Massive Password Spray Attack Targets Microsoft 365 Users

A large-scale automated password spray campaign is abusing the Azure Command-Line Interface (CLI) client and the legacy OAuth password grant (Resource Owner Password Credentials, ROPC) to compromise Entra ID accounts, including in organizations that have multi-factor authentication (MFA) deployed.

Between June 12 and June 26, 2026, the campaign made more than 81 million login attempts against Microsoft 365 accounts through the Azure CLI, compromising at least 78 accounts across 64 organizations. Daily compromises initially ranged from two to four accounts but jumped to 30 user identities across 23 businesses on June 22, a marked escalation.

Credential spray volume has risen sharply, 155-fold over the past six months. Tenants now see an average of about 1,964 failed sign-in attempts per month, with a median of 804. The attackers appear to be replaying previously breached credentials that were never rotated, opportunistically rather than targeting specific industries.

Most of the attack traffic originates from the IPv6 range 2a0a:d683::/32, allocated to internet infrastructure provider LSHIY LLC. The company operates autonomous systems AS32167 and AS955, and its records point to addresses in Hong Kong, Wuhan and a shared office space in New York. Abuse reports have been submitted, but LSHIY has not responded.

The attackers take username and password pairs exposed in earlier breaches and validate them through the OAuth Resource Owner Password Credentials (ROPC) flow, which the Azure CLI supports for non-interactive sign-in. ROPC, which the OAuth 2.1 draft drops altogether, sends the raw credentials straight to the token endpoint and receives a user-delegated access token with no interactive authorization step. Because nothing in that exchange can carry out an MFA challenge, the outcome is binary: if an enforcing Conditional Access Policy (CAP) requiring MFA covers the user, app and location, the token request fails; if the policy scope leaves a gap, Entra ID issues the token on the password alone. Poorly configured CAPs therefore turn a validated stale password directly into a usable token, with no MFA prompt for the user to notice.
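As an added example, not code from the article or from the vendor that reported the campaign, the following Python shows what the ROPC exchange described above looks like at the token endpoint and how to read the answer. It builds the form body for the v2.0 endpoint using the Azure CLI's well-known public client ID and classifies the JSON reply, so a defender can point it at a throwaway test account in their own tenant and confirm that Conditional Access actually refuses the grant. The tenant name, account and the response bodies in the offline demonstration are placeholders; the AADSTS error codes are Microsoft's documented ones.

```python
"""ROPC token request builder plus a classifier for the token endpoint's reply.

Added example for checking your own tenant with a test account; not the article's code.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Well-known public client ID of the Azure CLI (first-party app, no client secret).
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Outcomes, from the defender's point of view.
TOKEN_ISSUED_NO_MFA = "TOKEN_ISSUED_NO_MFA"          # the gap the campaign relies on
BLOCKED_MFA_REQUIRED = "BLOCKED_MFA_REQUIRED"        # an enforcing MFA policy applied
BLOCKED_BY_CA = "BLOCKED_BY_CONDITIONAL_ACCESS"      # a block policy (e.g. on legacy auth) applied
INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
ACCOUNT_LOCKED = "ACCOUNT_LOCKED"


def build_ropc_request(tenant: str, username: str, password: str,
                       scope: str = "https://graph.microsoft.com/.default"):
    """Return (token_endpoint_url, urlencoded_body) for an ROPC grant.

    There is no browser, redirect or prompt anywhere in this flow, which is
    why ROPC can never satisfy an MFA requirement: Entra either issues a
    token on the raw password alone or refuses the request outright.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "password",
        "client_id": AZURE_CLI_CLIENT_ID,
        "scope": scope,
        "username": username,
        "password": password,
    }
    return url, urllib.parse.urlencode(form).encode()


def _error_codes(body: dict) -> set:
    """Collect AADSTS codes from both the `error_codes` array and the description text."""
    codes = {int(c) for c in body.get("error_codes", [])}
    desc = body.get("error_description", "")
    for token in desc.replace(":", " ").split():
        if token.startswith("AADSTS") and token[6:].isdigit():
            codes.add(int(token[6:]))
    return codes


def classify_token_response(body: dict) -> str:
    """Map a token-endpoint JSON body to what it says about the tenant's posture."""
    if "access_token" in body:
        return TOKEN_ISSUED_NO_MFA
    codes = _error_codes(body)
    if codes & {50076, 50079}:      # MFA required / must enrol: policy applied, ROPC cannot comply
        return BLOCKED_MFA_REQUIRED
    if 53003 in codes:              # "Access has been blocked by Conditional Access policies"
        return BLOCKED_BY_CA
    if 50126 in codes:              # invalid username or password
        return INVALID_CREDENTIALS
    if 50053 in codes:              # account locked (smart lockout) or IP blocked
        return ACCOUNT_LOCKED
    return "OTHER:" + body.get("error", "unknown")


def probe(tenant: str, username: str, password: str) -> str:
    """Send one ROPC request and classify the reply. Only run against a tenant you own."""
    url, data = build_ropc_request(tenant, username, password)
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_token_response(json.load(resp))
    except urllib.error.HTTPError as e:          # Entra returns 400/401 with a JSON error body
        return classify_token_response(json.load(e))


if __name__ == "__main__":
    # Placeholders: set ROPC_TENANT / ROPC_USER / ROPC_PASS for a test account in your own tenant.
    t, u, p = (os.environ.get(k) for k in ("ROPC_TENANT", "ROPC_USER", "ROPC_PASS"))
    if t and u and p:
        print(probe(t, u, p))
    else:
        # Offline demonstration with constructed responses.
        print(classify_token_response({"access_token": "eyJ...", "token_type": "Bearer"}))
        print(classify_token_response({"error": "invalid_grant", "error_codes": [50076],
                                       "error_description": "AADSTS50076: MFA required"}))
```

The only result a correctly configured tenant should ever produce for a user with a valid password is `BLOCKED_MFA_REQUIRED` or `BLOCKED_BY_CONDITIONAL_ACCESS`; `TOKEN_ISSUED_NO_MFA` for any test account means that account sits in exactly the policy gap the campaign is hunting for.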

Many affected tenants had MFA and CAPs in place but with critical configuration gaps: MFA scoped to selected cloud apps rather than all cloud apps, MFA enforced only for privileged groups, MFA required only from non-trusted locations, and policies left in report-only mode, which records what would have happened but enforces nothing. Geolocation inconsistencies made matters worse: some attacking IPs were misidentified as U.S.-based and so satisfied trusted-location exclusions, even though other telemetry placed them in China. A country-based trusted-location exclusion is only as reliable as the geolocation feed behind it; named locations defined by the organization's own IP ranges do not share that weakness.
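An added detection example, written for this page rather than taken from the article or the reporting vendor, that triages Entra ID sign-in events for the pattern described in the two paragraphs above: ROPC sign-ins through the Azure CLI client from the reported IPv6 range, separating spray noise from successes that went through without MFA, and naming the Conditional Access gap (unscoped policy, report-only mode, no policy at all) that let each success through. Field names follow the Microsoft Graph `signIn` resource; the sample events are constructed, not real telemetry, and the non-CLI app ID used for the benign event is a placeholder.

```python
"""Triage Entra ID sign-in events for Azure CLI / ROPC password-spray activity.

Added example, not the article's code. Field names follow the Microsoft Graph
`signIn` resource; the events below are constructed, not real telemetry.
"""
import ipaddress
from collections import Counter

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # well-known first-party client
SPRAY_RANGE = ipaddress.ip_network("2a0a:d683::/32")         # range named in the report
MFA_INTERRUPT_CODES = {50076, 50079}                          # MFA required / must enrol


def _event(upn, ip, app, proto, code, req, ca_status, policies):
    """Build a trimmed signIn-shaped record (helper for the constructed samples)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "appId": app,
            "authenticationProtocol": proto, "status": {"errorCode": code},
            "authenticationRequirement": req, "conditionalAccessStatus": ca_status,
            "appliedConditionalAccessPolicies": [{"displayName": n, "result": r} for n, r in policies]}


OTHER_APP = "11111111-2222-3333-4444-555555555555"  # placeholder for a non-CLI app
SAMPLE_SIGNINS = [
    # spray noise: wrong password, no policy evaluated
    _event("alice@contoso.example", "2a0a:d683:1::15", AZURE_CLI_APP_ID, "ropc", 50126,
           "singleFactorAuthentication", "notApplied", []),
    # compromise: the only MFA policy is scoped to admins, so it never matched Bob
    _event("bob@contoso.example", "2a0a:d683:2::9", AZURE_CLI_APP_ID, "ropc", 0,
           "singleFactorAuthentication", "notApplied", [("MFA for admins", "notApplied")]),
    # compromise: an all-users MFA policy exists but is still in report-only mode
    _event("carol@contoso.example", "2a0a:d683:3::77", AZURE_CLI_APP_ID, "ropc", 0,
           "singleFactorAuthentication", "notApplied", [("MFA all users (pilot)", "reportOnlyFailure")]),
    # correct password, but an enforcing MFA policy applied and ROPC cannot satisfy it
    _event("dave@contoso.example", "2a0a:d683:1::15", AZURE_CLI_APP_ID, "ropc", 50076,
           "multiFactorAuthentication", "success", [("MFA all users", "success")]),
    # benign interactive sign-in with MFA from outside the range
    _event("erin@contoso.example", "203.0.113.10", OTHER_APP, "oAuth2", 0,
           "multiFactorAuthentication", "success", [("MFA all users", "success")]),
]


def is_spray_candidate(ev: dict) -> bool:
    """Azure CLI client + ROPC grant + source inside the reported range."""
    return (ev.get("appId") == AZURE_CLI_APP_ID
            and ev.get("authenticationProtocol") == "ropc"
            and ipaddress.ip_address(ev["ipAddress"]) in SPRAY_RANGE)


def explain_mfa_gap(ev: dict) -> str:
    """Why a successful single-factor sign-in was not challenged, from the CA evaluation."""
    results = {p["result"] for p in ev.get("appliedConditionalAccessPolicies", [])}
    if not results:
        return "no Conditional Access policy evaluated"
    if any(r.startswith("reportOnly") for r in results):
        return "only report-only policies matched"
    if results <= {"notApplied", "notEnabled"}:
        return "policies exist but none applied (user/app/location scoping gap)"
    return "a policy applied yet MFA was not required (check its grant controls)"


def triage(events: list) -> dict:
    """Summarise spray volume, attempts held off by MFA, and un-MFA'd successes."""
    failed_by_ip = Counter()
    blocked_by_mfa = 0
    compromised = []
    attempts = 0
    for ev in events:
        if not is_spray_candidate(ev):
            continue
        attempts += 1
        code = ev["status"]["errorCode"]
        if code in MFA_INTERRUPT_CODES:
            blocked_by_mfa += 1          # password validated, but the MFA policy held
        if code != 0:
            failed_by_ip[ev["ipAddress"]] += 1
            continue
        if ev.get("authenticationRequirement") == "singleFactorAuthentication":
            compromised.append((ev["userPrincipalName"], ev["ipAddress"], explain_mfa_gap(ev)))
    return {"spray_attempts": attempts, "failed_by_ip": dict(failed_by_ip),
            "blocked_by_mfa": blocked_by_mfa, "compromised": compromised}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

The `blocked_by_mfa` count deserves attention on its own: every AADSTS50076 from this range is a password the attackers now know to be correct, so those accounts need rotation even though no token was issued. On real data, feed the function the output of the sign-in log export or Graph `auditLogs/signIns` query instead of `SAMPLE_SIGNINS`.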

The incident underscores the need to rotate credentials exposed in past breaches and to configure MFA and CAPs comprehensively: all users, all cloud apps, no location exclusions that rest on geolocation, and no policies left in report-only mode. Where nothing legitimately depends on the ROPC flow, blocking it removes this path entirely. Reviewing policies against these gaps costs little compared with an account compromised on nothing more than a stale password.