The issue is caused by legacy Microsoft 365 settings such as WS-Trust. Confirm whether these settings are still required.
Follow the steps below in order to secure your environment.
Step 1: Review the OneLogin Logs
Navigate to Activity > Events and filter for User Failed Authentication to confirm if failed attempts specifically cite WS-Trust authentication, which indicates a password spray attempt.

Step 2: Understand the Source of the Attacks
Recognize that these attacks target Microsoft 365 rather than OneLogin directly; Microsoft 365 passes these failures and source IPs to OneLogin through legacy protocols that lack modern security protections.

Step 3: Check If WS-Trust Is Actually Needed
Determine if your environment requires WS-Trust, as it is typically only necessary for AD-Joined or AAD-Joined machines; if these are not in use, the protocol can be safely disabled.

Step 4: Enable Modern Authentication in Microsoft 365
Verify that Modern Authentication is active within the Microsoft 365 Admin Center to ensure your environment utilizes stronger security controls against legacy-based attacks.

Step 5: Disable Legacy Authentication Protocols
In the Microsoft 365 Admin Center, disable IMAP, POP, and EAS to prevent attackers from using these vulnerable protocols to conduct unauthorized login attempts.

Step 6: Update the Office 365 App in OneLogin
Align your OneLogin configuration with Microsoft security updates by opening the Office 365 V2 app, navigating to the Configuration tab, and unchecking the WS-Trust box.
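
For the log review in Step 1, one way to triage an exported event list offline and separate spray sources from a single user retrying. This is an added example, not OneLogin tooling: the CSV column names, the sample rows and the `min_users` threshold are constructed assumptions, so map them to the fields in your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions for illustration,
# not OneLogin's actual export schema; IPs are from documentation ranges.
SAMPLE_EVENTS = """\
timestamp,event,user,ip,detail
2026-01-10T08:00:01Z,User Failed Authentication,alice@example.com,203.0.113.7,WS-Trust authentication failed
2026-01-10T08:00:03Z,User Failed Authentication,bob@example.com,203.0.113.7,WS-Trust authentication failed
2026-01-10T08:00:05Z,User Failed Authentication,carol@example.com,203.0.113.7,WS-Trust authentication failed
2026-01-10T08:02:11Z,User Failed Authentication,dave@example.com,198.51.100.20,Invalid password at login page
2026-01-10T08:03:40Z,User Failed Authentication,dave@example.com,198.51.100.20,WS-Trust authentication failed
2026-01-10T08:04:00Z,User Logged In,alice@example.com,192.0.2.15,
"""


def ws_trust_failures_by_ip(csv_text):
    """Map source IP -> {"users": set, "count": int} for WS-Trust failures only."""
    by_ip = defaultdict(lambda: {"users": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"].strip() != "User Failed Authentication":
            continue
        if "ws-trust" not in (row["detail"] or "").lower():
            continue  # failed login through another path, not the legacy endpoint
        entry = by_ip[row["ip"].strip()]
        entry["users"].add(row["user"].strip().lower())
        entry["count"] += 1
    return dict(by_ip)


def likely_spray_sources(csv_text, min_users=3):
    """IPs whose WS-Trust failures span many accounts (spray), not one user retrying."""
    stats = ws_trust_failures_by_ip(csv_text)
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    for ip, s in ws_trust_failures_by_ip(SAMPLE_EVENTS).items():
        print(f"{ip}: {s['count']} WS-Trust failures across {len(s['users'])} users")
    print("Likely spray sources:", likely_spray_sources(SAMPLE_EVENTS))
```

Run the same check again after completing Step 6: WS-Trust failures should stop appearing once the protocol is disabled.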