Massive Password Spray Campaign Targets Azure CLI


What happened

A massive password spray campaign is targeting Microsoft 365 environments through Azure CLI authentication.

Huntress warned that threat actors made more than 81 million login attempts against Microsoft customers between June 12 and June 21.

The campaign has already compromised 78 user accounts across 64 organizations. During the two-week window, attackers compromised two to four accounts per day, with a spike around June 22 when 23 businesses were compromised.

According to Huntress, most of the login attempts came from AS32167, an autonomous system associated with internet hosting provider LSHIY LLC.

Huntress said the attacks are part of a larger wave of credential spray activity across several autonomous systems. Over the past six months, the company has observed credential spray volume increase by more than 155 times across its customer base.

The campaign appears to rely on compromised password combo lists. Instead of using a single account and many passwords, password spraying typically tests a limited set of likely or previously exposed passwords across many accounts to avoid simple lockout thresholds.

In the Azure campaign, the attackers used the OAuth Resource Owner Password Credentials flow to validate credentials. This flow can mint a new user-delegated token when the correct username and password are supplied.

Huntress warned that attackers can still compromise accounts even when MFA exists if MFA policies do not cover the OAuth ROPC authentication flow.

The company found that some impacted organizations had MFA gaps. In some cases, MFA was not enforced for all cloud applications. In others, it was enforced only for certain user groups, required only for non-trusted locations, or implemented but not actually enforced.

Huntress also noted that eight impacted businesses had no MFA policy at all.
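The four gaps Huntress describes (policies scoped to some apps, some groups, or only untrusted locations, and policies in report-only mode) plus the fifth case of no MFA policy at all can be checked mechanically. The script below is an added example, not Huntress or Microsoft tooling: it audits policy records shaped like the Microsoft Graph conditionalAccessPolicy resource (the field names used here are an assumption about that shape), using constructed sample policies with placeholder app and group IDs.

```python
"""Audit Conditional Access policies for the MFA coverage gaps named in the article.

Added example with constructed policy records; the record layout follows the
Microsoft Graph conditionalAccessPolicy resource as assumed here. In practice the
input would be the policy list exported from the tenant.
"""


def _policy(name, state="enabled", include_users=("All",), include_groups=(),
            include_apps=("All",), locations=None, client_apps=("all",),
            controls=("mfa",)):
    """Build one policy record in the assumed Graph-like shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users),
                      "includeGroups": list(include_groups)},
            "applications": {"includeApplications": list(include_apps)},
            "locations": locations,
            "clientAppTypes": list(client_apps),
        },
        "grantControls": {"builtInControls": list(controls)},
    }


# Constructed sample: one comprehensive policy and one example of each gap.
# "app-id-placeholder" and "group-id-placeholder" stand in for real object IDs.
SAMPLE_POLICIES = [
    _policy("Require MFA: all users, all apps"),
    _policy("MFA for one app only", include_apps=("app-id-placeholder",)),
    _policy("MFA for finance group", include_users=(),
            include_groups=("group-id-placeholder",)),
    _policy("MFA outside the office",
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    _policy("MFA rollout (report-only)", state="enabledForReportingButNotEnforced"),
]


def mfa_gaps(policy):
    """List the coverage gaps in one policy. An empty list means the policy is
    enforced and requires MFA for every user, app, location and client type."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return ["does not require MFA"]
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("not enforced (state=%s)" % policy.get("state"))
    conds = policy.get("conditions") or {}
    if (conds.get("applications") or {}).get("includeApplications") != ["All"]:
        gaps.append("scoped to specific cloud apps")
    if (conds.get("users") or {}).get("includeUsers") != ["All"]:
        gaps.append("scoped to specific users/groups")
    excluded = (conds.get("locations") or {}).get("excludeLocations") or []
    if excluded:
        gaps.append("skipped from excluded locations: " + ", ".join(excluded))
    if conds.get("clientAppTypes") not in (None, ["all"]):
        gaps.append("limited to client app types: " + ", ".join(conds["clientAppTypes"]))
    return gaps


def audit(policies):
    """Map each MFA policy's name to its gaps (non-MFA policies are skipped)."""
    return {p["displayName"]: mfa_gaps(p) for p in policies
            if mfa_gaps(p) != ["does not require MFA"]}


def tenant_has_full_mfa(policies):
    """True only if at least one enforced policy covers everyone, everywhere.
    An empty policy list (the 'no MFA policy at all' case) returns False."""
    return any(mfa_gaps(p) == [] for p in policies)


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
    print("tenant fully covered:", tenant_has_full_mfa(SAMPLE_POLICIES))
```

The check looks only for the `mfa` built-in grant control; a tenant that expresses the requirement through an authentication strength instead would need an extra branch, and a policy that excludes a break-glass account is not flagged here, which is a deliberate choice rather than an oversight.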

Huntress said it reported the malicious activity to LSHIY through the provider’s abuse reporting mechanism but did not receive a response.

Who is affected

Microsoft 365 organizations are affected if attackers can test user credentials through Azure CLI authentication and OAuth ROPC flows.

The campaign is especially relevant to organizations with weak passwords, reused passwords, exposed credentials in combo lists, incomplete MFA enforcement, or conditional access policies that do not cover all authentication flows and cloud applications.

Businesses using Microsoft 365 should also pay attention if they rely on MFA in name only. Huntress found that some compromised organizations had MFA policies that were too narrow, inconsistently applied, or not enforced.

Why CISOs should care

This campaign shows that MFA can fail operationally if it is not enforced across the authentication paths attackers actually use. The issue is not that MFA has no value. The issue is that attackers are targeting flows where MFA may not be triggered.

For CISOs, OAuth ROPC deserves particular attention because it does not support modern interactive authentication experiences such as MFA or SSO in the same way newer flows do. If organizations leave this path available without proper controls, attackers can validate credentials and obtain tokens with only a username and password.

The scale of the campaign is also important. Huntress observed more than 81 million login attempts in less than two weeks, suggesting broad, automated credential testing rather than isolated targeting.

The increase in credential spray volume across Huntress customers also reinforces the need to treat identity telemetry as a primary detection surface. Password spray activity can be the first visible sign of a broader account takeover campaign.

3 practical actions

  1. Audit MFA coverage across all authentication flows: Huntress found that accounts were compromised even where MFA existed because policies did not cover the relevant OAuth ROPC flow. CISOs should verify that MFA and conditional access apply across cloud applications, user groups, locations, and legacy or non-interactive authentication paths.
  2. Block or restrict OAuth ROPC where possible: The campaign used ROPC to validate credentials and mint tokens. Security teams should disable or tightly restrict ROPC and other legacy authentication flows that bypass modern interactive MFA and SSO controls.
  3. Hunt for password spray activity in identity logs: The campaign involved more than 81 million login attempts and originated largely from infrastructure tied to LSHIY. Defenders should monitor failed login bursts, unusual Azure CLI sign-ins, repeated attempts across many accounts, successful logins after spray activity, and authentication attempts from suspicious ASNs.
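The hunting signals in action 3 (failure bursts across many accounts from one source, successful sign-ins following the spray, CLI volume from a hosting ASN) can be expressed as a small analysis over sign-in events. The script below is an added example and not Huntress tooling: the events are constructed, and the `asn` field is an assumed enrichment added at ingest by an IP-to-ASN lookup, since sign-in logs do not carry it natively.

```python
"""Hunt for password-spray patterns in sign-in telemetry.

Added example with constructed events; "asn" is an assumed enrichment field.
Keying on ASN rather than source IP catches sprays rotated across one
provider's address ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. One hosting ASN fails against many accounts from a
# CLI client within half a minute and then lands one success; the second source
# is an ordinary user mistyping a password once.
SAMPLE_EVENTS = [
    {"ts": "2026-06-13T01:00:05", "user": "alice@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "failure"},
    {"ts": "2026-06-13T01:00:09", "user": "bob@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "failure"},
    {"ts": "2026-06-13T01:00:14", "user": "carol@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "failure"},
    {"ts": "2026-06-13T01:00:20", "user": "dave@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "failure"},
    {"ts": "2026-06-13T01:00:27", "user": "erin@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "failure"},
    {"ts": "2026-06-13T01:00:33", "user": "frank@example.com", "asn": "AS32167", "app": "Microsoft Azure CLI", "result": "success"},
    {"ts": "2026-06-13T09:15:00", "user": "alice@example.com", "asn": "AS64500", "app": "Office 365", "result": "failure"},
    {"ts": "2026-06-13T09:15:30", "user": "alice@example.com", "asn": "AS64500", "app": "Office 365", "result": "success"},
]

WINDOW = timedelta(minutes=30)  # sliding window evaluated per source ASN
MIN_USERS = 5                   # distinct accounts failing from one source


def find_spray_sources(events, window=WINDOW, min_users=MIN_USERS):
    """Return {asn: ISO timestamp of the first failure in the triggering window}
    for every source whose failures hit >= min_users distinct accounts inside
    `window`. Spray is many accounts per source, not many tries per account."""
    failures = defaultdict(list)  # asn -> [(datetime, user)] in time order
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failure":
            failures[e["asn"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = {}
    for asn, rows in failures.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in rows[start:end + 1]}) >= min_users:
                flagged[asn] = rows[start][0].isoformat()
                break
    return flagged


def successes_after_spray(events, flagged):
    """Successful sign-ins from a flagged source at or after its spray began:
    the accounts to treat as likely compromised and investigate first.
    ISO-8601 timestamps without offsets compare correctly as plain strings."""
    return [
        (e["user"], e["app"], e["ts"])
        for e in sorted(events, key=lambda e: e["ts"])
        if e["result"] == "success"
        and e["asn"] in flagged
        and e["ts"] >= flagged[e["asn"]]
    ]


def failure_counts(events):
    """Failed sign-ins per (asn, app): unusual CLI volume from a hosting ASN
    is one of the signals the article lists."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            counts[(e["asn"], e["app"])] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = find_spray_sources(SAMPLE_EVENTS)
    print("spray sources:", flagged)
    print("successes after spray:", successes_after_spray(SAMPLE_EVENTS, flagged))
    print("failures by source/app:", failure_counts(SAMPLE_EVENTS))
```

Tune `WINDOW` and `MIN_USERS` to the tenant's baseline: a low-and-slow spray that stays under a per-account lockout threshold still shows up here because the detection counts distinct accounts per source, not attempts per account.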

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.