A large-scale password spray campaign targeted Microsoft 365 environments through Azure CLI logins, generating more than 81 million authentication attempts and compromising at least 78 accounts across 64 organizations, according to Huntress. The attackers abused the deprecated OAuth Resource Owner Password Credentials (ROPC) flow to validate stolen username-password pairs and obtain user-delegated tokens, relying on previously breached credentials that had not been rotated.
The activity was observed between mid and late June and in some cases succeeded even where MFA and Conditional Access were enabled, because policies were misconfigured or did not fully cover Azure CLI ROPC authentication. Huntress said most attempts originated from the IPv6 range 2a0a:d683::/32, associated with LSHIY LLC (AS32167), and reported a more than 155-fold increase in credential-spray volume across its customer base over six months. Defenders were urged to enforce MFA for all users, cloud apps, and client app types, and to restrict Azure CLI access for non-admin users.

5 events from the most recent confirmed update back to the earliest known activity.
Huntress reported the observed login activity to hosting provider LSHIY LLC, which was linked to most of the attack traffic via AS32167. According to the report, Huntress received no response.
Huntress said the campaign activity continued through June 26, 2026. Across that broader window, most observed activity came from the IPv6 range 2a0a:d683::/32 associated with LSHIY LLC (AS32167).
On 2026-06-22, the Azure CLI password spray campaign surged, compromising 30 user accounts across 23 businesses in a single day. Huntress said 15 of those organizations believed Conditional Access policies enforcing MFA would protect them, highlighting policy gaps around the ROPC flow.
During the observed campaign window, attackers made more than 81 million login attempts against Microsoft 365 environments through Azure CLI and compromised at least 78 Microsoft accounts across 64 organizations. The campaign succeeded in some environments with MFA and Conditional Access enabled because policies were misconfigured or did not fully cover the ROPC flow.
Huntress observed the start of a large-scale automated password spray campaign targeting Microsoft Azure CLI logins and abusing the deprecated OAuth Resource Owner Password Credentials (ROPC) flow. The activity relied on previously breached username/password combinations to validate credentials and obtain user-delegated tokens.
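A triage sketch for the pattern described above, added here as an example and not taken from Huntress or any vendor tooling: it filters sign-in records for Azure CLI ROPC authentication, checks the source address against the reported range 2a0a:d683::/32, and flags users whose ROPC sign-in succeeded with a single factor, which is the policy gap the report highlights. The record field names (`appId`, `authenticationProtocol`, `authenticationRequirement`, `errorCode`, `ipAddress`, `userPrincipalName`) are assumed to follow the Entra ID sign-in log export, and all sample events are constructed.

```python
import ipaddress
from collections import defaultdict

CAMPAIGN_NET = ipaddress.ip_network("2a0a:d683::/32")      # range named in the report
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI public client ID

# Constructed sample sign-in records. Field names are assumed to follow the
# Entra ID sign-in log export; errorCode 0 means the sign-in succeeded.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "ipAddress": "2a0a:d683:1::a",
     "errorCode": 50126, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@example.com", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "ipAddress": "2a0a:d683:1::b",
     "errorCode": 0, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "ipAddress": "2a0a:d683:2::c",
     "errorCode": 50126, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "oAuth2", "ipAddress": "2001:db8::5",
     "errorCode": 0, "authenticationRequirement": "multiFactorAuthentication"},
]

def in_campaign_range(ip):
    try:
        return ipaddress.ip_address(ip) in CAMPAIGN_NET
    except ValueError:  # malformed or empty address field
        return False

def triage(events):
    """Summarise Azure CLI ROPC sign-ins per user and flag MFA policy gaps."""
    users = defaultdict(lambda: {"failed": 0, "succeeded": 0,
                                 "campaign_ip": False, "mfa_gap": False})
    for ev in events:
        proto = str(ev.get("authenticationProtocol", "")).lower()
        if ev.get("appId") != AZURE_CLI_APP_ID or proto != "ropc":
            continue
        u = users[ev["userPrincipalName"]]
        ok = ev.get("errorCode") == 0
        u["succeeded" if ok else "failed"] += 1
        u["campaign_ip"] = u["campaign_ip"] or in_campaign_range(ev.get("ipAddress", ""))
        # A successful single-factor ROPC sign-in means no MFA policy applied.
        if ok and ev.get("authenticationRequirement") == "singleFactorAuthentication":
            u["mfa_gap"] = True
    return dict(users)

def mfa_gap_users(events):
    """Users whose ROPC sign-in succeeded without MFA: candidates for review."""
    return sorted(u for u, s in triage(events).items() if s["mfa_gap"])
```

A user returned by `mfa_gap_users` with `campaign_ip` set is the case to prioritise for credential rotation and token revocation; failed-only entries show which accounts were sprayed.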