Password Spray Attack Compromises 78 Azure Accounts in 81 Million Attempts via Deprecated ROPC Flow
Updated · The Hacker News · Jul 1
Summary
Huntress said attackers compromised at least 78 Microsoft accounts across 64 organizations after more than 81 million Azure CLI login attempts between June 12 and June 26.
The campaign used the deprecated Resource Owner Password Credentials OAuth flow to bypass Conditional Access protections, exploiting old breached username-password pairs that had never been rotated.
June 22 marked the sharpest spike, with 30 identities hit across 23 businesses; from June 12 to 21, successful logins averaged two to four accounts a day, except for 12 on June 19.
Many victims had MFA or Conditional Access enabled, but policies often excluded Azure CLI ROPC logins by limiting enforcement to certain apps, user groups or locations; eight affected businesses had no MFA at all.
Most traffic came from an IPv6 range tied to LSHIY LLC, and Huntress said credential-spray volume across its customer base has surged more than 155-fold, underscoring broader weaknesses in legacy-auth and CAP configurations.
Between June 12 and June 26, 2026, a major password spray attack targeted Microsoft’s Azure Command-Line Interface (CLI). Attackers tried to access many accounts by using a small set of common passwords, aiming to find valid credentials without triggering account lockouts. The attack originated from a specific IPv6 address range linked to LSHIY, an internet infrastructure provider with global registrations in places like Hong Kong, Wuhan, and New York. This coordinated effort highlights how attackers use global infrastructure and password spray techniques to exploit cloud services, making detection and defense more challenging for organizations.
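The summary notes that many victims had MFA policies scoped to certain apps, user groups or locations, which left Azure CLI logins outside enforcement. The following is an added example, not code from Huntress or the article: a small audit that flags such scoping gaps in exported Conditional Access policies. Field names follow the Microsoft Graph conditionalAccessPolicy JSON shape; the helper `_policy`, the sample policies and the group id placeholder are constructed.

```python
# Added example: audit Conditional Access policies for MFA scoping gaps.
def mfa_scope_gaps(policy):
    """Return the reasons this policy does not force MFA on every sign-in."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("not enforced")
    grant = policy.get("grantControls") or {}
    if "mfa" not in grant.get("builtInControls", []):
        gaps.append("does not require MFA")
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    if "All" not in apps.get("includeApplications", []):
        gaps.append("limited to specific apps")
    if apps.get("excludeApplications"):
        gaps.append("excludes apps")
    users = cond.get("users") or {}
    if "All" not in users.get("includeUsers", []):
        gaps.append("limited to specific users or groups")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        gaps.append("excludes users or groups")
    locs = cond.get("locations") or {}
    if locs and ("All" not in locs.get("includeLocations", [])
                 or locs.get("excludeLocations")):
        gaps.append("limited by location")
    return gaps

def has_blanket_mfa(policies):
    # True only if at least one policy requires MFA with no scoping gap.
    return any(not mfa_scope_gaps(p) for p in policies)

def _policy(name, apps, users, locations=None, state="enabled"):
    # Hypothetical helper: builds a constructed policy in the Graph shape.
    return {"displayName": name, "state": state,
            "grantControls": {"builtInControls": ["mfa"]},
            "conditions": {"applications": apps, "users": users,
                           "locations": locations}}

SAMPLE_POLICIES = [  # constructed for illustration
    _policy("MFA for Office 365", {"includeApplications": ["Office365"]},
            {"includeUsers": ["All"]}),
    _policy("MFA for finance group", {"includeApplications": ["All"]},
            {"includeUsers": [], "includeGroups": ["<constructed-group-id>"]}),
    _policy("MFA outside trusted sites", {"includeApplications": ["All"]},
            {"includeUsers": ["All"]},
            {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", mfa_scope_gaps(p))
    print("blanket MFA policy present:", has_blanket_mfa(SAMPLE_POLICIES))
```

Intentional exclusions, such as emergency-access accounts, are reported too and need to be judged by hand.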