Massive Password Spray Campaign Targeting Azure CLI
Hackers were seen making over 81 million login attempts originating from systems associated with hosting provider LSHIY. The post Massive Password Spray Campaign Targeting Azure CLI appeared first on SecurityWeek.
AI Analysis
Technical Summary
Between June 12 and 21, 2026, threat actors conducted a massive password spray attack targeting Microsoft 365 environments via the Azure CLI, making over 81 million login attempts. The attackers leveraged the deprecated OAuth ROPC authentication flow, which does not support modern authentication mechanisms like MFA or SSO, allowing credential validation without interactive MFA prompts. This enabled compromises even in accounts with MFA enabled but not enforced for ROPC. The campaign resulted in 78 compromised accounts across 64 organizations, with daily compromises and a spike on June 22. The attacks originated primarily from AS32167, linked to hosting provider LSHIY. Huntress observed a 155-fold increase in credential spray attacks over six months and noted that some impacted organizations had no MFA policies at all. The vendor has been notified but has not responded.
Potential Impact
The campaign led to the compromise of multiple user accounts in Microsoft 365 environments, enabling unauthorized access to cloud resources. The use of the OAuth ROPC flow bypassed MFA protections in many cases, increasing the risk of account takeover. Organizations with weak or improperly configured MFA policies were particularly vulnerable. The large volume of login attempts indicates a broad and persistent attack effort. No direct evidence of exploitation beyond account compromise is provided.
Mitigation Recommendations
No official patch is applicable as this is an attack campaign exploiting authentication flows and configuration weaknesses. Organizations should review and strengthen their MFA policies to ensure coverage of all authentication flows, including OAuth ROPC. Disabling or restricting the use of the deprecated OAuth ROPC flow is recommended. Enforce MFA consistently across all user groups and cloud applications, and avoid conditional MFA policies that exclude certain locations or users. Monitor for unusual login activity and implement strong password policies to reduce the risk of credential compromise.
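One way to act on the monitoring recommendation, as an added example that is not from the source article or from Huntress: group ROPC sign-ins by source ASN and report networks that fail against many distinct users, together with any accounts whose password they validated. The record layout is an assumed flattening of Entra ID sign-in log fields, and all users and ASNs are constructed.

```python
from collections import defaultdict

INVALID_PASSWORD = 50126  # Entra ID error: invalid username or password
MFA_REQUIRED = 50076      # Entra ID error: password accepted, MFA demanded
SUCCESS = 0

# Constructed records (user, source ASN, auth protocol, error code).
# ASNs 64500-64502 are reserved documentation values, not real networks.
SAMPLE_SIGNINS = [
    ("alice@example.com", 64500, "ropc", INVALID_PASSWORD),
    ("bob@example.com", 64500, "ropc", INVALID_PASSWORD),
    ("carol@example.com", 64500, "ropc", INVALID_PASSWORD),
    ("dave@example.com", 64500, "ropc", SUCCESS),
    ("erin@example.com", 64500, "ropc", MFA_REQUIRED),
    ("alice@example.com", 64500, "oAuth2", INVALID_PASSWORD),  # not ROPC, ignored
    ("frank@example.com", 64501, "ropc", INVALID_PASSWORD),    # below threshold
    ("svc-build@example.com", 64502, "ropc", SUCCESS),         # no failures seen
]

def find_ropc_spray(signins, min_failed_users=3):
    """Report source ASNs whose ROPC sign-ins failed against many distinct users."""
    by_asn = defaultdict(lambda: defaultdict(set))
    for user, asn, protocol, error in signins:
        if protocol == "ropc":
            by_asn[asn][error].add(user)
    findings = {}
    for asn, outcomes in by_asn.items():
        if len(outcomes[INVALID_PASSWORD]) < min_failed_users:
            continue
        findings[asn] = {
            "sprayed": sorted(outcomes[INVALID_PASSWORD]),
            "compromised": sorted(outcomes[SUCCESS]),
            "password_valid_mfa_blocked": sorted(outcomes[MFA_REQUIRED]),
        }
    return findings

if __name__ == "__main__":
    for asn, result in find_ropc_spray(SAMPLE_SIGNINS).items():
        print(f"AS{asn}: {result}")
```

Accounts listed under `password_valid_mfa_blocked` were not signed in, but the spraying source now knows their password, so they need a reset as well as the accounts under `compromised`.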
Technical Details
- Article Source: https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/ (fetched 2026-07-01T07:51:23.719Z, word count 1162)
Threat ID: 6a44c6fb27e9c797192b95b1
Added to database: 07/01/2026, 07:51:23 UTC
Last enriched: 07/01/2026, 07:51:32 UTC
Last updated: 07/01/2026, 23:37:39 UTC