Threat actors exploited an exposed Spring Boot Actuator endpoint and plaintext credentials found in a spreadsheet to authenticate via the legacy ROPC flow. This allowed them to bypass MFA, obtain a Microsoft Graph access token, and exfiltrate sensitive data from SharePoint Online without deploying malware.