- A massive, automated password spray attack originating from an IPv6 address range controlled by LSHIY LLC made over 81 million login attempts against Microsoft’s Azure CLI between June 12 and 26, 2026.
- The campaign successfully compromised at least 78 Microsoft accounts across 64 organizations by exploiting a deprecated OAuth flow to bypass Conditional Access policies.
- Many impacted organizations had Multi-Factor Authentication (MFA), but it was not enforced for the specific authorization flow or client application used by the attackers.
- The attack specifically weaponized old, breached username/password combinations that had never been rotated by the users.
- Cybersecurity firm Huntress reported that credential spray attempts across its customer base surged more than 155-fold.
Cybersecurity researchers have uncovered a massive, automated campaign compromising dozens of Microsoft accounts by exploiting a deprecated authentication flow. This ongoing password spray attack, detected by Huntress, targeted Microsoft’s Azure command-line interface (CLI) from June 12 to June 26, 2026.
Originating from an IPv6 address range controlled by LSHIY LLC, the threat actor made more than 81 million login attempts during that period. Consequently, they successfully compromised at least 78 user accounts spread across 64 different organizations.
However, the attack’s scale is not its only notable feature. The campaign leveraged a deprecated OAuth flow called Resource Owner Password Credentials (ROPC), in which the client submits the user’s name and password directly to the token endpoint, to bypass Conditional Access policy protections.
Microsoft explicitly recommends against using ROPC, because the flow cannot complete a multi-factor authentication challenge. “In most scenarios, more secure alternatives are available and recommended,” the company says in its documentation.
The credential spray produced a handful of successful logins each day, averaging two to four compromised accounts. Activity peaked on June 22, when 30 identities across 23 businesses were compromised in a single day.
These attacks specifically weaponized old username and password combinations from prior breaches that users had never rotated. Because a ROPC sign-in cannot satisfy an MFA requirement, a stale but still-valid password succeeds only where no Conditional Access policy requires MFA for that user and application; the ROPC vector therefore let the attackers pick out enterprises where MFA was not enforced for Azure CLI logins.
Common misconfigurations included enforcing MFA only for specific apps or user groups, like Admins. Additionally, eight impacted businesses had no MFA policy at all.
Huntress researchers concluded the attack reveals cracks in poorly configured Conditional Access Policies. “One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely,” they stated.
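The following is an added example, not Huntress’ tooling or code from the article: it triages a batch of Entra ID sign-in records for the pattern described above (one source spraying many users over ROPC, with the occasional no-MFA success) and then checks which Conditional Access policies would have covered each successful sign-in. The sign-in records, the IPv6 source, the group membership and the policy definitions are constructed for illustration; field names follow the Microsoft Graph signIn resource. The Azure CLI client ID is the well-known public value, and “Microsoft Azure Management” is assumed to be the cloud-app target a Conditional Access policy would name to cover Azure CLI; both should be confirmed against your own tenant’s logs.

```python
# Added example (not Huntress' tooling or the article's own code): triage constructed
# Entra ID sign-in records for a ROPC password spray and evaluate whether a given set of
# Conditional Access (CA) policies would have blocked each successful ROPC sign-in.
from collections import defaultdict
from dataclasses import dataclass

# Well-known public client ID of Azure CLI (assumed unchanged; verify in your logs).
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Assumed CA cloud-app target that covers ARM / Azure CLI sign-ins.
ARM = "Microsoft Azure Management"


def rec(upn, ip, ok, proto="ropc", app=AZURE_CLI, resource=ARM, mfa=False):
    """Build a constructed sign-in record shaped like a Graph signIn object."""
    return {
        "userPrincipalName": upn, "ipAddress": ip, "appId": app,
        "resourceDisplayName": resource, "authenticationProtocol": proto,
        # errorCode 0 = success; 50126 = invalid username or password
        "status": {"errorCode": 0 if ok else 50126},
        "authenticationRequirement": "multiFactorAuthentication" if mfa
                                     else "singleFactorAuthentication",
    }


SPRAY_IP = "2001:db8:1::10"  # constructed IPv6 source, not the real attacker range
SIGNINS = [  # constructed sample: five failures and one stale-password success from one IP
    rec("alice@corp.example", SPRAY_IP, False),
    rec("bob@corp.example", SPRAY_IP, False),
    rec("carol@corp.example", SPRAY_IP, False),
    rec("dave@corp.example", SPRAY_IP, True),   # breached password never rotated
    rec("erin@corp.example", SPRAY_IP, False),
    rec("admin@corp.example", SPRAY_IP, False),
    rec("alice@corp.example", "198.51.100.7", True, proto="oAuth2", mfa=True),  # normal login
]


def spray_summary(records, min_users=3):
    """Group attempts by source IP; keep sources that hit many distinct users with failures."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0, "compromised": []})
    for r in records:
        s = per_ip[r["ipAddress"]]
        s["attempts"] += 1
        s["users"].add(r["userPrincipalName"])
        if r["status"]["errorCode"] != 0:
            s["failures"] += 1
        elif r["authenticationRequirement"] == "singleFactorAuthentication":
            s["compromised"].append(r["userPrincipalName"])  # success with no MFA step
    return {ip: s for ip, s in per_ip.items() if len(s["users"]) >= min_users and s["failures"]}


@dataclass(frozen=True)
class CAPolicy:
    name: str
    groups: frozenset     # empty = "All users"
    resources: frozenset  # empty = "All cloud apps"
    require_mfa: bool


GROUPS = {"admin@corp.example": {"Admins"}}  # constructed group membership


def covering_policies(policies, r):
    """Policies whose user and cloud-app scope both include this sign-in."""
    user_groups = GROUPS.get(r["userPrincipalName"], set())
    return [p for p in policies
            if (not p.groups or p.groups & user_groups)
            and (not p.resources or r["resourceDisplayName"] in p.resources)]


def would_block(policies, r):
    """ROPC cannot satisfy an MFA grant, so any covering MFA policy blocks the sign-in."""
    return (r["authenticationProtocol"] == "ropc"
            and any(p.require_mfa for p in covering_policies(policies, r)))


# The two misconfigurations the article describes: MFA only for a privileged group, or
# MFA only for a specific app that is not the one Azure CLI talks to.
WEAK = [CAPolicy("MFA for Admins group only", frozenset({"Admins"}), frozenset(), True),
        CAPolicy("MFA for Office 365 only", frozenset(), frozenset({"Office 365"}), True)]
HARDENED = [CAPolicy("MFA for all users, all apps", frozenset(), frozenset(), True)]


def compromised_under(policies, records):
    """Users whose successful ROPC sign-in would have survived the given policy set."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["status"]["errorCode"] == 0
                   and r["authenticationProtocol"] == "ropc"
                   and not would_block(policies, r)})


if __name__ == "__main__":
    for ip, s in spray_summary(SIGNINS).items():
        print(f"{ip}: {s['attempts']} attempts, {len(s['users'])} users, "
              f"{s['failures']} failures, compromised={s['compromised']}")
    print("weak CA set leaves compromised:", compromised_under(WEAK, SIGNINS))
    print("hardened CA set leaves compromised:", compromised_under(HARDENED, SIGNINS))
```

The policy model deliberately reduces Conditional Access to two scopes (users/groups and cloud apps) and one grant (require MFA), because that is exactly the gap the article describes: a policy scoped to the Admins group or to a single application never covers a regular user’s Azure CLI sign-in, so the ROPC success is never challenged. When running the same triage on real Graph sign-in exports, filter on `authenticationProtocol == "ropc"` and the Azure CLI `appId` first, then review `conditionalAccessStatus` on the successes; a value of `notApplied` on a successful ROPC sign-in is the concrete signal that no policy reached it.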
