2026-07-01 The Hacker News

Azure CLI Password Spray Compromises 78 Microsoft Accounts in 81M+ Attempts

Tags: Cloud Security, Authentication, Threat Intel

Cybersecurity researchers at Huntress have uncovered a massive, ongoing automated password spray campaign targeting Microsoft's Azure command-line interface (CLI), generating more than 81 million login attempts between June 12 and June 26, 2026, and successfully compromising at least 78 Microsoft accounts across 64 organizations. The activity originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167), with associated IPs resolving to locations in both the United States and China. Researchers noted that targeting appears indiscriminate, driven entirely by password prevalence on compromised credential combo lists rather than any specific industry or business type. Organizations concerned about credential exposure can verify whether their credentials appear in known breach databases using an email breach checker and audit password strength with a password checker.

What makes this campaign particularly alarming is its ability to circumvent Conditional Access Policy (CAP) protections through a deprecated OAuth 2.0 grant type known as Resource Owner Password Credentials (ROPC). This legacy flow allows a user to submit their username and password directly to a client application, which exchanges them for an access token at the authorization server. Microsoft formally deprecated ROPC in OAuth 2.1 and explicitly warns against its use, noting its incompatibility with multi-factor authentication (MFA). Huntress confirmed that many of the compromised organizations had Conditional Access policies in place, yet the attackers still succeeded, demonstrating a critical gap in modern cloud defense postures. Security teams investigating suspicious authentication sources can run a WHOIS lookup on flagged IP ranges to trace infrastructure ownership.

The credential and token spray attacks produced a steady cadence of successful logins throughout mid-June, averaging two to four compromised accounts per day, with an anomalous spike on June 19 (12 identities) and a major escalation on June 22, when 30 identities across 23 businesses were impacted. Huntress reported that the volume of credential spray attacks across its customer base surged by over 155 times in late May through early June, now averaging roughly 1,964 failed attacks per month per protected tenant. The threat actor is weaponizing old username and password combinations harvested from prior breaches that were never rotated by end users, making credential hygiene the single most effective defensive measure.

Defenders are urged to disable ROPC entirely, enforce phishing-resistant MFA such as FIDO2 or Windows Hello for Business, and audit service principals for legacy authentication paths. The campaign underscores that Conditional Access policies alone are insufficient when deprecated OAuth flows remain enabled, and that even organizations with mature cloud security postures remain exposed if individual users maintain recycled credentials. Huntress continues to monitor the LSHIY LLC infrastructure and warns that credential spray activity is likely to intensify as attackers refine their abuse of legacy authentication mechanisms.
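The audit the article calls for can be started from sign-in logs: isolate ROPC authentications, check whether they come from the 2a0a:d683::/32 range named in the report, and separate failed spray attempts from the successful logins that need credential rotation and session revocation. The following is an added example, not code from Huntress or The Hacker News; the sample records are constructed, and the field names (authenticationProtocol, ipAddress, status.errorCode) follow the Microsoft Graph signIn schema as an assumption to verify against your own export.

```python
import ipaddress
import json

# Constructed sample sign-in records, not real log data. Field names are assumed
# to match the Graph signIn export; errorCode 0 is treated as a successful sign-in.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "2a0a:d683:1::10",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "2a0a:d683:2::20",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.5",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "2a0a:d683:3::30",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "2001:db8::1",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
])

# IPv6 range attributed in the report to LSHIY LLC (AS32167).
SUSPECT_RANGES = [ipaddress.ip_network("2a0a:d683::/32")]


def in_suspect_range(ip: str) -> bool:
    """True if the address falls inside any range flagged by the report."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def triage(signins_json: str) -> dict:
    """Summarise ROPC activity: how much of it came from the suspect range, which
    accounts were sprayed (failed attempts), and which accounts actually signed in."""
    ropc_total = 0
    ropc_from_range = 0
    sprayed = set()       # accounts with failed ROPC attempts from the range
    compromised = set()   # accounts with a successful ROPC sign-in from the range
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "ropc":
            continue
        ropc_total += 1
        if not in_suspect_range(rec["ipAddress"]):
            continue
        ropc_from_range += 1
        if rec["status"]["errorCode"] == 0:
            compromised.add(rec["userPrincipalName"])
        else:
            sprayed.add(rec["userPrincipalName"])
    return {"ropc_total": ropc_total, "ropc_from_range": ropc_from_range,
            "sprayed": sorted(sprayed), "compromised": sorted(compromised)}
```

Accounts in the compromised list are the ones to rotate and revoke sessions for first; any ROPC sign-in at all, from any range, is evidence the legacy flow is still enabled somewhere.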

Source: The Hacker News →
