Threat Actor Uses Deprecated OAuth 2.0 Authentication Flow Attackers behind a password-spraying campaign targeting Microsoft Office 365 accounts have amassed dozens of victims by abusing a deprecated feature in OAuth 2.0 to generate access tokens, in some cases sidestepping multifactor authentication controls, warn researchers.