Published on July 1, 2026
Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
Severity
Medium
Detail
Cybersecurity researchers have uncovered a large-scale automated password spraying campaign targeting Microsoft’s Azure Command-Line Interface (CLI). According to Huntress, the attackers made more than 81 million login attempts between June 12 and June 26, 2026, successfully compromising 78 Microsoft accounts across 64 organizations.
The campaign is particularly concerning because it abused a deprecated OAuth authentication flow to bypass improperly configured Conditional Access Policies (CAP), allowing attackers to authenticate even in environments with multi-factor authentication (MFA) enabled.
How?
The attackers launched a high-volume password spraying campaign using previously breached username and password combinations that had not been changed. The activity primarily originated from an IPv6 address range associated with LSHIY LLC and targeted organizations across multiple industries indiscriminately.
Rather than using standard authentication methods, the threat actors exploited the deprecated Resource Owner Password Credentials (ROPC) OAuth flow, which allows applications to exchange usernames and passwords directly for access tokens. Because ROPC bypasses the normal authorization process, poorly configured Conditional Access Policies failed to enforce MFA for Azure CLI logins.
As a result, organizations that limited MFA enforcement to specific applications, user groups, or trusted locations remained vulnerable. The researchers observed successful account compromises throughout the campaign, with attack activity significantly increasing after June 22 and ultimately affecting 64 organizations.
Conclusion
This campaign highlights how legacy authentication methods and misconfigured Conditional Access Policies can undermine otherwise effective security controls. While MFA remains a critical defense, organizations must ensure it is consistently enforced across all users, cloud applications, and client application types, including Azure CLI authentication.
To reduce the risk of similar attacks, organizations should disable legacy authentication methods such as ROPC where possible, require MFA for all users and cloud applications, restrict Azure CLI access to authorized administrators, rotate previously exposed credentials, and continuously monitor for password spraying activity and abnormal authentication attempts.
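One way to monitor for the pattern described above, as an added example that is not code from Huntress or the source article: it flags sources that attempt ROPC sign-ins to Azure CLI against many accounts and lists the accounts where a sign-in succeeded. The field names follow the Microsoft Graph signIn resource and are an assumption about your log export; the records, addresses and the `min_users` threshold are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def _ev(user, ip, code, proto="ropc", app="Microsoft Azure CLI"):
    """Build one constructed sign-in record (assumed signIn-style field names)."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample data; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
SAMPLE = [
    _ev("alice@example.com", "2001:db8:1:1::a", 50126),  # 50126: bad credentials
    _ev("bob@example.com", "2001:db8:1:1::b", 50126),
    _ev("carol@example.com", "2001:db8:1:1::c", 50126),
    _ev("dave@example.com", "2001:db8:1:1::d", 0),       # 0: sign-in succeeded
    _ev("erin@example.com", "192.0.2.10", 50126),        # single user, below threshold
    _ev("alice@example.com", "192.0.2.20", 0, proto="oAuth2"),  # not ROPC, ignored
]


def source_key(ip):
    """Collapse IPv6 sources to their /64 so address rotation inside a prefix still groups."""
    if ip_address(ip).version == 6:
        return str(ip_network(f"{ip}/64", strict=False))
    return ip


def detect_ropc_spray(events, min_users=3):
    """Return sources that tried ROPC Azure CLI sign-ins against >= min_users accounts."""
    seen = defaultdict(lambda: {"failed": set(), "succeeded": set()})
    for e in events:
        if e.get("authenticationProtocol") != "ropc":
            continue
        if e.get("appDisplayName") != "Microsoft Azure CLI":
            continue
        user = e["userPrincipalName"].lower()
        outcome = "succeeded" if e["status"]["errorCode"] == 0 else "failed"
        seen[source_key(e["ipAddress"])][outcome].add(user)
    findings = {}
    for src, b in seen.items():
        targeted = b["failed"] | b["succeeded"]
        if len(targeted) >= min_users:
            # Accounts in "rotate" authenticated with a password alone and need new credentials.
            findings[src] = {"targeted": len(targeted), "rotate": sorted(b["succeeded"])}
    return findings


if __name__ == "__main__":
    print(detect_ropc_spray(SAMPLE))
```

Any account listed under `rotate` authenticated through ROPC from a spraying source, so its password should be reset and the Conditional Access coverage for that user reviewed.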
Source
https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html
