Massive Azure CLI Password Spray Campaign Targets Microsoft 365, Over 81 Million Login Attempts Detected

Cybersecurity company Huntress has uncovered a large-scale password spray campaign targeting Microsoft 365 environments through the Azure CLI, resulting in millions of malicious login attempts and multiple account compromises.

According to the company, between June 12 and June 21, attackers carried out more than 81 million login attempts against customer environments. The campaign led to the compromise of 78 user accounts across 64 organizations.

During the two-week period, threat actors were found compromising between two and four accounts each day. However, activity surged around June 22, when 23 organizations were reportedly affected in a single spike.

Huntress' investigation revealed that the majority of the login attempts originated from Autonomous System (AS) 32167, which is associated with internet hosting provider LSHIY LLC.

“These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base,” the cybersecurity company says.

The company also observed a sharp increase in password spray attacks during late May and early June, impacting multiple organizations. Huntress believes the campaign primarily relied on previously compromised username-password combination lists.

As part of the attack, the threat actors exploited the OAuth Resource Owner Password Credentials (ROPC) authentication flow to validate user credentials. Although this authentication method has been deprecated in OAuth 2.1, it still allows attackers to obtain a new user-delegated access token when valid credentials are provided.

Because of this authentication flow, attackers were able to compromise accounts even when multi-factor authentication (MFA) was enabled, provided that MFA policies were not configured to protect the OAuth ROPC authentication process.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” Huntress explains.

Further analysis of the affected environments showed several weaknesses in MFA implementation. In some organizations, MFA was applied only to specific cloud applications or user groups. Others enforced MFA only for logins from untrusted locations, while some had deployed MFA policies that were never actively enforced.

“It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all. While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the cybersecurity firm notes.

Huntress also traced the attack traffic to IPv6 address ranges linked to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Previous reports have also associated IPv6 ranges operated under AS32167 and AS955 with infrastructure originating from China.

The cybersecurity firm said it reported the malicious activity to LSHIY through the provider's abuse reporting mechanism but did not receive any response.

Over 81 Million Azure CLI Login Attempts Detected in Massive Password Spray Attack, 78 Microsoft Accounts Compromised

Cybersecurity researchers have uncovered a large-scale automated password spray campaign targeting Microsoft's Azure Command-Line Interface (CLI), resulting in the compromise of dozens of Microsoft accounts across multiple organizations.

According to cybersecurity firm Huntress, the attacks originated from the IPv6 address range 2a0a:d683::/32, which is operated by internet infrastructure provider LSHIY LLC (AS32167).

"Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations," Huntress said in a statement. "The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry."

Researchers noted that the campaign stands out not only because of its scale but also because many of the affected organizations had Conditional Access Policies (CAPs) enabled. The attackers exploited the deprecated Resource Owner Password Credentials (ROPC) OAuth flow, allowing them to bypass certain Conditional Access protections.

ROPC is an outdated OAuth 2.0 authentication method in which users provide their usernames and passwords directly to a client application. The application then exchanges these credentials with an authorization server to obtain an access token. The authentication method was officially deprecated under OAuth 2.1 due to its security risks.

Microsoft has long advised organizations against using the ROPC authentication flow because it does not support multi-factor authentication (MFA).

"In most scenarios, more secure alternatives are available and recommended," Microsoft states. "This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable."

Huntress found that successful credential and token spray attacks occurred consistently between June 12 and June 21, 2026, compromising roughly two to four accounts each day. On June 19, attackers breached 12 user accounts, while the campaign intensified significantly on June 22, affecting 30 identities across 23 organizations.

Overall, the attackers compromised 78 user accounts spanning 64 organizations. Most of the malicious login attempts originated from infrastructure associated with LSHIY LLC, with some IP addresses resolving to the United States and others to China.

"These attacks are part of a large wave of credential spray attacks across a few different ASNs," Huntress said, adding that it has witnessed the volume of credential spray attacks surge by over 155 times across its customer base. "Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant."

Investigators believe the attackers primarily relied on previously leaked username and password combinations that organizations had failed to change after earlier data breaches. By exploiting the ROPC authentication flow, threat actors successfully accessed enterprise accounts even when MFA had been deployed, provided the security policies were not configured to cover Azure CLI ROPC logins.

The campaign succeeded in environments where:

  • MFA was enforced only for selected cloud applications instead of all cloud apps, leaving Azure CLI logins unprotected.
  • MFA requirements applied only to specific user groups, such as administrators.
  • MFA was triggered only when login attempts originated from untrusted locations.

Huntress also revealed that eight affected organizations had not implemented any MFA policy.

"While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn't work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents."

To reduce the risk of similar attacks, researchers recommend enforcing MFA for all users, all cloud applications, and all client application types when implementing Conditional Access Policies. Organizations should also restrict Azure CLI access for non-administrative users and prioritize incident response based on credential validity.

"This attack reveals cracks in CAPs that haven't been appropriately configured," Huntress researchers concluded. "There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through. One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don't go through the authorization endpoint where policies are enforced."
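As an added example (not code from Huntress or Microsoft), the following Python check flags the three MFA coverage gaps listed above, plus an unenforced policy state and a client-app-type scope that leaves Azure CLI out, in a Conditional Access policy written in the Microsoft Graph conditionalAccessPolicy JSON shape. The two sample policies and the group-id placeholder are constructed for illustration.

```python
# Added example, not Huntress' or Microsoft's code. Flags the MFA coverage gaps
# described in the article for an Entra Conditional Access policy given in the
# Microsoft Graph conditionalAccessPolicy JSON shape. Sample policies are constructed.

def cap_gaps(policy):
    # Returns coverage gaps; empty means all users, all apps, all client types, everywhere.
    cond = policy.get("conditions", {})
    gaps = []
    if policy.get("state") != "enabled":  # report-only or disabled = never enforced
        gaps.append("policy not enforced (state != enabled)")
    if "mfa" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        gaps.append("grant controls do not require mfa")
    apps = cond.get("applications", {}).get("includeApplications")
    if apps != ["All"]:  # gap 1: selected cloud apps only
        gaps.append(f"applications scoped to {apps}; Azure CLI token requests uncovered")
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"] or users.get("excludeGroups"):
        gaps.append("users scoped to specific groups, not All")  # gap 2
    locs = cond.get("locations") or {}
    if locs.get("excludeLocations") or (locs and locs.get("includeLocations") != ["All"]):
        gaps.append("MFA required only outside trusted locations")  # gap 3
    if cond.get("clientAppTypes") != ["all"]:  # Azure CLI is not a browser client
        gaps.append("clientAppTypes does not cover all client types")
    return gaps

# Constructed weak policy, shaped like the gaps seen in the compromised tenants.
WEAK_POLICY = {
    "displayName": "MFA for admins outside the office",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["<admins-group-id-placeholder>"]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed hardened policy per the recommendation: all users, all apps, all clients.
HARDENED_POLICY = {
    "displayName": "Require MFA for all users and all apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```

Policies pulled from the Graph endpoint `/identity/conditionalAccess/policies` can be fed to `cap_gaps` one by one; a tenant is covered only if at least one enabled policy returns no gaps.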