[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLKa1LIMS-vYEjSjRwPYW-U7TGWBXGcGyj5ZKBo4ZnqU":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"2e1d54da-cb76-46b6-afa8-30c0be03ddd1","Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts","azure-cli-password-spray-hits-at-least-78-microsoft-accounts-in-81m-attempts-374f9a","Cybersecurity researchers have warned of a \"massive, ongoing, automated password spray attack\" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::\u002F32) controlled by internet infrastructure provider LSHIY LLC (AS32167). \"Between June 12 and June 26, the threat","A massive, automated password spray attack targeting Microsoft's Azure CLI has compromised at least 78 accounts across 64 organizations. The threat actor utilized a deprecated OAuth flow (ROPC) to bypass Conditional Access policies, even in environments with MFA enabled, by exploiting misconfigurations. The attack, originating from an IPv6 range controlled by LSHIY LLC, involved over 81 million login attempts between June 12 and June 26, 2026.","Azure CLI targeted by password spray attack, compromising 78 accounts via deprecated OAuth flow.","Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts. Ravie Lakshmanan, Jul 01, 2026. Password Security \u002F Cloud Security. Cybersecurity researchers have warned of a \"massive, ongoing, automated password spray attack\" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. 
The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::\u002F32) controlled by internet infrastructure provider LSHIY LLC (AS32167). \"Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations,\" the company said in a statement. \"The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry.\" What makes the password spray attack noteworthy is not only the scale, but also the fact that many of the compromised organizations had Conditional Access policies enabled. Specifically, the campaign has been found to leverage a deprecated OAuth flow called Resource Owner Password Credentials (ROPC) to bypass Conditional Access Policy (CAP) protections. ROPC is a legacy OAuth 2.0 grant type where a user directly provides their username and password to a client application, which then sends these credentials to an authorization server to exchange them for an access token. It was deprecated in OAuth 2.1. In its documentation, Microsoft recommends customers against using the ROPC, arguing it's incompatible with multi-factor authentication (MFA). \"In most scenarios, more secure alternatives are available and recommended,\" the tech giant says. \"This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable.\" The credential and token spray attacks are said to have resulted in a handful of successful logins per day between June 12 and 21, 2026, averaging two to four accounts being compromised daily, with the exception of June 19, when 12 user accounts (aka identities) were compromised. The steady cadence changed on June 22, with 30 identities across 23 businesses impacted. 
In all, 78 user accounts were compromised across 64 organizations as part of the campaign. The vast majority of the password spraying activity emanated from LSHIY LLC. Some of the IP addresses resolve to the U.S., while a few others resolve to China. \"These attacks are part of a large wave of credential spray attacks across a few different ASNs,\" Huntress said, adding it has witnessed the volume of credential spray attacks surge by over 155 times across its customer base. \"Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant.\" The activity appears to specifically weaponize old username\u002Fpassword combinations that were previously breached but had never been rotated. The use of the ROPC vector meant that the attackers were able to target enterprises that had implemented MFA, but it wasn't enforced or configured to account for Azure CLI ROPC logins. This included scenarios where MFA wasn't triggered: enforcing MFA only for specific apps, as opposed to \"All Cloud Apps,\" thereby failing to cover Azure CLI logins used by the threat actors; enforcing MFA only for specific user groups, such as Admins; and enforcing MFA only when requests originate from non-trusted locations. \"It's worth noting that eight businesses impacted by the campaign had no MFA policy at all,\" Huntress said. \"While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn't work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents.\" To counter this line of attack, organizations are advised to require MFA for All Users, All Cloud Apps, and All Client App types when enabling CAP, restrict the Azure CLI application for non-admin users, and prioritize response by credential validity. 
\"This attack reveals cracks in CAPs that haven't been appropriately configured,\" Huntress researchers concluded. \"There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through. One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don't go through the authorization endpoint where policies are enforced.\"","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fazure-cli-password-spray-hits-at-least.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjlhMdp0ML_DO3inv2zhyphenhyphenoZ9CmB1ESRBbVh_YHPol3serW7D4zTsXPGVjF62GhEcvamH6fmTs0ZLguVOM72ynrL6ebpPxBgpCv3XeUJNCb4un1Ue4o1V5BjB4r9pEnW_t717d8d49ZdH4OPavLgNkov9VNaJDMruqwG65QoBkxpzFx8q7QofYHuH9gDie-O\u002Fs1600\u002Flogin.jpg","2026-07-01T05:46:03+00:00","2026-07-01T06:00:19.794809+00:00",8,[18,21,24,27,29],{"name":19,"type":20},"Azure CLI","product",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":26},"OAuth","technology",{"name":28,"type":26},"MFA",{"name":30,"type":20},"Conditional Access policies","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":31,"icon":33,"name":34,"slug":35},null,"Threat Intelligence","threat-intelligence",[37,42,47,52],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":53},{"id":31,"icon":33,"name":34,"slug":35},[]]