
Massive Azure CLI Password Spray Attack Compromises 78 Microsoft Accounts Across 64 Organizations

July 1, 2026

Cybersecurity researchers at Huntress have uncovered a massive, ongoing automated password spray attack targeting Microsoft’s Azure command-line interface (CLI). The campaign, active between June 12 and June 26, 2026, involved over 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations.

The attacks originate from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). The threat actor leveraged a deprecated OAuth flow called Resource Owner Password Credentials (ROPC) to bypass Conditional Access Policy (CAP) protections. ROPC, deprecated in OAuth 2.1, lets a client submit a username and password directly, which bypasses multi-factor authentication (MFA) when Conditional Access is not properly configured.

Huntress reported that the attacks averaged two to four compromised accounts daily between June 12 and 21, with spikes on June 19 (12 accounts) and June 22 (30 accounts). The targeting appears to be based on password prevalence on compromised combo lists, not on specific industries. Notably, eight impacted organizations had no MFA policy at all.

The campaign exploited scenarios where MFA was enforced only for specific apps or user groups, or only for non-trusted locations, and so failed to cover Azure CLI logins. Huntress observed a 155-fold surge in credential spray attacks across its customer base, with a mean of 1,964 failed attacks per month per protected tenant.

To mitigate such attacks, organizations should require MFA for All Users, All Cloud Apps, and All Client App types when enabling CAP, restrict the Azure CLI application for non-admin users, and prioritize response by credential validity. The incident highlights that legacy protocols like ROPC can bypass poorly configured CAPs entirely.
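A triage sketch for the last recommendation, prioritizing response by credential validity. This is an added example, not Huntress or Microsoft code; the flattened record fields and the sample records are constructed, and the grouping of AADSTS result codes assumes MFA and Conditional Access are evaluated after the password check.

```python
import ipaddress

SPRAY_NET = ipaddress.ip_network("2a0a:d683::/32")  # range named in the article
# AADSTS codes assumed to mean the password was right but MFA or Conditional
# Access stopped the sign-in (50076, 50079: MFA required; 53003: CA block).
VALID_BUT_BLOCKED = {50076, 50079, 53003}
RANK = {"failed": 0, "valid_password_blocked": 1, "compromised": 2}

def classify(error_code):
    if error_code == 0:
        return "compromised"             # token issued
    if error_code in VALID_BUT_BLOCKED:
        return "valid_password_blocked"  # password still needs a reset
    return "failed"                      # e.g. 50126, wrong password

def in_scope(rec):
    """Azure CLI ROPC sign-in from the reported source range?"""
    try:
        ip = ipaddress.ip_address(rec["ipAddress"])
    except ValueError:
        return False
    return (ip in SPRAY_NET and rec["authenticationProtocol"] == "ropc"
            and "azure cli" in rec["appDisplayName"].lower())

def triage(records):
    """Map each targeted user to the worst outcome seen for that account."""
    worst = {}
    for rec in filter(in_scope, records):
        user, outcome = rec["userPrincipalName"].lower(), classify(rec["errorCode"])
        if user not in worst or RANK[outcome] > RANK[worst[user]]:
            worst[user] = outcome
    return worst

def response_queue(records):
    """Users needing action, most urgent first; plain failures are omitted."""
    hits = {u: o for u, o in triage(records).items() if o != "failed"}
    return sorted(hits, key=lambda u: (-RANK[hits[u]], u))

def sample_record(user, ip, code, app="Microsoft Azure CLI", proto="ropc"):
    return {"userPrincipalName": user, "ipAddress": ip, "errorCode": code,
            "appDisplayName": app, "authenticationProtocol": proto}

SAMPLE = [  # constructed records, not real telemetry
    sample_record("alice@example.com", "2a0a:d683:1::5", 50126),
    sample_record("alice@example.com", "2a0a:d683:1::9", 0),
    sample_record("bob@example.com", "2a0a:d683:22::1", 53003),
    sample_record("carol@example.com", "2a0a:d683:22::1", 50126),
    sample_record("dave@example.com", "2001:db8::1", 0),  # outside the range
    sample_record("erin@example.com", "2a0a:d683::7", 0, "Other App", "oauth2"),
]
```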

CVEs: CVE-2026-20245

Companies: Huntress, Microsoft, LSHIY LLC

Products: Azure CLI