Cybersecurity researchers have identified a significant automated password spray attack targeting Microsoft’s Azure Command-Line Interface (CLI). This campaign has resulted in the compromise of 78 Microsoft accounts across 64 organizations.
The attack, which ran between June 12 and June 26, 2026, involved over 81 million login attempts. The traffic originated from an IPv6 range (2a0a:d683::/32) belonging to the internet infrastructure provider LSHIY LLC (AS32167). The attackers used username and password pairs from earlier breaches that had not been changed since, so the campaign relied on credentials already circulating in compromised-credential lists rather than on guessing.
Notably, many affected organizations had Conditional Access Policies (CAPs) in place. The attackers sidestepped them by authenticating through the Resource Owner Password Credentials (ROPC) grant, a legacy OAuth 2.0 flow in which the client application collects the user's username and password itself and posts them directly to the token endpoint (grant_type=password) in exchange for an access token. Because there is no interactive step, ROPC cannot complete an MFA challenge, and the OAuth 2.1 draft removes the grant for that reason.
Microsoft advises against using ROPC, noting that it requires a high degree of trust in the application and carries inherent risk. The attackers nonetheless used it to get past CAPs wherever MFA was not enforced for all applications, user groups, or locations. Some organizations, for instance, required MFA only for specific apps or user groups, so an Azure CLI sign-in by a user outside that scope was never challenged.
Between June 12 and 21, the attackers achieved a few successful logins daily, compromising two to four accounts each day. On June 19, this number spiked to 12 accounts. The attack intensified on June 22, with 30 identities across 23 businesses being compromised in a single day. Overall, 78 user accounts were breached across 64 organizations during the campaign.
The majority of the password spraying activity was traced back to LSHIY LLC, with IP addresses resolving to locations in the U.S. and China. This attack is part of a broader wave of credential spray attacks observed across various Autonomous System Numbers (ASNs), with a reported 155-fold increase in such attacks among certain customer bases. The surge was particularly notable from late May through early June, with an average of approximately 1,964 failed attacks per month per protected tenant.
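The spray signature described above (many accounts, few attempts each, one source network, ROPC against Azure CLI) can be hunted for in Entra ID sign-in logs. The following is an added example, not code from the article or from the researchers who reported the campaign. It reads JSON-lines records in the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, ipAddress, authenticationProtocol, status.errorCode); the sample records, the contoso.example users and the thresholds are constructed for illustration, and the Azure CLI match is on the app display name "Microsoft Azure CLI".

```python
"""Hunt for ROPC Azure CLI password spraying in Entra ID sign-in logs.

Added example, not code from the article or its source report. Input is
JSON-lines in the shape of the Graph signIn resource / SigninLogs table;
the records below are constructed, not real telemetry.
"""
import ipaddress
import json
from collections import defaultdict

AZURE_CLI_APP = "Microsoft Azure CLI"
ERR_BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
ERR_MFA_REQUIRED = 50076   # AADSTS50076: MFA required, i.e. the CAP held


def _rec(user, ip, code, proto="ropc", app=AZURE_CLI_APP):
    """Build one constructed sign-in record as a JSON line."""
    return json.dumps({
        "userPrincipalName": user,
        "appDisplayName": app,
        "ipAddress": ip,
        "authenticationProtocol": proto,
        "status": {"errorCode": code},
    })


# Constructed sample: a spray out of 2a0a:d683::/32 (the range named in the
# article) that guesses wrong for four accounts, is stopped by MFA for one,
# and succeeds for one; plus two benign sign-ins that must not be flagged.
SAMPLE_LOG = "\n".join([
    _rec("alice@contoso.example", "2a0a:d683:1::10", ERR_BAD_PASSWORD),
    _rec("bob@contoso.example", "2a0a:d683:1::10", ERR_BAD_PASSWORD),
    _rec("carol@contoso.example", "2a0a:d683:1::11", ERR_BAD_PASSWORD),
    _rec("dave@contoso.example", "2a0a:d683:2::5", ERR_BAD_PASSWORD),
    _rec("erin@contoso.example", "2a0a:d683:2::5", ERR_MFA_REQUIRED),
    _rec("frank@contoso.example", "2a0a:d683:2::5", 0),
    _rec("grace@contoso.example", "203.0.113.7", 0,
         proto="oAuth2", app="Office 365 Exchange Online"),
    _rec("heidi@contoso.example", "198.51.100.9", 0),
])


def parse_signins(text):
    """Parse JSON-lines sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def source_network(ip):
    """Collapse a source address to the block a spray is tracked at:
    /32 for IPv6 (the granularity the article reports), /24 for IPv4."""
    addr = ipaddress.ip_address(ip)
    bits = 32 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def ropc_cli_signins(records):
    """Every sign-in that used the ROPC grant against Azure CLI."""
    return [r for r in records
            if r.get("authenticationProtocol") == "ropc"
            and r.get("appDisplayName") == AZURE_CLI_APP]


def spray_sources(records, min_users=3):
    """Networks that tried a bad password for at least min_users distinct
    accounts: many users, few attempts each is the spray signature."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            failed[source_network(r["ipAddress"])].add(r["userPrincipalName"])
    return {net: sorted(users) for net, users in failed.items()
            if len(users) >= min_users}


def _ropc_cli_from_sprayers(records, code, min_users):
    sprayers = spray_sources(records, min_users)
    return sorted({r["userPrincipalName"] for r in ropc_cli_signins(records)
                   if r["status"]["errorCode"] == code
                   and source_network(r["ipAddress"]) in sprayers})


def compromised_accounts(records, min_users=3):
    """Accounts with a successful ROPC Azure CLI sign-in from a spraying network."""
    return _ropc_cli_from_sprayers(records, 0, min_users)


def mfa_held(records, min_users=3):
    """Accounts the sprayer guessed right for but a CAP challenged with MFA:
    the password is known to the attacker and must be rotated anyway."""
    return _ropc_cli_from_sprayers(records, ERR_MFA_REQUIRED, min_users)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print("spray sources:", spray_sources(recs))
    print("compromised:", compromised_accounts(recs))
    print("password known, MFA held:", mfa_held(recs))
```

Two design points: the AADSTS50076 (MFA required) results are surfaced separately because a correct password that hit an MFA wall is still a leaked password, and the spray threshold is applied per network block rather than per address, since the campaign rotated across a /32.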
To mitigate such attacks, organizations are advised to:
- Enforce MFA for all users, applications, and client app types when implementing CAPs.
- Restrict Azure CLI access for non-administrative users.
- Regularly update and rotate credentials, especially those known to have been compromised.
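The first two recommendations amount to one question: does some enabled policy require MFA for every user, every cloud app and every client app type, so that an Azure CLI sign-in via ROPC is always challenged? The following added example (not tooling from the article or from Microsoft) checks exported policy objects for that. The policy dicts follow the Microsoft Graph conditionalAccessPolicy shape but are constructed here, not exported from a real tenant; the app id is Azure CLI's well-known first-party application id, and the check assumes that an ROPC sign-in from Azure CLI falls under the "mobileAppsAndDesktopClients" client app type.

```python
"""Audit Conditional Access policies for the scoping gap the campaign abused:
MFA not required for all users, all cloud apps and all client app types.

Added example, not tooling from the article or from Microsoft. Policy dicts
follow the Microsoft Graph conditionalAccessPolicy shape; they are
constructed here, not exported from a tenant.
"""
# Well-known first-party application id of Azure CLI in Entra.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Assumption used by this check: Azure CLI is a public desktop client, so a
# policy must include this client app type (or "all") to challenge it.
CLI_CLIENT_TYPE = "mobileAppsAndDesktopClients"


def _policy(name, state="enabled", users=("All",), groups=(), apps=("All",),
            excl_apps=(), client=("all",), controls=("mfa",)):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(users), "includeGroups": list(groups),
                      "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": list(apps),
                             "excludeApplications": list(excl_apps)},
            "clientAppTypes": list(client),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


# Constructed sample: four policies with the gaps described in the article
# and one correctly scoped policy ("group-admins" is a placeholder group id).
SAMPLE_POLICIES = [
    _policy("MFA for Office apps", apps=("Office365",)),            # CLI not in scope
    _policy("MFA for admins", users=(), groups=("group-admins",)),   # only one group
    _policy("MFA in the browser", client=("browser",)),              # CLI is a desktop client
    _policy("MFA everywhere (report-only)",
            state="enabledForReportingButNotEnforced"),              # not enforced
    _policy("MFA everywhere"),                                       # the corrected policy
]


def policy_gaps(policy):
    """Reasons this policy would not force MFA on an Azure CLI ROPC sign-in."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("not enforced (state=%s)" % policy.get("state"))
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if "mfa" not in controls:
        gaps.append("grant controls do not require mfa")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        # Break-glass exclusions are common; they are still unprotected identities.
        gaps.append("has user/group exclusions")
    apps = cond.get("applications", {})
    inc = apps.get("includeApplications", [])
    if "All" not in inc and AZURE_CLI_APP_ID not in inc:
        gaps.append("Azure CLI not among included applications")
    if AZURE_CLI_APP_ID in apps.get("excludeApplications", []):
        gaps.append("Azure CLI explicitly excluded")
    client = cond.get("clientAppTypes", [])
    if "all" not in client and CLI_CLIENT_TYPE not in client:
        gaps.append("client app types omit %s" % CLI_CLIENT_TYPE)
    return gaps


def requires_mfa_for_cli(policy):
    """True if this single policy challenges every Azure CLI sign-in with MFA."""
    return not policy_gaps(policy)


def tenant_covers_cli(policies):
    """True if at least one policy in the tenant closes the gap."""
    return any(requires_mfa_for_cli(p) for p in policies)


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", policy_gaps(p) or "OK")
    print("tenant covered:", tenant_covers_cli(SAMPLE_POLICIES))
```

Run against a real export (for example the output of `Get-MgIdentityConditionalAccessPolicy` converted to JSON), the same functions report which policy, if any, actually covers a non-interactive CLI sign-in; a tenant where every MFA policy is scoped to a group or an app set will show no policy passing.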
This incident underscores the importance of configuring security policies correctly and staying vigilant against evolving attack vectors. Organizations must ensure that their MFA policies are comprehensive and cover every authentication flow and client, not only interactive browser sign-ins, if they are to stop attacks of this kind.