Cybersecurity researchers have uncovered a large-scale automated password spray campaign targeting Microsoft Entra ID accounts through the Azure Command-Line Interface (Azure CLI) client, with attackers successfully compromising dozens of Microsoft identities despite many organizations having security protections in place.
According to security firm Huntress, the campaign originated from an IPv6 address range (2a0a:d683::/32) operated by internet infrastructure provider LSHIY LLC (AS32167).
Between June 12 and June 26, 2026, attackers launched more than 81 million login attempts, ultimately compromising 78 Microsoft user accounts across 64 organizations.
Researchers noted that the attacks were not focused on any particular industry. Instead, the threat actors appeared to target accounts using commonly reused passwords found in previously leaked credential databases.
Attackers Exploited Legacy OAuth Authentication
What makes this campaign particularly concerning is that many of the affected organizations had Microsoft Conditional Access Policies (CAP) enabled.
Rather than attacking through interactive login methods, the attackers abused a deprecated OAuth grant known as Resource Owner Password Credentials (ROPC), which let them slip past Conditional Access policies that were not scoped to cover that sign-in path.
ROPC is a legacy OAuth 2.0 flow in which the client application collects the user's username and password itself and posts them straight to the token endpoint in exchange for an access token. There is no browser redirect and no interactive step, so there is nowhere for the identity provider to prompt for a second factor.
Conditional Access is still evaluated on an ROPC token request, but it cannot be satisfied: a policy that requires MFA fails the request outright instead of prompting. The sign-in therefore succeeds with a password alone whenever no enabled policy covers that combination of user, target application and location, which is exactly the gap that narrowly scoped policies leave.
The password grant is marked "MUST NOT be used" in the OAuth 2.0 Security Best Current Practice (RFC 9700) and has been dropped from the OAuth 2.1 draft entirely.
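The exchange described above, as an added example that is not code from the original article or from Huntress: it builds the single POST the password grant consists of against the Microsoft identity platform token endpoint and maps the endpoint's answer to an outcome. The tenant, account and password are placeholders; the client ID is the publicly documented first-party Azure CLI application ID; the outcome labels are this example's own, while the numeric AADSTS codes are the public error codes. Note the practitioner caveat the mapping makes visible: when a policy does require MFA, the endpoint rejects the request with a distinct error rather than a generic failure, so a sprayer still learns that the password was correct.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Publicly documented first-party application ID of the Azure CLI client.
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Outcome labels are this example's own; the AADSTS codes are the public
# error codes returned in the JSON body's "error_codes" list.
TOKEN_ISSUED = "token_issued"
BAD_PASSWORD = "bad_password"
MFA_REQUIRED = "mfa_required"
MFA_ENROLLMENT_REQUIRED = "mfa_enrollment_required"
BLOCKED_BY_CA = "blocked_by_conditional_access"
LOCKED = "account_locked"
DISABLED = "account_disabled"
OTHER = "other_error"

AADSTS_OUTCOMES = {
    50126: BAD_PASSWORD,             # invalid username or password
    50076: MFA_REQUIRED,             # policy requires MFA; ROPC cannot supply it
    50079: MFA_ENROLLMENT_REQUIRED,  # user must register for MFA first
    53003: BLOCKED_BY_CA,            # blocked by a Conditional Access policy
    50053: LOCKED,                   # smart lockout
    50057: DISABLED,                 # account disabled
}

# Conditional Access runs only after the credential was validated, so these
# outcomes confirm the password to the caller even though no token is issued.
PASSWORD_CONFIRMED = {TOKEN_ISSUED, MFA_REQUIRED, MFA_ENROLLMENT_REQUIRED, BLOCKED_BY_CA}


def build_ropc_request(tenant, username, password, client_id=AZURE_CLI_CLIENT_ID,
                       scope="https://management.azure.com/.default"):
    """Build the one form-encoded POST that makes up the ROPC flow."""
    form = {
        "grant_type": "password",  # the ROPC grant
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,            # Azure CLI asks for Azure Resource Manager tokens
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urllib.parse.urlencode(form).encode()


def classify_token_response(payload):
    """Map the token endpoint's JSON body to (outcome, password_was_correct)."""
    if "access_token" in payload:
        return TOKEN_ISSUED, True
    codes = payload.get("error_codes") or []
    outcome = next((AADSTS_OUTCOMES[c] for c in codes if c in AADSTS_OUTCOMES), OTHER)
    return outcome, outcome in PASSWORD_CONFIRMED


def send_ropc_request(tenant, username, password):
    """Perform the exchange for real (network). A bad password or a policy
    failure comes back as HTTP 400 with a JSON error body, which is parsed
    the same way as a success."""
    url, body = build_ropc_request(tenant, username, password)
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        payload = json.load(err)
    return classify_token_response(payload)


if __name__ == "__main__":
    # Constructed responses so this runs offline; use send_ropc_request()
    # against your own tenant to see the live behaviour.
    url, body = build_ropc_request("contoso.onmicrosoft.com", "user@contoso.example", "placeholder")
    print(url, body.decode())
    for sample in ({"access_token": "example-token"},
                   {"error": "invalid_grant", "error_codes": [50126]},
                   {"error": "invalid_grant", "error_codes": [50076]}):
        print(classify_token_response(sample))
```

The request carries no interactive state at all, which is why a sprayer can issue tens of millions of them from a script; the only defenses that act on it are the password check, lockout, and whichever Conditional Access policy happens to be in scope.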
Microsoft Has Long Warned Against ROPC
Microsoft has repeatedly advised organizations not to use the ROPC authentication flow because it is incompatible with modern security controls such as multi-factor authentication (MFA).
The company states that ROPC should only be used in rare situations where more secure authentication methods are not practical, as it requires users to directly share their passwords with applications and carries significant security risks.
Millions of Login Attempts Over Two Weeks
Huntress observed a steady stream of successful compromises throughout the campaign.
Between June 12 and June 21, attackers compromised an average of two to four user accounts per day, with 12 accounts breached on June 19.
The campaign intensified on June 22, when attackers successfully compromised 30 user identities across 23 organizations in a single day.
By the end of the operation, researchers had confirmed:
- More than 81 million login attempts
- 78 compromised Microsoft accounts
- 64 affected organizations
Most of the malicious login traffic originated from infrastructure operated by LSHIY LLC, although some of the addresses geolocated to the United States and China.
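To hunt for this activity in your own tenant, the following added example (not code from the article or from Huntress) runs over sign-in records in the shape Microsoft Graph returns for `signIn` objects, keeps only ROPC sign-ins, checks the source address against the 2a0a:d683::/32 range the article attributes to the campaign, and ranks accounts that actually obtained a token for investigation. The sample records are constructed and trimmed to the fields used; the user and domain names are placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Source range the article attributes to the campaign (LSHIY LLC, AS32167).
CAMPAIGN_RANGES = [ipaddress.ip_network("2a0a:d683::/32")]

# Constructed sample records, trimmed to the Graph signIn fields used here.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "2a0a:d683:12::9", "authenticationProtocol": "ropc",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "2a0a:d683:12::a", "authenticationProtocol": "ropc",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "2a0a:d683:12::b", "authenticationProtocol": "ropc",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "2a0a:d683:7::3", "authenticationProtocol": "ropc",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 50076}},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Azure Portal",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "198.51.100.7", "authenticationProtocol": "ropc",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
]
""")


def in_campaign_range(ip):
    """True when the address falls inside one of the attributed ranges
    (an IPv4 address is simply never inside an IPv6 network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPAIGN_RANGES)


def ropc_summary(records):
    """Per user: failed and successful ROPC attempts, whether any came from the
    campaign range, and whether Conditional Access ever failed to apply."""
    summary = defaultdict(lambda: {"failures": 0, "successes": 0,
                                   "campaign_source": False, "ca_not_applied": False})
    for rec in records:
        if rec.get("authenticationProtocol") != "ropc":
            continue
        entry = summary[rec["userPrincipalName"]]
        if rec["status"]["errorCode"] == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1
        entry["campaign_source"] = entry["campaign_source"] or in_campaign_range(rec["ipAddress"])
        entry["ca_not_applied"] = entry["ca_not_applied"] or rec.get("conditionalAccessStatus") == "notApplied"
    return dict(summary)


def accounts_to_investigate(records):
    """Users who obtained a token over ROPC, campaign-sourced ones first.
    A 50076 (MFA required) is a blocked attempt, not a compromise, but it
    still means the password was right and should be rotated."""
    summary = ropc_summary(records)
    hits = [user for user, entry in summary.items() if entry["successes"]]
    return sorted(hits, key=lambda user: (not summary[user]["campaign_source"], user))


if __name__ == "__main__":
    for user, entry in ropc_summary(SAMPLE_SIGNINS).items():
        print(user, entry)
    print("investigate:", accounts_to_investigate(SAMPLE_SIGNINS))
```

In the sample, alice is flagged first (token issued from the campaign range after two failures, with no policy applied), dave is flagged because a token was issued over ROPC from elsewhere, bob's password was confirmed but the request was rejected by an MFA policy, and carol's browser sign-in is ignored. With real data, `ca_not_applied` on a successful ROPC sign-in is the direct symptom of the scoping gaps discussed later in the article.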
Credential Spray Activity Has Increased Dramatically
Huntress said this campaign is part of a much larger wave of credential spray attacks targeting Microsoft environments.
The company reported a 155-fold increase in password spray activity across its customer base, with organizations now experiencing an average of nearly 2,000 failed login attempts per month per protected Microsoft tenant.
Researchers believe the attackers relied primarily on old username and password combinations leaked in previous data breaches that victims never changed.
How MFA Was Bypassed
Although many affected organizations had multi-factor authentication enabled, several common configuration mistakes allowed attackers to authenticate successfully using the ROPC flow.
Researchers identified several weaknesses, including:
- MFA being enforced only for selected cloud applications rather than All Cloud Apps, so the resources the Azure CLI requests tokens for fell outside the policy and its logins went unprotected.
- MFA policies applying only to privileged users such as administrators instead of every user account, leaving ordinary users, whose leaked passwords were the ones being sprayed, uncovered.
- MFA enforcement being triggered only for logins from untrusted locations, so any attempt arriving from an address in the tenant's trusted-location list proceeded on a password alone.
Huntress also found that eight of the affected organizations had no MFA protection enabled at all.
The researchers emphasized that the incident does not demonstrate that MFA is ineffective. Instead, it highlights the importance of properly configuring Conditional Access policies to cover all authentication methods, including legacy protocols like ROPC.
How Organizations Can Protect Themselves
To reduce the risk of similar attacks, Huntress recommends that organizations:
- Require MFA for all users.
- Apply Conditional Access policies to All Cloud Apps.
- Enforce MFA across all client application types, including Azure CLI.
- Restrict Azure CLI access for non-administrative users whenever possible.
- Promptly investigate accounts that successfully authenticate using previously compromised credentials.
- Disable legacy authentication methods such as ROPC whenever feasible. Note that ROPC is an OAuth grant against the modern token endpoint, so a Conditional Access policy that only blocks the "Other clients" legacy-authentication category does not stop it; the MFA policy itself has to be in scope for the sign-in.
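The three scoping mistakes above and the recommended policy, worked through as an added example that is not code from the article or from Huntress. It models Conditional Access evaluation over policies in the (trimmed) shape Graph returns from the conditionalAccess/policies endpoint and evaluates a simulated Azure CLI sign-in over ROPC, which can never complete MFA. The app and role identifiers are illustrative strings, not real GUIDs; a real policy uses the tenant's own IDs, and the "cloud app" a policy matches is the resource the client asks a token for (for the Azure CLI, Microsoft Azure Management), not the client itself.

```python
from dataclasses import dataclass, replace

# Illustrative identifiers for this example (hypothetical; real policies use tenant GUIDs).
AZURE_MGMT = "app:microsoft-azure-management"  # resource the Azure CLI requests tokens for
OFFICE_365 = "app:office-365"
GLOBAL_ADMIN = "role:global-administrator"


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: tuple
    resource_app: str
    client_app_type: str    # Graph clientAppTypes value for the client in use
    trusted_location: bool  # source IP is inside a named trusted location
    can_do_mfa: bool        # False for ROPC: there is no interactive step


def mfa_policy(name, users=("All",), roles=(), apps=("All",), client_types=("all",),
               exclude_trusted=False):
    """Build an enabled require-MFA policy in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": list(users), "includeRoles": list(roles), "excludeUsers": []},
            "applications": {"includeApplications": list(apps), "excludeApplications": []},
            "clientAppTypes": list(client_types),
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"] if exclude_trusted else []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# The three scopings the article reports as gaps, and the recommended one.
SELECTED_APPS_ONLY = mfa_policy("MFA for Office 365 only", apps=(OFFICE_365,))
ADMINS_ONLY = mfa_policy("MFA for admins only", users=(), roles=(GLOBAL_ADMIN,))
UNTRUSTED_ONLY = mfa_policy("MFA outside trusted locations", exclude_trusted=True)
ALL_USERS_ALL_APPS = mfa_policy("MFA for all users, all cloud apps")


def policy_applies(policy, s):
    """Does this policy's scope cover the sign-in? Mirrors the user, cloud app,
    client app type and location conditions of Conditional Access."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    in_users = ("All" in users["includeUsers"] or s.user in users["includeUsers"]
                or any(r in users["includeRoles"] for r in s.roles))
    if not in_users or s.user in users["excludeUsers"]:
        return False
    if not ("All" in apps["includeApplications"] or s.resource_app in apps["includeApplications"]):
        return False
    if s.resource_app in apps["excludeApplications"]:
        return False
    if "all" not in c["clientAppTypes"] and s.client_app_type not in c["clientAppTypes"]:
        return False
    if s.trusted_location and "AllTrusted" in c["locations"]["excludeLocations"]:
        return False
    return True


PASSWORD_ONLY = "allowed_password_only"
MFA_SATISFIED = "allowed_after_mfa"
MFA_REQUIRED = "rejected_mfa_required"


def evaluate(policies, s):
    """Outcome of the token request plus the names of the MFA policies that applied.
    Over ROPC an applying MFA policy means rejection; with nothing in scope the
    password alone is enough."""
    applied = [p["displayName"] for p in policies
               if policy_applies(p, s) and "mfa" in p["grantControls"]["builtInControls"]]
    if not applied:
        return PASSWORD_ONLY, applied
    return (MFA_SATISFIED if s.can_do_mfa else MFA_REQUIRED), applied


if __name__ == "__main__":
    ropc_from_spray_host = SignIn("alice@contoso.example", (), AZURE_MGMT,
                                  "mobileAppsAndDesktopClients", trusted_location=False, can_do_mfa=False)
    ropc_from_office = replace(ropc_from_spray_host, trusted_location=True)
    for policy in (SELECTED_APPS_ONLY, ADMINS_ONLY, UNTRUSTED_ONLY, ALL_USERS_ALL_APPS):
        print(f'{policy["displayName"]:36} spray host: {evaluate([policy], ropc_from_spray_host)[0]:26}'
              f' trusted IP: {evaluate([policy], ropc_from_office)[0]}')
```

Only the all-users, all-apps policy rejects the ROPC request in both scenarios. The selected-apps and admins-only policies never come into scope for an ordinary user's Azure CLI token request, and the untrusted-locations policy drops out as soon as the request arrives from an address the tenant has marked trusted.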
A Reminder That Legacy Authentication Still Poses Risks
According to Huntress, this campaign exposes how outdated authentication mechanisms can undermine otherwise strong security policies.
Even organizations using Conditional Access and MFA may remain vulnerable if legacy protocols like ROPC are still permitted or if policies are narrowly scoped.
As attackers continue automating credential-based attacks at massive scale, organizations should regularly review authentication settings, disable obsolete login methods, and ensure Conditional Access policies protect every authentication path—not just the most common ones.
