Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Massive Password Spray Campaign Targeting Azure CLI

0
Medium
Vulnerability
Published: 07/01/2026 (07/01/2026, 07:46:33 UTC)
Source: SecurityWeek

Description

Hackers were seen making over 81 million login attempts originating from systems associated with hosting provider LSHIY. The post Massive Password Spray Campaign Targeting Azure CLI appeared first on SecurityWeek .

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/01/2026, 07:51:32 UTC

Technical Analysis

Between June 12 and 21, 2026, threat actors conducted a massive password spray attack targeting Microsoft 365 environments via the Azure CLI, making over 81 million login attempts. The attackers leveraged the deprecated OAuth ROPC authentication flow, which does not support modern authentication mechanisms like MFA or SSO, allowing credential validation without interactive MFA prompts. This enabled compromises even in accounts with MFA enabled but not enforced for ROPC. The campaign resulted in 78 compromised accounts across 64 organizations, with daily compromises and a spike on June 22. The attacks originated primarily from AS32167, linked to hosting provider LSHIY. Huntress observed a 155-fold increase in credential spray attacks over six months and noted that some impacted organizations had no MFA policies at all. The vendor has been notified but has not responded.

Potential Impact

The campaign led to the compromise of multiple user accounts in Microsoft 365 environments, enabling unauthorized access to cloud resources. The use of the OAuth ROPC flow bypassed MFA protections in many cases, increasing the risk of account takeover. Organizations with weak or improperly configured MFA policies were particularly vulnerable. The large volume of login attempts indicates a broad and persistent attack effort. No direct evidence of exploitation beyond account compromise is provided.

Mitigation Recommendations

No official patch is applicable as this is an attack campaign exploiting authentication flows and configuration weaknesses. Organizations should review and strengthen their MFA policies to ensure coverage of all authentication flows, including OAuth ROPC. Disabling or restricting the use of the deprecated OAuth ROPC flow is recommended. Enforce MFA consistently across all user groups and cloud applications, and avoid conditional MFA policies that exclude certain locations or users. Monitor for unusual login activity and implement strong password policies to reduce the risk of credential compromise.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/","fetched":true,"fetchedAt":"2026-07-01T07:51:23.719Z","wordCount":1162}

Threat ID: 6a44c6fb27e9c797192b95b1

Added to database: 07/01/2026, 07:51:23 UTC

Last enriched: 07/01/2026, 07:51:32 UTC

Last updated: 07/01/2026, 23:37:39 UTC

Views: 21

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses