Massive Password Spray Campaign Targeting Azure CLI
Hackers conducted 81M+ password spray attacks on Azure CLI targeting Microsoft 365 across 64 organizations.
Summary
A massive credential spray campaign exploited the deprecated OAuth ROPC flow to compromise 78 user accounts across 64 organizations between June 12-21. Attackers made over 81 million login attempts originating from AS32167 (LSHIY LLC), succeeding despite some MFA implementations due to improper MFA configuration that failed to cover OAuth ROPC authentication flows. The campaign highlights how weak MFA policies and reliance on deprecated authentication methods can undermine security controls.
Full text
Threat actors are compromising Microsoft 365 environments in a massive password spray campaign targeting the Azure CLI, cybersecurity firm Huntress warns.

Between June 12 and 21, the company observed over 81 million login attempts against its customers, with 78 user accounts across 64 organizations already compromised. During the two-week window, the hackers compromised 2-4 accounts daily, with a spike around June 22, when 23 businesses were compromised.

According to Huntress, most of the login attempts originated from AS32167, an autonomous system linked to internet hosting provider LSHIY LLC.

“These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base,” the cybersecurity company says.

Huntress noticed a surge in password spray attacks in late May and early June, across multiple businesses. The attacks seem to be based entirely on compromised password combo lists, it says.

As part of the Azure campaign, the attackers have relied on the OAuth ROPC (Resource Owner Password Credentials) flow to validate credentials. Deprecated in OAuth 2.1, this auth flow mints a new user-delegated token when it receives valid credentials. This means that, even if multi-factor authentication (MFA) is enabled, the attackers can successfully compromise accounts if the MFA has not been configured to cover the OAuth ROPC authentication flow.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” Huntress explains.
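The spray pattern described above (many failed logins against many accounts from one hosting ASN, with a handful of successes via the non-interactive ROPC flow) can be surfaced from sign-in logs. The following is an added detection example, not Huntress's or Microsoft's tooling; the record shape borrows a subset of the Microsoft Graph signIn resource field names (authenticationProtocol, autonomousSystemNumber, status.errorCode), which is an assumption to check against your own export, and the log lines are constructed.

```python
"""Detect a ROPC-based password spray in Entra ID sign-in records."""
import json
from collections import defaultdict

# Constructed sample records (not real data): one hosting ASN spraying a dozen
# accounts, two successes through the non-interactive ROPC flow, plus one
# benign interactive sign-in from an unrelated ASN.
SAMPLE_LOG = json.dumps([
    {"userPrincipalName": f"user{i}@example.test", "ipAddress": "203.0.113.7",
     "autonomousSystemNumber": 64500, "authenticationProtocol": "ropc",
     "status": {"errorCode": 50126}}  # AADSTS50126: invalid username or password
    for i in range(12)
] + [
    {"userPrincipalName": "user3@example.test", "ipAddress": "203.0.113.7",
     "autonomousSystemNumber": 64500, "authenticationProtocol": "ropc",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "user9@example.test", "ipAddress": "203.0.113.9",
     "autonomousSystemNumber": 64500, "authenticationProtocol": "ropc",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.2",
     "autonomousSystemNumber": 64496, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
])


def analyze(log_json, min_users=10):
    """Group sign-ins by source ASN; report ASNs that failed against at least
    min_users distinct accounts, together with any ROPC successes they had."""
    by_asn = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for rec in json.loads(log_json):
        stats = by_asn[rec["autonomousSystemNumber"]]
        if rec["status"]["errorCode"] == 0:
            stats["successes"].append(rec)
        else:
            stats["failures"] += 1
            stats["users"].add(rec["userPrincipalName"])
    findings = []
    for asn, s in by_asn.items():
        if len(s["users"]) < min_users:
            continue  # too few distinct targets to call it a spray
        ropc_hits = [r["userPrincipalName"] for r in s["successes"]
                     if r["authenticationProtocol"] == "ropc"]
        findings.append({"asn": asn, "failures": s["failures"],
                         "targeted_users": len(s["users"]),
                         "ropc_successes": sorted(ropc_hits)})
    return findings
```

A success listed under ropc_successes is a token issued without an interactive MFA prompt and is the account to reset first.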
Analyzing some of the compromises, Huntress discovered that the MFA configurations had certain weaknesses: MFA was not enforced for all cloud applications, was enforced for certain user groups only, was required for non-trusted locations only, or was implemented and never enforced.

“It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all. While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the cybersecurity firm notes.

The IPv6 address range from which the attacks originated belongs to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Other reports also place the IPv6 ranges associated with AS32167 and AS955, two ASNs operated by the firm, in China.

Huntress says it reported the malicious activity to LSHIY via its abuse reporting mechanism, but received no response.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
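The four policy weaknesses listed above can be checked mechanically against an export of a tenant's Conditional Access policies. This is an added example, not Microsoft's or Huntress's code; it assumes the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, conditions.locations, grantControls.builtInControls), and the sample policies are constructed, with the group id a labelled placeholder.

```python
"""Audit Conditional Access policies for gaps that leave ROPC sign-ins without MFA."""


def policy_gaps(p):
    """Return the reasons this policy does not force MFA on every sign-in."""
    gaps = []
    c = p.get("conditions") or {}
    if p.get("state") != "enabled":          # report-only or disabled: never enforced
        gaps.append("not enforced (state=%s)" % p.get("state"))
    if "mfa" not in ((p.get("grantControls") or {}).get("builtInControls") or []):
        gaps.append("does not require MFA")
    if (c.get("applications") or {}).get("includeApplications") != ["All"]:
        gaps.append("not all cloud apps")   # ROPC against an unlisted app is uncovered
    u = c.get("users") or {}
    if u.get("includeUsers") != ["All"] or u.get("excludeGroups"):
        gaps.append("not all users")
    loc = c.get("locations")
    if loc and (loc.get("includeLocations") != ["All"] or loc.get("excludeLocations")):
        gaps.append("location-scoped (trusted locations exempt)")
    return gaps


def tenant_covered(policies):
    """True if at least one policy enforces MFA for all users, apps and locations."""
    return any(not policy_gaps(p) for p in policies)


# Constructed samples, one per weakness named in the article.
SAMPLES = [
    {"displayName": "MFA for Office 365 only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA for admins group", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeGroups": ["<admins-group-id-placeholder>"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA outside trusted sites", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA report-only", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
# The corrected policy: enabled, every user, every app, no location carve-out.
GOOD = {"displayName": "Require MFA everywhere", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "users": {"includeUsers": ["All"]}},
        "grantControls": {"builtInControls": ["mfa"]}}
```

Running tenant_covered over a real export answers the question the article raises: whether any single policy closes the ROPC path rather than leaving it to a patchwork of partial ones.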