-risk authentication attack campaign with measurable user impact and potential exposure to account compromise. The sustained and increasing lockout volumes, particularly in the US region, suggest effective password spraying or credential stuffing activity reaching lockout thresholds at scale, increasing the likelihood of successful account access attempts within the same campaign.

Password Spray Infrastructure Analysis

Analysis of the IP addresses responsible for spray activity reveals a highly distributed botnet infrastructure spanning 25+ countries. The geographic diversity, combined with the coordination in targeting patterns, is consistent with a professional threat actor renting or controlling a proxy/VPS network, or leveraging a commercially available credential testing service.

[Figure: Top 20 spray source IP addresses, US region, 90 days. Horizontal bars rank IPs by unique users targeted.]

Every IP in the top 20 carries an AbuseIPDB score of 100/100 and achieved zero successful authentications — confirming these are purely spray sources without direct compromise capability. The top IP (87.103.126.54, Portugal) targeted 1,856 unique users, approximately 1.8x as many as the 20th-ranked IP. The 103.x.x.x South African IP cluster (102.53.15.17, .18, .56) targeting 3,457 users combined suggests a sub-region within the botnet assigned specifically to African exit nodes.
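The ranking above (unique users targeted per source IP, with zero successful authentications marking a pure spray source) can be reproduced from sign-in records. The following Python is an added illustration, not the report's own tooling: the records are constructed, the field names (ipAddress, userPrincipalName, userAgent, resultType) mirror Entra ID sign-in log fields, and the result codes used are 0 (success), 50126 (invalid username or password) and 50053 (account locked). It also goes one step beyond the text by separating sources that obtained a success after failures, which are the ones worth an incident-response look rather than a block list entry.

```python
"""Rank password-spray source IPs from Entra ID style sign-in records.

Added example (not code from the report). Records are constructed; the
tuple layout mirrors Entra ID sign-in log fields:
    (ipAddress, userPrincipalName, userAgent, resultType)
Result codes: 0 = success, 50126 = invalid credentials, 50053 = account locked.
"""
from collections import defaultdict
from dataclasses import dataclass

SUCCESS = 0
INVALID_CREDENTIALS = 50126
ACCOUNT_LOCKED = 50053

# Constructed sample; addresses are from RFC 5737 documentation ranges.
SIGNIN_LOG = [
    # Spray source: five distinct users, one attempt each, all failing over BAV2ROPC.
    ("198.51.100.7", "alice@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("198.51.100.7", "bob@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("198.51.100.7", "carol@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("198.51.100.7", "dave@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("198.51.100.7", "erin@example.com", "BAV2ROPC", ACCOUNT_LOCKED),  # tripped lockout
    # Second source: failures across users, then one success on a sprayed account.
    ("203.0.113.9", "alice@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("203.0.113.9", "bob@example.com", "BAV2ROPC", INVALID_CREDENTIALS),
    ("203.0.113.9", "frank@example.com", "BAV2ROPC", SUCCESS),
    # Ordinary interactive sign-ins from a single address.
    ("192.0.2.44", "alice@example.com", "Mozilla/5.0", SUCCESS),
    ("192.0.2.44", "alice@example.com", "Mozilla/5.0", SUCCESS),
]


@dataclass
class SourceProfile:
    ip: str
    attempts: int
    unique_users: int
    successes: int
    lockouts: int
    ropc_attempts: int  # attempts whose user agent names an ROPC flow


def profile_sources(records):
    """Aggregate per-IP counters: attempts, distinct targets, successes, lockouts."""
    buckets = defaultdict(list)
    for ip, upn, user_agent, code in records:
        buckets[ip].append((upn, user_agent, code))
    profiles = {}
    for ip, rows in buckets.items():
        profiles[ip] = SourceProfile(
            ip=ip,
            attempts=len(rows),
            unique_users=len({upn for upn, _, _ in rows}),
            successes=sum(1 for _, _, code in rows if code == SUCCESS),
            lockouts=sum(1 for _, _, code in rows if code == ACCOUNT_LOCKED),
            ropc_attempts=sum(1 for _, ua, _ in rows if "ROPC" in ua),
        )
    return profiles


def spray_sources(records, min_users=3):
    """IPs that touched at least min_users distinct accounts and never succeeded,
    ranked by breadth of targeting (the chart's ordering)."""
    pure = [p for p in profile_sources(records).values()
            if p.unique_users >= min_users and p.successes == 0]
    return sorted(pure, key=lambda p: (-p.unique_users, p.ip))


def compromise_candidates(records):
    """IPs that failed against several accounts and still obtained a success:
    these are not pure spray sources and warrant account-level investigation."""
    return sorted(p.ip for p in profile_sources(records).values()
                  if p.successes > 0 and p.attempts > p.successes and p.unique_users >= 2)


if __name__ == "__main__":
    for p in spray_sources(SIGNIN_LOG):
        print(f"spray source {p.ip}: {p.unique_users} users, {p.lockouts} lockouts, "
              f"{p.ropc_attempts}/{p.attempts} ROPC attempts")
    print("investigate:", compromise_candidates(SIGNIN_LOG))
```

The min_users threshold is the knob that separates a spray (breadth across accounts) from a brute force (depth against one account); on real volumes it would be set far higher than 3 and evaluated per time window rather than over a whole log.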

Attack Geographic Distribution

South Korea dominates the spray infrastructure with 18 unique IPs, all originating from KT (Korea Telecom), South Korea’s largest ISP. This concentration on a single ISP suggests either a specific targeting of Korean infrastructure or that KT’s network is commonly exploited for residential/business proxy abuse. China contributes 10 IPs across China Unicom (6), China Telecom (2), and China Mobile (2).

[Figure: Spray Infrastructure by Country (90 Days), treemap. Largest areas: China, South Korea, Russia, and the United States; smaller blocks represent other countries; color indicates number of IPs.]

ISP Concentration Analysis

[Table: ISP concentration, with columns ISP, Country, IP Count, and Risk Assessment. Recorded rows: KT (South Korea), 18 IPs, Critical; China Unicom (China), 6 IPs, High; the remaining ISPs have lower counts and medium to low risk.]

Attack Protocol Analysis

The attack protocol distribution, with BAV2ROPC dominating at 78%, indicates primary adversary reliance on non-interactive authentication flows. This method is notable for bypassing legacy MFA and Conditional Access controls, significantly increasing the risk of account compromise.

Interactive browser activity accounts for 10%, while other protocols remain minimal. The heavy concentration on BAV2ROPC suggests deliberate attacker optimization for stealth, scalability, and control evasion within identity infrastructure.

[Figure: Attack Protocol, donut chart. BAV2ROPC 78%, Interactive Browser 10%, Windows-AzureAD-Auth 7%, PRT (sts and mobile) 3%, Other 2%. Annotation: BAV2ROPC bypasses MFA enforcement.]

BAV2ROPC Deep Dive

BAV2ROPC (Basic Authentication Version 2, Resource Owner Password Credentials) is a legacy OAuth 2.0 flow that transmits credentials directly to Microsoft’s authentication endpoint. Unlike interactive browser-based authentication, ROPC flows bypass many security controls, including device compliance checks, location-based Conditional Access, and some MFA enforcement mechanisms.

The BAConsumerV2ROPC variant was also observed, targeting consumer Microsoft accounts using the same bypass technique. Together, these two ROPC variants accounted for approximately 80% of all spray attempts observed in this analysis.

[Table: OAuth 2.0 ROPC flow attributes, values, and security impact. Grant type: password; partial MFA bypass; Conditional Access weaknesses; highest-risk exposures highlighted.]

Behavioral Indicators

[Table: Behavioral indicators with columns Indicator, Severity, and Description. Critical and High severities are assigned to the user-agent, IP targeting, and account compromise indicators.]

Entra ID Error Code Reference

[Table: Entra ID error code reference with columns Error Code, Meaning, Attack Relevance, and Recommended Action. Rows 50074 and 50140 are highlighted as session-compromise indicators, with a forced password reset recommended.]

Failures Per Minute Analysis

This chart shows the average number of failed authentications per minute across all three operational regions over the full 90-day observation period. The metric is calculated by dividing total daily failures (invalid credentials + account lockouts) by 1,440 minutes per day.

[Figure: Failed authentication attempts per minute by region, stacked area chart over the full 90-day period, with annotated peaks, averages, and notable events; a bottom panel shows severity color coding.]

  • Peak velocity of 135 failed authentications per minute (combined) occurred on March 14, 2026, driven by a massive US-region spray surge that generated 170,957 total failures in a single day (118.7 fails/min in the US alone). This represents one failed authentication attempt every 0.44 seconds.
  • The campaign maintained a sustained baseline of 75-90 combined fails/min from December 2025 through mid-March 2026 (83 consecutive days). This consistency across weekends and holidays confirms a fully automated, 24/7 botnet infrastructure with no human operator involvement.
  • The dramatic cliff on March 16 saw US failures drop from 74/min to 36/min overnight, cutting the combined rate in half. However, EU failures simultaneously surged from a baseline of ~7/min to 17-19/min, suggesting a partial infrastructure migration from US to EU targets.
  • The severity color coding in the bottom panel shows the US region spent 79 of 90 days (88%) above the ELEVATED threshold (60 fails/min), and only dropped below MODERATE (40 fails/min) after the March 16 campaign shift. The current rate of ~31 combined fails/min still exceeds healthy baselines.

A secondary spike in February (104 combined fails/min) preceded the main surge and may have represented a test run or a target list refresh by the spray campaign operator. The January spike (88/min) follows the same pattern.
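The velocity metric defined above (daily invalid-credential plus lockout failures divided by 1,440 minutes) and the severity banding used in the chart's bottom panel are easy to recompute from daily totals. The Python below is an added example, not the report's code: the three days of per-region totals are constructed (they are not the report's data), and the band thresholds are the report's own MODERATE (40), danger (50) and ELEVATED (60) fails/min. Running it on a full 90-day export would give the "days above threshold" figure quoted for the US region.

```python
"""Failures-per-minute velocity and severity banding for daily failure totals.

Added example (not code from the report). Daily totals are constructed;
the thresholds are the ones the report uses.
"""
MINUTES_PER_DAY = 1_440

# Highest band first; a rate is labelled with the first floor it reaches.
SEVERITY_BANDS = [("ELEVATED", 60.0), ("DANGER", 50.0), ("MODERATE", 40.0)]

# Constructed sample: date -> {region: (invalid_credentials, lockouts)}
DAILY_FAILURES = {
    "2026-03-14": {"US": (150_000, 20_957), "EU": (9_000, 1_080), "AU": (1_000, 440)},
    "2026-03-15": {"US": (100_000, 6_560), "EU": (8_640, 1_440), "AU": (1_296, 144)},
    "2026-03-16": {"US": (45_000, 6_840), "EU": (22_000, 3_920), "AU": (1_008, 432)},
}


def fails_per_minute(invalid_credentials, lockouts):
    """The report's metric: total daily failures spread over 1,440 minutes."""
    return (invalid_credentials + lockouts) / MINUTES_PER_DAY


def seconds_between_failures(rate_per_minute):
    """Mean interval between failures at a given per-minute rate."""
    return 60.0 / rate_per_minute


def severity(rate_per_minute):
    """Map a per-minute rate onto the chart's severity bands."""
    for label, floor in SEVERITY_BANDS:
        if rate_per_minute >= floor:
            return label
    return "BASELINE"


def summarize(daily):
    """Per-day regional and combined rates with the combined severity label."""
    summary = []
    for date, regions in sorted(daily.items()):
        per_region = {region: fails_per_minute(*counts) for region, counts in regions.items()}
        combined = sum(per_region.values())
        summary.append({
            "date": date,
            "regions": per_region,
            "combined": combined,
            "severity": severity(combined),
        })
    return summary


def days_at_or_above(daily, region, threshold):
    """Count days on which one region's rate reached a threshold."""
    return sum(1 for regions in daily.values()
               if fails_per_minute(*regions[region]) >= threshold)


if __name__ == "__main__":
    for day in summarize(DAILY_FAILURES):
        regional = ", ".join(f"{r} {v:.1f}" for r, v in day["regions"].items())
        print(f"{day['date']}: {regional}; combined {day['combined']:.1f}/min "
              f"({day['severity']}, one failure every "
              f"{seconds_between_failures(day['combined']):.2f}s)")
    print("US days at or above ELEVATED:", days_at_or_above(DAILY_FAILURES, "US", 60))
```

Splitting the totals into invalid-credential and lockout counts keeps the two inputs visible: a rising lockout share at a steady overall rate is the signature the lockout section describes, and it is lost once the two are summed upstream.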

MSP Angle: Multi-Tenant Risk at Scale

For Managed Service Providers (MSPs), campaigns like this introduce amplified risk due to the multi-tenant nature of identity infrastructure. A single coordinated credential attack does not target one environment. It scales horizontally across multiple tenants, increasing both exposure and potential impact.

The sustained volume and distribution observed in this campaign indicate that attackers are systematically targeting identities across managed environments. Weak configurations, inconsistent MFA enforcement, or legacy authentication gaps in a single tenant can serve as entry points while remaining hidden amid high authentication noise.

Protocols such as BAV2ROPC further complicate defense by enabling authentication flows that bypass traditional Conditional Access and MFA protections, reducing the effectiveness of standard security baselines.

Operationally, this results in increased alert fatigue, an elevated risk of credential reuse across tenants, and detection challenges as attack traffic blends with legitimate activity.

Tips for MSPs

  • Adopt Phishing-Resistant Authentication with Passkeys: Standardize on passkeys and FIDO2-based authentication across all tenants to eliminate phishing and significantly reduce the risk of credential theft, especially for privileged and external access.
  • Minimize Blast Radius by Design: Architect environments to limit impact through least privilege, role segmentation, Just-In-Time (JIT) access, and strict administrative boundaries, containing compromise within isolated scopes.
  • Eliminate Password Dependency: Transition to passwordless or password-minimized authentication models to neutralize password spraying and credential stuffing attack vectors.
  • Leverage Identity Threat Detection and Response (ITDR): Deploy advanced identity-focused detection that correlates behavioral signals to identify attacker techniques such as token abuse, anomalous access patterns, and stealthy persistence.
  • Standardize Security Baselines: Ensure consistent Conditional Access, password policies, and monitoring configurations across all tenants.

Closing

This campaign reinforces a critical reality: identity has become the primary battleground. The scale, persistence, and coordination observed over these 90 days highlight how adversaries are optimizing for stealth, longevity, and success against modern authentication systems. Defenders must assume continuous exposure and adapt accordingly by strengthening controls, visibility, and resilience across identity infrastructure.

Resources

Discover more tools, scripts and tips in the Security Research Labs
