TL;DR
- what: A massive automated password spray against Microsoft Azure CLI made 81M+ login attempts between June 12-26, 2026, compromising 78 accounts across 64 organizations.
- impact: Attackers used the deprecated ROPC OAuth 2.0 grant, which can never satisfy an MFA prompt, to slip past Conditional Access in tenants where MFA was enabled but not enforced for all users, all cloud apps, and all client app types.
- fix: Require MFA for All Users, All Cloud Apps, and All Client App types in Conditional Access; restrict the Azure CLI application for users who have no operational need for it; rotate any credential that has appeared in a past breach.
- who: Any Microsoft/Entra ID tenant with gaps in its Conditional Access scope, weak MFA enforcement, or unrotated credentials from past breaches.
Between June 12 and June 26, 2026, a single threat actor threw more than 81 million login attempts at Microsoft's Azure command-line interface and walked away with at least 78 compromised accounts across 64 organizations. The campaign, tracked by Huntress, is still ongoing and stands out for one uncomfortable reason: many victim organizations had Conditional Access policies turned on and still got breached.
The activity originates from an IPv6 range (2a0a:d683::/32) belonging to infrastructure provider LSHIY LLC (AS32167). Some addresses resolve to the U.S., a few to China. Targeting was indiscriminate, driven entirely by password prevalence on breached combo lists rather than industry or business type. If your credentials were in an old dump and never rotated, you were a target.
How ROPC breaks Conditional Access
The technical core of this campaign is the Resource Owner Password Credentials (ROPC) flow, a legacy OAuth 2.0 grant type that has been dropped from OAuth 2.1. In ROPC the client application collects the user's username and password itself and posts them straight to the token endpoint in exchange for an access token. There is no redirect through the interactive authorization endpoint, so there is no point at which Entra ID can challenge for a second factor. A Conditional Access policy that requires MFA and actually matches the sign-in rejects the request outright, but a policy whose scope does not include that user, the Azure CLI client, or that client app type never fires, and the password alone is enough to obtain a token. A poorly scoped CAP is therefore not weakened by ROPC; it is simply never consulted.
Microsoft explicitly recommends against ROPC, noting that it is incompatible with MFA and 'requires a very high degree of trust in the application.' Attackers know this, and they weaponized Azure CLI sign-ins because MFA was frequently not enforced on that path at all, or was configured in a way that never covered a non-interactive, password-only sign-in.
⚠️ MFA enabled is not MFA enforced — Eight of the impacted businesses had no MFA at all. The rest had MFA but with gaps: enforced only for specific apps rather than All Cloud Apps, only for admin groups, or only from untrusted locations. ROPC drove straight through every one of those holes.
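The exchange described above, as an added example that is not part of the original post or of any Huntress or Microsoft code: the single POST an ROPC client makes to the Entra ID v2.0 token endpoint, and a classifier for the reply that tells a defender whether a test account's password alone was enough (a Conditional Access gap), whether the password was accepted but stopped by MFA, or whether the password was simply wrong. The tenant and account names are placeholders; the Azure CLI client ID is the published first-party one and should be confirmed against your own sign-in logs; the AADSTS codes are the documented ones for MFA required (50076, 50079), invalid credentials (50126), smart lockout (50053), disabled user (50057) and a Conditional Access block (53003). The replies in the `__main__` section are constructed so the block runs offline.

```python
"""Exercise the ROPC grant against the Entra ID v2.0 token endpoint and
classify the answer, so a tenant can verify that its Conditional Access
policy really fires for a password-only Azure CLI sign-in.

Added example, not code from the original post, Huntress or Microsoft.
Assumptions: tenant/account values are placeholders; the client ID is the
published first-party Azure CLI ID; AADSTS codes as documented by Microsoft.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Published first-party client ID of Azure CLI (verify in your sign-in logs).
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
SCOPE = "https://management.azure.com/.default openid"

MFA_REQUIRED = {50076, 50079}   # password accepted, MFA/CA stopped the token
BAD_PASSWORD = {50126}
LOCKED_OUT = {50053}
DISABLED = {50057}
CA_BLOCKED = {53003}


def ropc_request(tenant: str, username: str, password: str,
                 client_id: str = AZURE_CLI_CLIENT_ID) -> tuple[str, bytes]:
    """Build the one POST an ROPC client sends. Nothing here touches
    /authorize, so nothing can ever prompt for a second factor."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": SCOPE,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def classify(status: int, payload: dict) -> str:
    """Map a token-endpoint reply to the outcomes that matter: a sprayer
    keys on the same distinctions to decide which tenants are open."""
    if status == 200 and "access_token" in payload:
        return "TOKEN_ISSUED"        # password alone sufficed: CA scope gap
    codes = set(payload.get("error_codes", []))
    if codes & MFA_REQUIRED:
        return "MFA_REQUIRED"        # credential is valid and now known to be
    if codes & CA_BLOCKED:
        return "BLOCKED_BY_CA"
    if codes & LOCKED_OUT:
        return "LOCKED_OUT"
    if codes & DISABLED:
        return "DISABLED"
    if codes & BAD_PASSWORD:
        return "BAD_PASSWORD"
    return f"OTHER:{payload.get('error')}"


def probe(tenant: str, username: str, password: str) -> str:
    """Live check against a test account you own (needs network access)."""
    url, body = ropc_request(tenant, username, password)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return classify(err.code, json.load(err))


if __name__ == "__main__":
    # Constructed replies in the documented token-endpoint shape (offline).
    samples = [
        (200, {"token_type": "Bearer", "access_token": "eyJ..."}),
        (400, {"error": "interaction_required",
               "error_description": "AADSTS50076: ... must use multi-factor authentication",
               "error_codes": [50076]}),
        (400, {"error": "invalid_grant",
               "error_description": "AADSTS50126: Error validating credentials ...",
               "error_codes": [50126]}),
    ]
    for status, payload in samples:
        print(status, classify(status, payload))
```

Two things to notice when running this against a test account: the reply carries no prompt, only a verdict, and an `MFA_REQUIRED` verdict still confirms to the caller that the password was correct, which is why a sprayer keeps credentials that were "blocked" for reuse elsewhere and why they must be rotated.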
The attack cadence
From June 12 to 21, the operation was quiet and steady, compromising two to four accounts per day, with a spike of 12 identities on June 19. Then it escalated. On June 22, 30 identities across 23 businesses fell in a single day. The slow-burn phase likely reflects credential validation and tooling refinement before the operator opened the throttle.
Part of a much larger wave
This is not an isolated event. Huntress reports that credential spray volume across its customer base has surged more than 155-fold, with attacks spiking from late May through early June and a current mean of roughly 1,964 failed attempts per month per protected tenant. The campaign specifically weaponizes old breached username/password pairs that were never rotated, and the traffic is spread across several ASNs, so the single range above should not be treated as the whole of the actor's infrastructure.
What security teams should do now
- Configure Conditional Access to require MFA for All Users, All Cloud Apps, and All Client App types, closing the app-specific and group-specific gaps that ROPC exploits.
- Restrict the Azure CLI application for non-admin users who have no operational need for it.
- Block legacy authentication and disable ROPC wherever you control the client (for your own app registrations, leave public client flows turned off). Remember that ROPC never passes through the interactive authorization endpoint, so no MFA prompt can rescue a policy that fails to match it; the policy scope is the only control.
- Rotate credentials that may appear in past breach dumps, and treat any long-unrotated password as compromised.
- Prioritize incident response by credential validity: first the accounts that were actually issued a token, then the accounts whose password was accepted but stopped by MFA, then the rest. Hunt your sign-in logs for activity from the LSHIY LLC range 2a0a:d683::/32.
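The scope audit the first three items above call for, as an added example that is not code from the original post or from Microsoft: given a tenant's Conditional Access policies, decide whether a specific sign-in path, here a password-only Azure CLI sign-in by an ordinary user from an untrusted location, is matched by any enabled policy that requires MFA or blocks, and if not, report which condition each policy misses on. The policy dicts follow the Microsoft Graph conditionalAccessPolicy shape (`state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes`, `conditions.locations`, `grantControls.builtInControls`); the tenant below is constructed, only the built-in All/AllTrusted location selectors are modelled, and the example assumes an ROPC sign-in is reported under the mobileAppsAndDesktopClients client app type rather than as legacy authentication.

```python
"""Static scope check of Conditional Access policies against one concrete
sign-in path: a password-only (ROPC) Azure CLI sign-in by an ordinary user.

Added example; not code from the original post or from Microsoft. Policy
dicts mirror the Graph conditionalAccessPolicy shape; the tenant is
constructed; only the All/AllTrusted location selectors are modelled.
"""
from dataclasses import dataclass

# Published first-party client ID of Azure CLI; confirm it in your sign-in logs.
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


@dataclass
class SignIn:
    user_id: str
    groups: set
    app_id: str
    client_app_type: str = "mobileAppsAndDesktopClients"  # assumed for ROPC/CLI
    location_trusted: bool = False


def _users(c, s):
    u = c.get("users", {})
    if s.user_id in u.get("excludeUsers", []) or s.groups & set(u.get("excludeGroups", [])):
        return False
    inc = u.get("includeUsers", [])
    return "All" in inc or s.user_id in inc or bool(s.groups & set(u.get("includeGroups", [])))


def _apps(c, s):
    a = c.get("applications", {})
    if s.app_id in a.get("excludeApplications", []):
        return False
    inc = a.get("includeApplications", [])
    return "All" in inc or s.app_id in inc


def _client_types(c, s):
    types = c.get("clientAppTypes", ["all"])
    return "all" in types or s.client_app_type in types


def _locations(c, s):
    loc = c.get("locations")
    if not loc:                       # no location condition: always matches
        return True
    if s.location_trusted and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    inc = loc.get("includeLocations", [])
    return "All" in inc or (s.location_trusted and "AllTrusted" in inc)


CHECKS = (("users", _users), ("applications", _apps),
          ("clientAppTypes", _client_types), ("locations", _locations))


def enforces(p):
    """True if the policy's grant would stop a password-only sign-in."""
    return bool(set(p.get("grantControls", {}).get("builtInControls", [])) & {"mfa", "block"})


def audit(policies, s):
    """Return (covered, findings). covered is True when at least one enabled,
    enforcing policy matches the sign-in on every condition; findings explain
    why each other enforcing policy did not, which is the gap ROPC walks through."""
    covered, findings = False, []
    for p in policies:
        if not enforces(p):
            continue
        if p.get("state") != "enabled":
            findings.append(f"{p['displayName']}: state={p.get('state')} (not enforced)")
            continue
        misses = [name for name, check in CHECKS if not check(p["conditions"], s)]
        if misses:
            findings.append(f"{p['displayName']}: scope misses this sign-in on {misses}")
        else:
            covered = True
    return covered, findings


# Constructed tenant in the classic "MFA enabled but not enforced" state.
POLICIES = [
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-global-admins"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for Office 365 from untrusted", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# The fix the post recommends: All Users, All Cloud Apps, all client app types.
MFA_EVERYWHERE = {
    "displayName": "Require MFA for all", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["all"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

if __name__ == "__main__":
    staff = SignIn("u-1001", {"grp-all-staff"}, AZURE_CLI)
    for label, pols in (("before", POLICIES), ("after", POLICIES + [MFA_EVERYWHERE])):
        covered, findings = audit(pols, staff)
        print(f"{label}: covered={covered}")
        for f in findings:
            print("  -", f)
```

Run it against a real export of `GET /identity/conditionalAccess/policies` and iterate over the sign-in paths you actually see in the logs (every app ID, every client app type, trusted and untrusted) rather than the one path hard-coded here; a single uncovered combination is all the sprayer needs.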
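The hunt and triage step above, as an added example that is not code from the original post or from Huntress: it reads an export of Entra ID sign-in records, flags every attempt sourced from 2a0a:d683::/32, separates accounts that were actually issued a token from accounts whose password was accepted but stopped by MFA and from plain failures, and additionally surfaces any successful password-only (ROPC) Azure CLI sign-in from outside the range, since the post notes the traffic spans several ASNs. It assumes the Microsoft Graph signIn field names (`userPrincipalName`, `ipAddress`, `appId`, `authenticationProtocol`, `status.errorCode`) and the published Azure CLI client ID; the log lines are constructed.

```python
"""Hunt Entra ID sign-in exports for the spray described above: attempts from
2a0a:d683::/32 and password-only (ROPC) sign-ins to Azure CLI.

Added example, not code from the original post or from Huntress. Assumes
Graph signIn field names; SAMPLE_LOG is constructed, one JSON record per line.
"""
import ipaddress
import json
from collections import defaultdict

ACTOR_RANGE = ipaddress.ip_network("2a0a:d683::/32")   # LSHIY LLC range from the report
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"    # published Azure CLI client ID
MFA_BLOCKED = {50076, 50079}   # password accepted, MFA/CA stopped the token

# Constructed JSONL export in the Graph signIn shape.
SAMPLE_LOG = """
{"createdDateTime":"2026-06-22T03:10:01Z","userPrincipalName":"alice@contoso.com","ipAddress":"2a0a:d683:1::5","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:10:04Z","userPrincipalName":"alice@contoso.com","ipAddress":"2a0a:d683:1::5","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:11:40Z","userPrincipalName":"alice@contoso.com","ipAddress":"2a0a:d683:2::9","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":0}}
{"createdDateTime":"2026-06-22T03:12:02Z","userPrincipalName":"bob@contoso.com","ipAddress":"2a0a:d683:1::7","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:12:03Z","userPrincipalName":"bob@contoso.com","ipAddress":"2a0a:d683:1::7","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2026-06-22T03:13:15Z","userPrincipalName":"carol@contoso.com","ipAddress":"2a0a:d683:3::1","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":50076}}
{"createdDateTime":"2026-06-22T08:00:00Z","userPrincipalName":"dave@contoso.com","ipAddress":"2001:db8::10","appId":"11111111-2222-3333-4444-555555555555","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-06-22T09:30:00Z","userPrincipalName":"erin@contoso.com","ipAddress":"198.51.100.20","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"ropc","status":{"errorCode":0}}
"""


def parse_jsonl(text):
    """One signIn record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_actor_range(ip):
    """True for any address inside 2a0a:d683::/32; malformed input is False."""
    try:
        return ipaddress.ip_address(ip) in ACTOR_RANGE
    except ValueError:
        return False


def hunt(events):
    """Bucket sign-ins the way the response should be prioritised."""
    out = {
        "attempts_from_range": 0,
        "failed_per_user": defaultdict(int),       # plain failures from the range
        "compromised": set(),                      # token issued from the range
        "password_valid_mfa_blocked": set(),       # credential burned, rotate it
        "ropc_cli_success_elsewhere": set(),       # same technique, other source
    }
    for e in events:
        code = e.get("status", {}).get("errorCode", 0)
        upn = e["userPrincipalName"]
        cli_ropc = e.get("appId") == AZURE_CLI and e.get("authenticationProtocol") == "ropc"
        if from_actor_range(e.get("ipAddress", "")):
            out["attempts_from_range"] += 1
            if code == 0:
                out["compromised"].add(upn)
            elif code in MFA_BLOCKED:
                out["password_valid_mfa_blocked"].add(upn)
            else:
                out["failed_per_user"][upn] += 1
        elif cli_ropc and code == 0:
            out["ropc_cli_success_elsewhere"].add(upn)
    return out


if __name__ == "__main__":
    r = hunt(parse_jsonl(SAMPLE_LOG))
    print("attempts from actor range:", r["attempts_from_range"])
    print("1. token issued (contain now):", sorted(r["compromised"]))
    print("2. password valid, MFA blocked (rotate):", sorted(r["password_valid_mfa_blocked"]))
    print("3. ROPC CLI success from other sources:", sorted(r["ropc_cli_success_elsewhere"]))
    print("4. sprayed, no success:", dict(r["failed_per_user"]))
```

The ordering in the `__main__` output is the triage order: a token issued from the range is an active compromise, an MFA-blocked attempt means the password is known to the actor even though Conditional Access held, and a successful ROPC sign-in to Azure CLI from any source deserves a look because the range in the report is only the part of the infrastructure Huntress has published.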
The takeaway
The lesson here is not that MFA fails. It is that MFA and Conditional Access only work when their scope matches every authentication path an attacker can reach. Legacy protocols like ROPC are the seam. A policy that covers 'most' apps or 'most' users is a policy an automated sprayer will find and walk around. Audit your CAP coverage against the actual authorization flows in your tenant, and assume any credential that has ever leaked is being tried right now.
Originally published on RedEye Threat Intelligence.