The global campaign, which occurred between July and September, mostly targeted organizations in the Americas region.
The two important-severity flaws are publicly known and are part of Microsoft’s regularly scheduled Patch Tuesday releases, which overall included more than 100 fixes.
An Iran state-backed group called Peach Sandstorm is using password spraying attacks to target cloud environments in organizations across many industries.
Microsoft is warning enterprises about a recent Teams-based phishing campaign operated by a developing thrat group known as Storm-0342.
The Microsoft flaws join a rash of zero days disclosed over the past week by various companies, including Apple, Google and Adobe.