Cybersecurity researchers have uncovered a massive password spray campaign targeting Microsoft’s Azure Command-Line Interface (Azure CLI). According to Huntress, the attackers carried out more than 81 million login attempts between June 12 and June 26. The campaign successfully compromised at least 78 Microsoft user accounts across 64 different organizations. Researchers believe the attack is still active and organizations should remain on high alert.


The attack mainly originated from an IPv6 address range linked to internet infrastructure provider LSHIY LLC. Investigators said the attackers were not focusing on any particular industry or business sector. Instead, they targeted accounts that were using passwords commonly found in previously leaked credential databases. This made organizations with weak or reused passwords especially vulnerable.

What makes this campaign more concerning is that many affected organizations already had Conditional Access policies enabled. The attackers managed to bypass these protections by abusing an old OAuth authentication method known as Resource Owner Password Credentials (ROPC). Since this legacy authentication flow does not always trigger Conditional Access checks, it created an opportunity for attackers to gain unauthorized access.


ROPC allows users to send their username and password directly to an application, which then requests an access token from the authorization server. This authentication method has been deprecated in OAuth 2.1 because it carries significant security risks. Microsoft has also advised customers to avoid using ROPC whenever possible, as it does not work well with modern security features like multi-factor authentication.

Researchers observed that successful account compromises occurred almost every day during the attack period. Most days saw between two and four compromised accounts, but activity increased sharply on June 22. On that single day, attackers successfully accessed 30 identities belonging to 23 different organizations, showing a sudden rise in the effectiveness of the campaign.


Huntress also reported that password spray activity across its customer base has increased by more than 155 times in recent months. The attackers appear to be relying on old username and password combinations that were exposed in previous data breaches but never changed by users. Because many organizations had incomplete or improperly configured security policies, these older credentials continued to provide attackers with a way inside.

The investigation found several common security gaps that helped the attackers succeed. Some organizations applied multi-factor authentication only to administrators or selected applications instead of all cloud services. Others only required MFA for logins from unfamiliar locations, while eight of the affected organizations had no MFA protection enabled at all. These configuration weaknesses allowed the attack to bypass existing defenses.


To reduce the risk of similar attacks, researchers recommend enforcing multi-factor authentication for all users, all cloud applications, and every client application type. Organizations should also limit Azure CLI access for users who do not require it and regularly review Conditional Access policies to ensure they cover legacy authentication methods. The researchers concluded that properly configured security controls remain one of the most effective ways to stop password spray attacks before they succeed.
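The pattern described above, many failed sign-ins spread across distinct accounts from one IPv6 range, with an occasional success over the ROPC flow, is something defenders can spot in sign-in telemetry. The following detection sketch is an added example, not code from Huntress or Microsoft; the event records and field names (user, ip, protocol, status) are constructed for this illustration and are loosely modelled on, not identical to, Entra ID sign-in log fields.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in events (assumed field names, not a real log export).
# Six different accounts fail from one IPv6 /64 over ROPC, one later succeeds;
# one legitimate user mistypes a password twice from an unrelated IPv4 address.
SPRAY_SOURCE = ["2001:db8:aa::%x" % i for i in range(1, 7)]
TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank"]
EVENTS = [
    {"user": f"{u}@contoso.example", "ip": ip, "protocol": "ropc", "status": "failure"}
    for u, ip in zip(TARGETS, SPRAY_SOURCE)
] + [
    {"user": "dave@contoso.example", "ip": "2001:db8:aa::9", "protocol": "ropc", "status": "success"},
    {"user": "grace@contoso.example", "ip": "203.0.113.7", "protocol": "authorizationCode", "status": "failure"},
    {"user": "grace@contoso.example", "ip": "203.0.113.7", "protocol": "authorizationCode", "status": "failure"},
]


def prefix_of(ip, v6_bits=64, v4_bits=24):
    """Collapse a source address to its network so that a spray rotating through
    one provider's IPv6 range is counted as a single source."""
    addr = ipaddress.ip_address(ip)
    bits = v6_bits if addr.version == 6 else v4_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def detect_spray(events, min_users=5):
    """Flag source prefixes whose failures touch at least min_users distinct
    accounts (many users, few attempts each is the spray signature, as opposed to
    one user failing repeatedly). For each flagged prefix, report the accounts
    that later succeeded from it and whether the legacy ROPC flow was used."""
    failed, succeeded, used_ropc = defaultdict(set), defaultdict(set), defaultdict(bool)
    for e in events:
        p = prefix_of(e["ip"])
        if e["protocol"] == "ropc":
            used_ropc[p] = True
        (succeeded if e["status"] == "success" else failed)[p].add(e["user"])
    alerts = {}
    for p, users in failed.items():
        if len(users) >= min_users:
            alerts[p] = {"users_tried": len(users),
                         "compromised": sorted(succeeded[p]),
                         "ropc": used_ropc[p]}
    return alerts


if __name__ == "__main__":
    for prefix, info in detect_spray(EVENTS).items():
        print(f"spray from {prefix}: {info}")
```

A successful sign-in from a prefix that is also generating multi-account failures is the record to triage first; in the constructed data that is the one account compromised over ROPC.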

Stay alert, and keep your security measures updated!
