2026-07-02 – 81 Million Login Attempts: Automated Azure CLI Password Spray Bypasses MFA

Executive Summary

Cybersecurity researchers have raised the alarm over an exceptionally aggressive, automated password-spraying campaign targeting Microsoft 365 environments. Between June 12 and June 26, threat actors launched more than 81 million login attempts against enterprise tenants and compromised at least 78 user accounts across 64 organizations. Notably, the attackers authenticated through Microsoft's Azure Command-Line Interface (CLI) and bypassed Multi-Factor Authentication (MFA) by using the Resource Owner Password Credentials (ROPC) OAuth flow, which legacy tenant configurations had left unprotected.

Deep-Dive Technical Analysis

Password spraying is a brute-force technique in which an attacker tries a small list of common passwords against a large list of usernames, staying below the per-account lockout thresholds that a conventional brute-force attack on a single account would trigger.

The mechanics of this massive campaign reveal sophisticated, automated tradecraft:

* Targeting the Azure CLI: The threat actors attempted to authenticate specifically as Microsoft's Azure CLI client. Azure CLI is a widely used cloud-management tool, which makes it a high-value entry point for attackers.

* Abusing ROPC OAuth Flows: To sidestep modern authentication protections, the attackers used the Resource Owner Password Credentials (ROPC) grant. ROPC lets an application sign a user in by submitting their username and password directly to the identity provider. Crucially, ROPC has no step in which an interactive Multi-Factor Authentication (MFA) challenge could be completed.

* Exploiting Conditional Access Gaps: Many organizations use Conditional Access (CA) policies to enforce MFA but fail to block non-interactive flows such as ROPC. By spraying credentials through ROPC as the Azure CLI, the attackers never triggered an interactive MFA prompt and obtained direct programmatic access to the accounts whose passwords they guessed.

* Distributed Source Infrastructure: Researchers traced the vast majority of the 81 million attempts to IPv6 address ranges controlled by the internet infrastructure hosting provider LSHIY LLC (AS32167), indicating a coordinated, distributed proxy network built to evade geolocation and IP-reputation blocks.
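The Conditional Access gap described in the list above can be checked mechanically. What follows is an added example, not code from the original article, from Huntress, or from Microsoft: a small Python checker over policies written in the Microsoft Graph conditionalAccessPolicy shape (displayName, state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls). The caveat it encodes is that Conditional Access does not treat ROPC as legacy authentication: an ROPC sign-in is evaluated as mobileAppsAndDesktopClients traffic, so the common "block legacy authentication" policy (which targets only exchangeActiveSync and other clients) never sees it, whereas a policy that requires MFA for all users and all cloud apps does stop it, because ROPC cannot satisfy an MFA grant control. The three sample policies are constructed, the admin role ID is a placeholder, and the simplification that excludeUsers is ignored is an assumption stated in the code.

```python
"""Check whether a tenant's Conditional Access policies would stop an ROPC sign-in.

Policies are dicts in the Microsoft Graph conditionalAccessPolicy shape.
Simplification (assumption): excludeUsers/excludeGroups are ignored, so a
policy that covers "All" users is treated as covering every account. In a
real review, exclusions are exactly where a spray slips through.
"""

# ROPC sign-ins are evaluated by Conditional Access as mobile/desktop client
# traffic, NOT as the "other" (legacy/basic-auth) client app type.
ROPC_CLIENT_APP_TYPE = "mobileAppsAndDesktopClients"
ROLE_ID_PLACEHOLDER = "<admin-role-template-id>"  # placeholder, not a real ID


def policy_covers_ropc(policy):
    """Return (True, "") if this policy forces MFA or blocks an ROPC sign-in
    for every user to every cloud app, otherwise (False, reason)."""
    if policy.get("state") != "enabled":
        return False, "policy not enabled"
    conds = policy.get("conditions", {})
    if "All" not in conds.get("users", {}).get("includeUsers", []):
        return False, "does not include all users"
    # CA targets the resource the client asks for (e.g. Azure Resource
    # Manager), not the Azure CLI client itself; "All" avoids missing one.
    if "All" not in conds.get("applications", {}).get("includeApplications", []):
        return False, "does not include all cloud apps"
    client_types = set(conds.get("clientAppTypes", []))
    if not client_types & {"all", ROPC_CLIENT_APP_TYPE}:
        return False, "client app types exclude mobile/desktop clients (ROPC is not legacy auth)"
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    # ROPC has no way to complete an MFA challenge, so requiring MFA fails
    # the sign-in just as an outright block would.
    if not controls & {"mfa", "block"}:
        return False, "grant controls neither require MFA nor block"
    return True, ""


def tenant_covers_ropc(policies):
    """True if at least one policy in the set stops ROPC for all users."""
    return any(policy_covers_ropc(p)[0] for p in policies)


def gaps(policies):
    """Map each non-covering policy's displayName to the reason it falls short."""
    report = {}
    for p in policies:
        ok, reason = policy_covers_ropc(p)
        if not ok:
            report[p["displayName"]] = reason
    return report


# Constructed policies mirroring a common weak baseline.
BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
MFA_FOR_ADMINS = {
    "displayName": "Require MFA for admin roles",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeRoles": [ROLE_ID_PLACEHOLDER]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# The corrected addition: MFA for everyone, every app, every client type.
REQUIRE_MFA_ALL_USERS = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

WEAK_TENANT = [BLOCK_LEGACY_AUTH, MFA_FOR_ADMINS]
HARDENED_TENANT = WEAK_TENANT + [REQUIRE_MFA_ALL_USERS]

if __name__ == "__main__":
    for name, policies in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(f"{name}: ROPC stopped = {tenant_covers_ropc(policies)}; gaps = {gaps(policies)}")
```

Run against the weak set, the checker reports no covering policy and explains why each one misses: the legacy-auth block never evaluates mobile/desktop clients, and the admin policy scopes by role rather than all users. Adding the all-users MFA policy flips the result, which is the configuration change the analysis above is really about.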

Industry Impact and Recommendations

This campaign demonstrates how exposed legacy authentication protocols leave a tenant. A single compromised Azure account can give threat actors an administrative foothold from which to deploy ransomware, intercept internal communications, exfiltrate sensitive cloud storage, or create unauthorized administrative accounts for long-term persistence.

We advise all cloud administrators and CISOs to enforce the following defensive measures immediately:

1. Disable Legacy and ROPC Authentication: Block the use of Resource Owner Password Credentials (ROPC) flows entirely in your Microsoft Entra ID (formerly Azure AD) configuration. There is rarely a legitimate business case for ROPC in a modern, secure cloud environment.

2. Review Conditional Access (CA) Policies: Ensure CA policies block all legacy authentication protocols, and enforce Modern Authentication with interactive, phishing-resistant MFA (such as FIDO2 or Microsoft Authenticator) for all Azure CLI connections.

3. Audit Entra Sign-in Logs: Search your Microsoft Entra ID sign-in logs for successful and failed sign-ins that use the Azure CLI application ID and originate from unknown IP ranges (especially AS32167/LSHIY LLC).

4. Implement Geofencing and IP Whitelisting: Restrict administrative CLI and API access to pre-authorized corporate IP addresses or secure VPN gateways, so that a globally distributed spray never reaches the sign-in endpoint from a trusted source.
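To make the sign-in log audit in item 3 concrete, here is an added example in Python (not from the article, from Huntress, or from Microsoft) that runs spray-detection logic over constructed sign-in records laid out like Microsoft Graph signIn objects (userPrincipalName, ipAddress, appId, authenticationProtocol, status.errorCode, autonomousSystemNumber, createdDateTime). It collapses each source address to a prefix, counts invalid-password ROPC failures against the Azure CLI per prefix, flags prefixes that touch many accounts with few tries each (the spray signature from the analysis above), and then reports any ROPC success from a flagged prefix as a probable compromise. Assumptions: the Azure CLI app ID is the well-known first-party value and should be confirmed against the appId values in your own logs; error code 50126 is Entra's invalid-username-or-password result; the IPv6 prefix 2001:db8::/32 and ASN 64496 are documentation values standing in for the attacker ranges the article names.

```python
"""Spray detection over Entra ID sign-in records (Microsoft Graph signIn shape)."""
import ipaddress
from collections import defaultdict

# Well-known first-party Azure CLI application ID (assumption: confirm it
# against the appId values in your own sign-in logs before relying on it).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
INVALID_CREDENTIALS = 50126  # Entra error code: invalid username or password
SUCCESS = 0


def _rec(upn, ip, asn, proto, code, when, app_id=AZURE_CLI_APP_ID):
    """Build one record with the Graph signIn field names this script reads."""
    return {
        "userPrincipalName": upn, "ipAddress": ip, "autonomousSystemNumber": asn,
        "appId": app_id, "authenticationProtocol": proto,
        "status": {"errorCode": code}, "createdDateTime": when,
    }


# Constructed sample: one pass of a low-and-slow ROPC spray from a documentation
# IPv6 prefix (2001:db8::/32, ASN 64496), a later hit on one account, plus
# benign interactive sign-ins from a corporate IPv4 address (203.0.113.10).
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2001:db8:1:a::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:00Z"),
    _rec("bob@example.com",   "2001:db8:1:b::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:02Z"),
    _rec("carol@example.com", "2001:db8:1:c::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:04Z"),
    _rec("dana@example.com",  "2001:db8:1:d::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:06Z"),
    _rec("erin@example.com",  "2001:db8:1:e::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:08Z"),
    _rec("frank@example.com", "2001:db8:1:f::1", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T01:00:10Z"),
    _rec("alice@example.com", "2001:db8:1:a::2", 64496, "ropc", INVALID_CREDENTIALS, "2026-06-13T02:00:00Z"),
    _rec("dana@example.com",  "2001:db8:1:d::2", 64496, "ropc", SUCCESS,             "2026-06-13T02:00:06Z"),
    # An engineer mistyping a password twice in an interactive `az login`.
    _rec("alice@example.com", "203.0.113.10", 64500, "oAuth2", INVALID_CREDENTIALS, "2026-06-13T09:00:00Z"),
    _rec("alice@example.com", "203.0.113.10", 64500, "oAuth2", INVALID_CREDENTIALS, "2026-06-13T09:00:20Z"),
    _rec("alice@example.com", "203.0.113.10", 64500, "oAuth2", SUCCESS,             "2026-06-13T09:00:45Z"),
]


def source_key(ip):
    """Collapse a source address to a prefix (/48 for IPv6, /24 for IPv4) so a
    spray rotating through addresses inside one allocation is counted once."""
    addr = ipaddress.ip_address(ip)
    prefix = 48 if addr.version == 6 else 24
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network)


def find_spray_sources(records, min_users=5, max_avg_per_user=3.0):
    """Return {prefix: set(targeted users)} for prefixes whose ROPC + Azure CLI
    invalid-password failures hit many accounts with few tries each."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        if (r["appId"] == AZURE_CLI_APP_ID
                and r["authenticationProtocol"] == "ropc"
                and r["status"]["errorCode"] == INVALID_CREDENTIALS):
            key = source_key(r["ipAddress"])
            attempts[key] += 1
            users[key].add(r["userPrincipalName"])
    return {
        key: targeted for key, targeted in users.items()
        if len(targeted) >= min_users and attempts[key] / len(targeted) <= max_avg_per_user
    }


def flag_successes(records, spray_sources):
    """Any ROPC success from a prefix already seen spraying is a probable hit;
    returns [(user, ip, time)] ordered by time."""
    hits = [
        (r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
        for r in records
        if r["authenticationProtocol"] == "ropc"
        and r["status"]["errorCode"] == SUCCESS
        and source_key(r["ipAddress"]) in spray_sources
    ]
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    sources = find_spray_sources(SAMPLE_SIGNINS)
    for prefix, targeted in sources.items():
        print(f"spray source {prefix}: {len(targeted)} accounts targeted")
    for user, ip, when in flag_successes(SAMPLE_SIGNINS, sources):
        print(f"PROBABLE COMPROMISE {user} from {ip} at {when}")
```

On the sample data the /48 is flagged after six distinct accounts see roughly one failure each, and Dana's later ROPC success from the same prefix is surfaced as the compromise to investigate, while Alice's two interactive mistakes from the corporate address are ignored because they are neither ROPC nor spread across users. The thresholds are deliberately parameters: a campaign of this scale would be obvious, but the same logic catches a slower spray if min_users is set against your own baseline of distinct accounts per source.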

References

* The Hacker News

* Huntress Security Blog