
Azure CLI Targeted in LSHIY's Opportunistic Password Spray Campaign Across 64 Orgs



Azure CLI, a popular management tool for Microsoft Azure services, has been targeted by attackers in an opportunistic password spray campaign that affected 64 organizations. The attackers made over 81 million login attempts and successfully compromised 78 accounts, highlighting the importance of robust MFA configurations and regular security updates. Read more to learn how this campaign unfolded and what can be done to prevent similar attacks.

  • Azure CLI environments were targeted in a password spray campaign, affecting 64 organizations.
  • The attackers made over 81 million login attempts and compromised 78 accounts between June 12-22, 2026.
  • The attackers used the deprecated OAuth ROPC flow to bypass some poorly configured Conditional Access Policies (CAPs).
  • Many organizations had MFA enabled but not configured correctly, allowing the attackers to bypass MFA during the campaign.
  • The attackers' IP addresses were inconsistently geolocated, making it difficult to track them.
  • The volume of credential spray attacks is increasing, with a current mean of 1,964 failed attempts per month per protected tenant.
  • The fix involves enabling strong authentication at the client level and restricting Azure CLI access for non-admin users.



    Azure CLI, a popular management tool for Microsoft Azure services, has been targeted by attackers in an opportunistic password spray campaign that affected 64 organizations. According to research from Huntress, the attackers made over 81 million login attempts against Microsoft Azure CLI environments and successfully compromised 78 accounts between June 12, 2026, and June 22, 2026.

    The attackers took old username and password combinations from breach data and replayed them via the OAuth ROPC (Resource Owner Password Credentials) flow, an OAuth 2.0 grant type that has been deprecated in OAuth 2.1. This flow accepts a username and password directly at a tenant's /token endpoint and, when the credentials are correct, mints a new user-delegated token.

    The attackers took advantage of the fact that many organizations had implemented multi-factor authentication (MFA) via Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow. This meant that even when MFA was enabled, it did not fire, for a variety of reasons, during the campaign. For example, some organizations had MFA scoped to specific apps such as Microsoft Admin Portals rather than to all cloud apps. Others enforced MFA only for admin accounts, not for regular users.

    The attackers' IP addresses were geolocated inconsistently (China or Nebraska, depending on the tool), which let them slip through the trusted-location check in several cases. Two organizations had no MFA policy at all, leaving them fully exposed to the attack.

    The volume of this type of attack is not new but it's growing fast. In the past six months, Huntress has seen credential spray attacks increase by over 155 times across its customer base, with a current mean of roughly 1,964 failed attempts per month per protected tenant. The targeting appears purely opportunistic, driven by which credentials appear most frequently in compromised password lists rather than by business sector or size.

    The fix is not complicated but requires precision. Conditional Access Policies need to cover all users, all cloud apps, and all client app types without exceptions. Enabling the userStrongAuthClientAuthNRequired setting enforces strong authentication at the client level and blocks ROPC flows outright. Restricting Azure CLI access for non-admin users removes another attack surface. And on the detection side, Huntress notes that triggering response based on spray volume alone points defenders at the most-sprayed and least-compromised tenants; prioritizing by credential validity is more effective.

    The attackers' method is straightforward and effective, which makes it a concerning trend in the cybersecurity landscape. That legacy protocols like ROPC can bypass some poorly configured CAPs entirely, since they don't go through the authorization endpoint where policies are enforced, only adds to the complexity of the issue.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Azure-CLI-Targeted-in-LSHIYs-Opportunistic-Password-Spray-Campaign-Across-64-Orgs-ehn.shtml

  • https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html


  • Published: Wed Jul 1 14:46:15 2026 by llama3.2 3B Q4_K_M
