A massive password-spraying campaign has been targeting Microsoft 365 accounts, generating over 81 million login attempts over a two-week period. The threat actor replayed valid username and password combinations exposed in past breaches, attempting authentication through Microsoft’s Azure command-line interface (CLI). Once authenticated, the attacker took advantage of weaknesses in Conditional Access policies, bypassing multi-factor authentication (MFA) in many environments.
The campaign was observed by managed cybersecurity company Huntress, which confirmed that 78 Microsoft accounts across 64 organizations were compromised. Huntress attributes the success of the attack to insecure Conditional Access policies, specifically misconfigurations such as applying MFA only to specific applications or user groups. In some cases, there was no MFA policy at all.
Microsoft’s Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, and automate cloud operations. However, the ROPC (Resource Owner Password Credentials) OAuth grant, which authenticates with a bare username and password, is problematic because it does not support modern authentication flows such as MFA or Single Sign-On (SSO). This means that even if MFA is implemented, an attacker can still bypass it by sending the password directly to the /token endpoint.
Huntress notes a significant increase in password-spraying attacks, with organizations averaging 1,964 failed login attempts per tenant each month. The researchers attribute this surge to the growing popularity of cloud-based services and the increasing difficulty of securing them. It’s unclear who is behind the latest campaign, but Huntress has identified an IPv6 range owned by LSHIY LLC (AS32167) as the origin of the activity.
The findings highlight the importance of regularly reviewing and updating Conditional Access policies to ensure that MFA is applied universally across all cloud apps and user groups. Organizations should also test their security controls regularly, including their SIEM and EDR rules, to prevent similar attacks from slipping through detection.
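As an added illustration (not from the article or the Huntress report), here are the two checks a defender would run over Entra ID sign-in logs for the ROPC flow described above and the detection testing recommended here: flag source addresses that try many distinct accounts within a short window, and surface successful ROPC sign-ins that no Conditional Access policy evaluated. Field names follow the Microsoft Graph signIn resource; the records and addresses are constructed sample data, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra ID sign-in records (values are made up).
# errorCode 50126 = invalid username or password; 0 = success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-20T10:00:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "2001:db8::10", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-06-20T10:00:09Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "2001:db8::10", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-06-20T10:00:14Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "2001:db8::10", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},   # landed, no CA policy
    {"createdDateTime": "2026-06-20T10:30:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Office 365 SharePoint Online",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},                                           # normal interactive sign-in
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def spray_sources(records, min_users=3, window=timedelta(minutes=10)):
    """Return {ip: distinct_users} for IPs that hit >= min_users accounts inside `window`.
    Successes count too: a spray that finally lands is still a spray."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_ip[rec["ipAddress"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        for i, start in enumerate(recs):
            users = {r["userPrincipalName"] for r in recs[i:] if _ts(r) - _ts(start) <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged

def ropc_without_ca(records):
    """Successful ROPC sign-ins (e.g. Azure CLI) that no Conditional Access policy
    evaluated, i.e. the MFA gap this campaign relied on. Returns (user, ip) pairs."""
    return [(r["userPrincipalName"], r["ipAddress"]) for r in records
            if r["authenticationProtocol"] == "ropc"
            and r["status"]["errorCode"] == 0
            and r["conditionalAccessStatus"] == "notApplied"]
```

Pointing `spray_sources` at a day of exported sign-in logs and treating any non-empty result from `ropc_without_ca` as a policy finding gives a quick test of whether the SIEM rules mentioned above would have caught this activity.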
Source: Bleeping Computer — 2026-07-01