2026-07-02 – Massive Password Spraying Campaign Targets Microsoft 365 Tenants via Azure CLI


Executive Summary

A massive credential-targeting campaign has hit Microsoft 365 enterprise tenants globally. Over a two-week period, unknown threat actors launched more than 81 million login attempts against Microsoft 365. This coordinated activity used a password spraying strategy against user accounts through the Azure Command Line Interface (CLI) and the Resource Owner Password Credentials (ROPC) OAuth flow. The campaign relied on lists of previously breached credentials, demonstrating that bulk brute-forcing remains a major attack vector for enterprise environments. Administrators are strongly advised to enforce multi-factor authentication (MFA) and audit sign-in logs for Azure CLI connection attempts.

Technical Deep-Dive and Incident Details

On July 1, 2026, security analysts disclosed details regarding a massive password spraying campaign targeting Microsoft 365 systems. Credential spraying is an attack vector where a list of common or leaked passwords is systematically tested against a large list of usernames (as opposed to brute-forcing multiple passwords against a single user, which triggers fast account lockouts).

In this specific campaign, the threat actors demonstrated high automation and scale:

* The Scale: Over 81 million authentication attempts were detected over the course of two weeks.

* The Protocol Abuse: The threat actors bypassed standard web-based browser logins by targeting the Azure CLI and using the Resource Owner Password Credentials (ROPC) OAuth flow. ROPC lets an application sign a user in by submitting their username and password directly, a flow that lacks the telemetry, geolocation checks, and browser-based risk detections of modern OAuth logins.

* IP Rotation: Attackers rotated source IPs extensively through distributed VPNs and proxy services to hide the bulk nature of the spray.

Despite the volume, the techniques used are not considered novel. Rather, the campaign stands out due to its sheer scale, utilizing automated credential-stuffing engines paired with massive lists of leaked credentials to find matching entry points.

Industry Impact and Security Risks

A successful breach of an enterprise Microsoft 365 credential provides a direct doorway into corporate cloud networks. Because Azure CLI provides full command-line management over Azure directories and resources, attackers who successfully authenticate can:

1. Initiate Business Email Compromise (BEC): Hijack executive mailboxes to intercept or divert invoices and financial wires.

2. Launch Internal Phishing: Send trusted phishing emails to other employees, propagating the threat throughout the organization.

3. Pivot to Global Admin: Enumerate tenant configurations, look for exposed API keys, and elevate privileges to take control of Azure subscriptions.

4. Exfiltrate Corporate Data: Harvest sensitive data from OneDrive, SharePoint, and Teams.

Recommendations and Mitigations for Administrators

To mitigate the risk of high-volume password spraying and Azure CLI ROPC abuse, enterprise administrators should adopt the following measures:

1. Enforce Strong Multi-Factor Authentication (MFA): Ensure phishing-resistant MFA is strictly required across all enterprise accounts. Single-factor logins are highly vulnerable to password spraying.

2. Block Legacy and ROPC Authentication: Turn off legacy protocols and disable the ROPC grant flow. Modern authentication flows (such as the Authorization Code flow) should always be used instead.

3. Monitor Microsoft Entra ID Sign-In Logs: Create automated detection alerts in Microsoft Entra ID to identify unusual volumes of Azure CLI sign-in requests, especially those utilizing the ROPC flow, coming from non-corporate networks, or flagged as “impossible travel” logins.

4. Enforce Conditional Access: Require that CLI and administrative sign-ins only be permitted from compliant devices or trusted, corporate-managed IP ranges.
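As an added example (not code from the original advisory), the detection described in recommendation 3 applied to a constructed batch of sign-in records: it keeps only Azure CLI sign-ins that used the ROPC flow, groups them by source IP, ignores a placeholder corporate range, and flags an IP that tried many distinct accounts a few times each, listing any account where an attempt succeeded. It assumes the Entra ID sign-in log field names appDisplayName, authenticationProtocol, ipAddress, userPrincipalName and status.errorCode, and that errorCode 0 denotes a successful sign-in.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Entra ID sign-in log entries; the field
# names follow that schema, the users, IPs and outcomes are invented.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.20", "status": {"errorCode": 50126}}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc", "ipAddress": "198.51.100.5", "status": {"errorCode": 50126}}
{"userPrincipalName": "erin@example.com", "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
"""

# Assumed corporate egress range (placeholder); use the tenant's own allow-list.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def parse_signins(text):
    """One JSON sign-in record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_ropc_spray(records, min_users=3, max_per_user=2):
    """Flag non-corporate IPs that try many distinct accounts over Azure CLI + ROPC,
    each only a few times; a successful sign-in marks a compromised account."""
    by_ip = defaultdict(list)
    for rec in records:
        if "Azure CLI" in rec.get("appDisplayName", "") and rec.get("authenticationProtocol") == "ropc":
            by_ip[rec["ipAddress"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        if is_corporate(ip):
            continue
        per_user = Counter(r["userPrincipalName"] for r in recs)
        # Not a spray if few targets, or one account hammered (plain brute force).
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue
        # errorCode 0 is a successful sign-in: the spray found a valid password.
        alerts[ip] = {
            "users": len(per_user),
            "attempts": len(recs),
            "failures": sum(1 for r in recs if r["status"]["errorCode"] != 0),
            "compromised": sorted({r["userPrincipalName"] for r in recs if r["status"]["errorCode"] == 0}),
        }
    return alerts
```

On the sample, only 203.0.113.10 is flagged (four accounts, one attempt each, one success); the single-account attempts from 203.0.113.20 and the corporate-range failures are left alone, and the browser SharePoint sign-in never enters the count.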