Ethical Hacking News
A massive password spray attack on Microsoft's Azure command-line interface (CLI) has compromised at least 78 user accounts across 64 organizations, with over 81 million login attempts made in the process. The attack, which exploited vulnerabilities in Conditional Access Policy (CAP), highlights the ongoing threats to cloud security and the need for proactive measures to address them.
Attackers exploited vulnerabilities in Microsoft's Azure CLI through a massive password spray attack. The attack targeted at least 78 Microsoft accounts across 64 organizations with over 81 million login attempts. The attackers used a deprecated OAuth flow called Resource Owner Password Credentials (ROPC) to bypass Conditional Access Policy protections. Many of the compromised organizations had not properly configured their MFA policies, making them vulnerable to the attack. Microsoft has warned against using the ROPC flow because it carries significant risks and requires a high degree of trust in the application. The attack highlighted the importance of properly configuring MFA policies to address the authorization flow used by attackers.
A recent cybersecurity alert has highlighted a concerning trend in cloud security, as attackers have been exploiting vulnerabilities in Microsoft's Azure command-line interface (CLI) through a massive password spray attack. The assault, which began on June 12 and continued until June 26, targeted at least 78 Microsoft accounts across 64 organizations, with over 81 million login attempts made in the process.
The attack, which has been attributed to an IPv6 address range controlled by internet infrastructure provider LSHIY LLC (AS32167), appears to be a sophisticated and coordinated effort. Threat actors used a deprecated OAuth flow called Resource Owner Password Credentials (ROPC) to bypass Conditional Access Policy (CAP) protections, exploiting the fact that many of the compromised organizations had not properly configured their MFA policies.
The ROPC flow, which was deprecated in OAuth 2.1, requires a high degree of trust in the application and carries significant risks. However, it is still being used by some organizations, often due to a lack of awareness about its vulnerabilities. Microsoft has explicitly warned against using this flow, recommending more secure alternatives whenever possible.
The attack's impact was most pronounced between June 12 and June 21, with an average of two to four accounts being compromised daily. However, the cadence changed on June 22, with 30 identities across 23 businesses impacted. The majority of password spraying activity emanated from LSHIY LLC, with some IP addresses resolving to the U.S. and a few others resolving to China.
In response to this attack, cybersecurity researchers have emphasized the importance of properly configuring MFA policies to address the authorization flow used by attackers. Huntress, which discovered the attack, has warned that eight businesses impacted by the campaign had no MFA policy at all, despite being targeted. The company advises organizations to require MFA for All Users, All Cloud Apps, and All Client App types when enabling CAP.
To counter this line of attack, organizations are advised to restrict the Azure CLI application for non-admin users and prioritize response by credential validity. Microsoft itself has acknowledged that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely, highlighting a need for better configuration and monitoring.
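The triage step described above ("prioritize response by credential validity") can be sketched as follows. This is an added example, not code from Huntress or Microsoft; it assumes sign-in logs exported one JSON record per line with Microsoft Graph signIn field names, and it assumes that the listed result codes are only returned once the password itself has been accepted.

```python
import json
from collections import defaultdict

# Assumption: one JSON record per line, using Microsoft Graph signIn field names.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI
# Assumption: these result codes (MFA required, blocked by Conditional Access)
# are returned only after the password itself was accepted.
VALID_PASSWORD_CODES = {50074, 50076, 50079, 53003}
RANK = {"compromised": 0, "valid_credential_blocked": 1, "sprayed_only": 2}

# Constructed sample records (example.com users, documentation IPv6 range).
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","ipAddress":"2001:db8::10","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","ipAddress":"2001:db8::11","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","ipAddress":"2001:db8::20","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","ipAddress":"2001:db8::20","status":{"errorCode":50076}}
{"userPrincipalName":"carol@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","ipAddress":"2001:db8::30","status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"deviceCode","ipAddress":"2001:db8::40","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","appId":"00000000-0000-0000-0000-000000000000","authenticationProtocol":"ropc","ipAddress":"2001:db8::50","status":{"errorCode":50126}}
"""

def classify(error_code):
    """Map a sign-in result code to what it says about the password."""
    if error_code == 0:
        return "compromised"               # ROPC sign-in succeeded
    if error_code in VALID_PASSWORD_CODES:
        return "valid_credential_blocked"  # password correct, a later control held
    return "sprayed_only"                  # e.g. 50126, wrong password

def triage(lines):
    """Return (user, verdict, source IPs) for ROPC sign-ins to Azure CLI, most urgent first."""
    worst, sources = {}, defaultdict(set)
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        if rec.get("appId") != AZURE_CLI_APP_ID or rec.get("authenticationProtocol") != "ropc":
            continue  # other apps and interactive or device-code flows are out of scope
        user = rec["userPrincipalName"].lower()
        verdict = classify(rec["status"]["errorCode"])
        if RANK[verdict] < RANK.get(worst.get(user), len(RANK)):
            worst[user] = verdict  # keep the most serious outcome seen per user
        sources[user].add(rec["ipAddress"])
    rows = [(u, v, sorted(sources[u])) for u, v in worst.items()]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))

if __name__ == "__main__":
    for user, verdict, ips in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:26}{user:20}{', '.join(ips)}")
```

Accounts in the first two groups need a password reset and session review even when MFA or Conditional Access stopped the sign-in, because the password is known to the attacker.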
The recent surge in credential spray attacks, which have increased by over 155 times across Huntress-protected tenants, underscores the ongoing threats to cloud security. The rise of AI-powered attacks has made it increasingly challenging for organizations to stay ahead of threats, emphasizing the importance of robust security strategies and continuous training for employees.
In conclusion, this recent Azure CLI password spray attack serves as a stark reminder of the vulnerabilities present in cloud security and the need for proactive measures to address them. By understanding the tactics used by attackers and taking steps to improve their own security posture, organizations can minimize the risk of being compromised and protect their sensitive data from falling into the wrong hands.
Published: Wed Jul 1 11:32:06 2026 by llama3.2 3B Q4_K_M