According to cybersecurity firm Huntress, the attacks originated from the IPv6 address range 2a0a:d683::/32, which is operated by internet infrastructure provider LSHIY LLC (AS32167).
"Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations," Huntress said in a statement. "The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry."
Researchers noted that the campaign stands out not only because of its scale but also because many of the affected organizations had Conditional Access Policies (CAPs) enabled. The attackers exploited the deprecated Resource Owner Password Credentials (ROPC) OAuth flow, allowing them to bypass certain Conditional Access protections.
ROPC is an outdated OAuth 2.0 authentication method in which users provide their usernames and passwords directly to a client application. The application then exchanges these credentials with an authorization server to obtain an access token. The authentication method was officially deprecated under OAuth 2.1 due to its security risks.
Microsoft has long advised organizations against using the ROPC authentication flow because it does not support multi-factor authentication (MFA).
"In most scenarios, more secure alternatives are available and recommended," Microsoft states. "This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable."
Huntress found that successful credential and token spray attacks occurred consistently between June 12 and June 21, 2026, compromising roughly two to four accounts each day. On June 19, attackers breached 12 user accounts, while the campaign intensified significantly on June 22, affecting 30 identities across 23 organizations.
Overall, the attackers compromised 78 user accounts spanning 64 organizations. Most of the malicious login attempts originated from infrastructure associated with LSHIY LLC, with some IP addresses resolving to the United States and others to China.
"These attacks are part of a large wave of credential spray attacks across a few different ASNs," Huntress said, adding that it has witnessed the volume of credential spray attacks surge by over 155 times across its customer base. "Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant."
Investigators believe the attackers primarily relied on previously leaked username and password combinations that organizations had failed to change after earlier data breaches. By exploiting the ROPC authentication flow, threat actors successfully accessed enterprise accounts even when MFA had been deployed, provided the security policies were not configured to cover Azure CLI ROPC logins.
The campaign succeeded in environments where:
- MFA was enforced only for selected cloud applications instead of all cloud apps, leaving Azure CLI logins unprotected.
- MFA requirements applied only to specific user groups, such as administrators.
- MFA was triggered only when login attempts originated from untrusted locations.
Huntress also revealed that eight affected organizations had not implemented any MFA policy.
"While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn't work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents."
To reduce the risk of similar attacks, researchers recommend enforcing MFA for all users, all cloud applications, and all client application types when implementing Conditional Access Policies. Organizations should also restrict Azure CLI access for non-administrative users and prioritize incident response based on credential validity.
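As an added illustration (not Huntress's tooling or the article's own material), the following script shows how a defender could triage sign-in log records for the gap described above: successful ROPC sign-ins that no Conditional Access policy evaluated, plus failed ROPC attempts grouped by source to surface spraying infrastructure. The records are constructed samples, and the field names are assumptions loosely modelled on Entra ID sign-in log attributes rather than a verified schema.

```python
import ipaddress
from collections import Counter

# Constructed sample sign-in records (not real log data). Field names are
# assumptions modelled loosely on Entra ID sign-in logs; error codes 50126
# (bad credentials) and 53003 (blocked by Conditional Access) are real values.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "protocol": "ropc", "app": "Microsoft Azure CLI",
     "ip": "2a0a:d683:1::10", "ca": "notApplied", "error": 0},
    {"user": "bob@example.com", "protocol": "ropc", "app": "Microsoft Azure CLI",
     "ip": "2a0a:d683:2::7", "ca": "notApplied", "error": 50126},
    {"user": "bob@example.com", "protocol": "ropc", "app": "Microsoft Azure CLI",
     "ip": "2a0a:d683:2::7", "ca": "notApplied", "error": 50126},
    {"user": "carol@example.com", "protocol": "oAuth2", "app": "Office 365",
     "ip": "203.0.113.5", "ca": "success", "error": 0},
    {"user": "dave@example.com", "protocol": "ropc", "app": "Microsoft Azure CLI",
     "ip": "198.51.100.9", "ca": "failure", "error": 53003},
]

# The IPv6 range the report attributes the campaign to.
WATCHED_PREFIXES = [ipaddress.ip_network("2a0a:d683::/32")]

def in_watched_range(ip: str) -> bool:
    """True if the address falls inside a watched prefix (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in WATCHED_PREFIXES)

def find_ropc_ca_bypass(signins):
    """Successful ROPC sign-ins that no Conditional Access policy evaluated."""
    return [s for s in signins
            if s["protocol"] == "ropc" and s["error"] == 0 and s["ca"] == "notApplied"]

def failed_ropc_by_source(signins):
    """Failed ROPC attempts per source IP, to spot spraying infrastructure."""
    return Counter(s["ip"] for s in signins
                   if s["protocol"] == "ropc" and s["error"] != 0)

def triage(signins):
    """Summarise likely compromises and noisy sources for an analyst."""
    bypass = find_ropc_ca_bypass(signins)
    return {
        "compromised_users": sorted({s["user"] for s in bypass}),
        "from_watched_range": sorted({s["user"] for s in bypass
                                      if in_watched_range(s["ip"])}),
        "spray_sources": dict(failed_ropc_by_source(signins)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS))
```

The sign-in blocked with a Conditional Access failure is deliberately not flagged, since that is the policy working as intended; only the ROPC success that policies never evaluated is reported.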
"This attack reveals cracks in CAPs that haven't been appropriately configured," Huntress researchers concluded. "There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through. One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don't go through the authorization endpoint where policies are enforced."