Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/CyberSecurity News/Automated Password Spray Attacks Target Microsoft Azure CLI
CyberSecurity News

Automated Password Spray Attacks Target Microsoft Azure CLI

Key Takeaways An extensive automated password spray campaign is targeting Microsoft Azure CLI and Entra ID accounts. The attackers exploit legacy OAuth Resource Owner Password Credentials (ROPC)...

Jennifer sherman
Jennifer sherman
July 1, 2026 4 Min Read
3 0

Key Takeaways

  • An extensive automated password spray campaign is targeting Microsoft Azure CLI and Entra ID accounts.
  • The attackers exploit legacy OAuth Resource Owner Password Credentials (ROPC) flows to bypass multi-factor authentication (MFA) protections.
  • Over 81 million login attempts were observed, compromising at least 78 accounts across 64 organizations within a two-week period.
  • The campaign leverages previously exposed credentials and originates primarily from IP ranges linked to LSHIY LLC, an internet infrastructure provider with suspected ties to China.
  • Organizations must reconfigure Conditional Access Policies (CAPs) to block ROPC and enforce MFA broadly across all users, applications, and client types.

A sophisticated, large-scale automated password spray campaign is actively exploiting Microsoft’s Azure Command-Line Interface (CLI) and outdated OAuth mechanisms to compromise Entra ID accounts. This ongoing threat circumvents multi-factor authentication (MFA) in many affected organizations, posing a significant risk to cloud environments.

Table Of Content

  • Key Takeaways
  • Campaign Scope and Impact
  • Attack Origins and Infrastructure
  • Exploiting Legacy OAuth Flows
  • What You Should Do

Cybersecurity firm Huntress has been monitoring this persistent password and token spraying activity, specifically targeting Microsoft 365 and Azure CLI logins. A notable surge in this campaign was observed between June 12 and June 26, 2026.

Campaign Scope and Impact

During this two-week period, the attackers initiated more than 81 million login attempts against Huntress’s customer tenants. This relentless assault resulted in the successful compromise of at least 78 Microsoft accounts spanning 64 distinct organizations.

Initially, the daily rate of compromises remained relatively low, typically affecting two to four accounts per day. However, this escalated sharply on June 22, when 30 user identities across 23 businesses were compromised, signaling a significant intensification of the campaign.

This attack is part of a broader trend of escalating credential spraying. Huntress reports a staggering 155-fold increase in credential spray volume across its customer base over the last six months. Currently, tenants experience an average of 1,964 failed attacks monthly, with a median of 804.

Target selection in this campaign appears opportunistic, driven by the availability of username-password combinations in existing breach data rather than specific industry verticals. This suggests attackers are leveraging previously compromised credentials that have not been rotated by users.

Daily Compromises (Source: HUNTRESS)

Attack Origins and Infrastructure

The majority of the observed attack traffic originates from the IPv6 address range 2a0a:d683::/32, which is advertised under autonomous system AS32167. This ASN is attributed to LSHIY LLC, an internet infrastructure provider. LSHIY operates at least two ASNs—AS32167, registered in June 2021, and AS955, registered in June 2022. Third-party telemetry consistently links their IPv6 prefixes to Chinese origin.

Corporate registration documents further connect LSHIY to factory addresses in Hong Kong and Wuhan, as well as a shared office space at 42 Broadway in New York. This complex setup likely serves to obfuscate the true operational ownership of the entity. Huntress has submitted abuse reports to LSHIY regarding the observed malicious activity but has not yet received a response.

Exploiting Legacy OAuth Flows

The threat actor’s methodology involves replaying old username-password pairs, previously exposed in data breaches but never updated, and validating them through the OAuth Resource Owner Password Credentials (ROPC) flow utilized by Azure CLI.

ROPC, a flow deprecated in OAuth 2.1, directly exchanges a raw username and password at the token endpoint to issue user-delegated access tokens without requiring an interactive authorization step. This is critical because Conditional Access Policies (CAPs) typically enforce MFA at the authorization endpoint. By bypassing this endpoint, ROPC can circumvent inadequately configured policies, allowing tokens to be issued without an MFA challenge.

Huntress found that many compromised tenants had MFA and CAPs deployed but suffered from critical configuration gaps. Common misconfigurations included scoping MFA to specific cloud applications instead of “All Cloud Apps,” restricting MFA enforcement solely to privileged groups like administrators, limiting MFA to non-trusted geographical locations, and leaving policies in a report-only mode, which logs events but does not enforce controls.

In several instances, geolocation inaccuracies erroneously identified attacking IPs as U.S. addresses. This allowed them to bypass “trusted location” logic, even when other telemetry clearly indicated their true origin in China.

Misconfiguration type Effect on attack Why it failed against Azure CLI
MFA only for specific apps Azure CLI sign-ins not covered CAP never evaluated Azure CLI as an enforced app.
MFA only for certain groups Non-admin identities unprotected Spray focused on users outside protected groups.
MFA only for non-trusted locations Geo-mislabeled IPs treated as trusted Inaccurate IP geolocation bypassed location conditions.
Report-only CAP policies No actual blocking or prompts Policies logged events but did not enforce controls.
Legacy ROPC left enabled MFA not invoked on token endpoint ROPC never hit the authorization endpoint where CAP runs.

What You Should Do

  • Block ROPC and Legacy Authentication: Treat Azure CLI and ROPC as high-risk surfaces. Disable legacy grants and authentication protocols within your tenant.
  • Enforce MFA Broadly: Configure Conditional Access Policies (CAPs) to require MFA for “All users,” “All cloud apps,” and “All client app types.” Do not scope MFA only to specific applications or privileged groups.
  • Strengthen Client-Level Authentication: Implement strong authentication at the client level using settings like userStrongAuthClientAuthNRequired to prevent ROPC-based token grants.
  • Restrict Azure CLI Access: Where feasible, restrict Azure CLI access to only those non-admin users who genuinely require it, or explicitly block it via dedicated CAP rules.
  • Refine Named Locations: Continuously review and tighten named locations within your CAPs to accurately reflect trusted network boundaries and prevent geolocation bypasses.
  • Test CAP Configurations: Regularly test the behavior of your CAPs using tools such as Microsoft’s “What If” simulator to identify any report-only or excluded policies that might leave gaps in your security posture.
  • Monitor for Anomalous Activity: Implement robust logging and monitoring for failed login attempts, unusual access patterns, and token issuance via ROPC flows.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Reduce Alert Fatigue to Improve SOC Efficiency and Cut Business Costs

Next Post

Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us