Full Report
Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). "Between June 12 and June 26, the threat
Analysis Summary
# Incident Report: Automated Azure CLI Password Spray Campaign
## Executive Summary
A massive, automated password spray attack targeted Microsoft Azure CLI users, resulting in over 81 million login attempts within a two-week period. The threat actor successfully compromised 78 accounts across 64 organizations by exploiting the deprecated Resource Owner Password Credentials (ROPC) OAuth flow. This technique allowed attackers to bypass poorly configured Conditional Access Policies (CAP) and multi-factor authentication (MFA) requirements.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** June 12 – June 26, 2026
- **Affected Organization:** 64 distinct organizations
- **Sector:** Cross-industry (targeting based on credential prevalence)
- **Geography:** Global; attack infrastructure located in the U.S. and China
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced June 12, 2026.
- **Vector:** Automated Password Spraying.
- **Details:** Attackers utilized the deprecated ROPC flow via Azure CLI to test leaked credentials from historical data breaches.
### Lateral Movement
- **Details:** The report highlights successful authentication; however, specific lateral movement within the compromised tenants was not detailed in the source article beyond the compromise of 78 distinct identities.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to 78 Microsoft accounts. The scale of subsequent data theft or operational disruption depends on the specific permissions of the compromised identities.
### Detection & Response
- **How it was discovered:** Identified by Huntress researchers observing a 155x surge in credential spray activity across their protected tenant base.
- **Response actions taken:** Threat intelligence was released to warn organizations to audit Azure CLI usage and ROPC logs.
## Attack Methodology
- **Initial Access:** Password spraying using automated tools against Azure CLI.
- **Persistence:** Not specified, but generally achieved through the acquisition of valid OAuth tokens.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Use of the ROPC flow (OAuth 2.0), which often bypasses legacy MFA configurations and does not trigger interactive prompts.
- **Credential Access:** Weaponization of previously breached username/password "combo lists."
- **Discovery:** Mapping organizations with weak Conditional Access Policies.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed.
- **Impact:** Unauthorized account access and potential cloud resource exploitation.
## Impact Assessment
- **Financial:** Unknown; potential for significant costs related to remediation and potential "cryptojacking" if cloud resources were accessed.
- **Data Breach:** Compromise of 78 identities across 64 organizations.
- **Operational:** Risk of unauthorized changes to cloud infrastructure and service disruption.
- **Reputational:** High risk for organizations found to have misconfigured security policies (8 organizations had no MFA at all).
## Indicators of Compromise
- **Network indicators:**
  - `2a0a:d683::/32` (IPv6 range)
  - AS32167 (LSHIY LLC)
- **Behavioral indicators:**
  - Unusual volume of failed sign-in attempts for "Azure CLI" (App ID: `04b07795-8ddb-461a-bbee-02f9e1bf7b46`).
  - Successive sign-ins using the ROPC grant type (grant type `password`).
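As an added example (not part of the original report), the detection logic below runs the two behavioral indicators over a handful of constructed sign-in events: it flags source IPs that accumulate failed Azure CLI sign-ins across several distinct users or that fall inside the reported `2a0a:d683::/32` range, and it lists successful sign-ins that used the ROPC `password` grant. The event shape, the status-code semantics and the `spray_sources`/`likely_compromised` helpers are assumptions made for illustration.

```python
import ipaddress

# Taken from the report: the Azure CLI app id and the source IPv6 range.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
SPRAY_RANGE = ipaddress.ip_network("2a0a:d683::/32")

# Constructed sample sign-in events (not real log data). Fields loosely mirror
# Entra ID sign-in log columns: user, source IP, client app id, OAuth grant type
# and result code (0 = success, 50126 = invalid username or password).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "2a0a:d683:1::10", "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 50126},
    {"user": "bob@example.com",   "ip": "2a0a:d683:1::10", "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 50126},
    {"user": "carol@example.com", "ip": "2a0a:d683:1::10", "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 50126},
    {"user": "dave@example.com",  "ip": "2a0a:d683:1::10", "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 0},
    {"user": "alice@example.com", "ip": "203.0.113.7",     "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 50126},
    {"user": "erin@example.com",  "ip": "198.51.100.5",    "app_id": AZURE_CLI_APP_ID, "grant": "authorization_code", "status": 0},
    {"user": "frank@example.com", "ip": "2a0a:d683:2::5",  "app_id": AZURE_CLI_APP_ID, "grant": "password", "status": 50126},
]

def in_spray_range(ip):
    """True when the source address falls inside the reported IPv6 range."""
    return ipaddress.ip_address(ip) in SPRAY_RANGE

def spray_sources(records, threshold=3):
    """Source IPs with failed Azure CLI sign-ins against `threshold` or more
    distinct users (one user, many passwords is a different pattern), plus any
    failure originating from the reported range."""
    failed_users, flagged = {}, set()
    for r in records:
        if r["app_id"] != AZURE_CLI_APP_ID or r["status"] == 0:
            continue
        failed_users.setdefault(r["ip"], set()).add(r["user"])
        if in_spray_range(r["ip"]):
            flagged.add(r["ip"])
    flagged.update(ip for ip, users in failed_users.items() if len(users) >= threshold)
    return flagged

def ropc_successes(records):
    """Successful Azure CLI sign-ins that used the ROPC ('password') grant."""
    return [(r["user"], r["ip"]) for r in records
            if r["app_id"] == AZURE_CLI_APP_ID and r["grant"] == "password" and r["status"] == 0]

def likely_compromised(records, threshold=3):
    """Users whose successful ROPC sign-in came from a flagged spray source."""
    sources = spray_sources(records, threshold)
    return sorted(user for user, ip in ropc_successes(records) if ip in sources)

if __name__ == "__main__":
    print("spray sources:", sorted(spray_sources(SAMPLE_SIGNINS)))
    print("likely compromised:", likely_compromised(SAMPLE_SIGNINS))
```

On the sample data the single failure from `203.0.113.7` stays below the threshold and outside the range, so only the two range addresses are flagged and only `dave@example.com` is reported as a likely compromise.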
## Response Actions
- **Containment:** Organizations were advised to disable or restrict the Azure CLI application for non-administrative users.
- **Eradication:** Forced password resets for all accounts identified in the spray and revocation of active refresh tokens.
- **Recovery:** Auditing account activity for the period of compromise to ensure no backdoors were established.
## Lessons Learned
- **Key takeaways:** MFA is not a "silver bullet" if the authorization flow (like ROPC) is inherently insecure or bypassed.
- **Configuration Gaps:** Many organizations failed by only applying MFA to "Admins" or "Trusted Locations" rather than "All Cloud Apps" and "All Client Types."
## Recommendations
- **Enforce MFA for All:** Configure Conditional Access Policies to require MFA for "All Users" and "All Cloud Apps."
- **Disable ROPC:** Explicitly block the Resource Owner Password Credentials flow within Entra ID (Azure AD).
- **Client App Controls:** Within CAP, ensure "Mobile apps and desktop clients" are selected to cover non-interactive and CLI-based logins.
- **Credential Rotation:** Enforce mandatory password rotations for any account found in historical leak databases.
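As an added example (not from the report or from Microsoft), the audit below checks Conditional Access policy objects against the MFA, scope and client-app recommendations above, so a tenant can see which policy still leaves a CLI or ROPC sign-in uncovered. Both policies are constructed and shaped after the Microsoft Graph `conditionalAccessPolicy` resource; the role id placeholder and the `audit_mfa_policy` helper are assumptions.

```python
# Constructed Conditional Access policies (not from any real tenant), shaped after
# the Microsoft Graph conditionalAccessPolicy resource. WEAK_POLICY reproduces the
# gap the report describes (admins only, browser only, trusted locations excluded).
WEAK_POLICY = {
    "displayName": "MFA for admins (browser only)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeRoles": ["constructed-admin-role-id"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser"],
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}
STRONG_POLICY = {
    "displayName": "Require MFA: all users, all cloud apps, all client types",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "includeRoles": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}

def audit_mfa_policy(policy):
    """Return the coverage gaps that would let a CLI/ROPC sign-in skip MFA;
    an empty list means the policy matches the recommendations above."""
    gaps = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        gaps.append("policy is not enabled")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("does not require MFA")
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        gaps.append("not scoped to All users (admins-only leaves everyone else exposed)")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        gaps.append("not scoped to All cloud apps")
    # Azure CLI sign-ins are desktop-client traffic; a browser-only policy never applies.
    if not set(cond.get("clientAppTypes", [])) & {"all", "mobileAppsAndDesktopClients"}:
        gaps.append("does not cover mobile apps and desktop clients (Azure CLI / ROPC)")
    if cond.get("locations", {}).get("excludeLocations"):
        gaps.append("trusted-location exclusion lets sign-ins from those networks skip MFA")
    return gaps

def tenant_requires_mfa_everywhere(policies):
    """True when at least one policy closes every gap above."""
    return any(not audit_mfa_policy(p) for p in policies)
```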