81M Login Attempts: Massive Azure CLI Password Spray Campaign
Attackers exploited deprecated OAuth ROPC flow to bypass MFA, compromising 78 accounts across 64 organizations. Attack originated from Hong Kong and China infrastructure.
A coordinated password spray campaign targeting Microsoft Azure CLI authentication compromised 78 user accounts across 64 organizations over a ten-day window in June, with attackers leveraging a deprecated OAuth flow to sidestep multi-factor authentication entirely.
SecurityWeek reports that researchers observed over 81 million authentication attempts between June 12 and 21, part of a broader 155x increase in credential spray attacks over the past six months. The campaign exploited a fundamental weakness in how legacy OAuth authentication handles MFA enforcement.
The ROPC Problem
The attack succeeded because Azure CLI supports OAuth 2.0's Resource Owner Password Credentials (ROPC) flow—a deprecated authentication method that sends passwords directly to token endpoints without interactive MFA prompts.
ROPC exists for backwards compatibility with legacy applications that can't handle modern authentication flows. But that compatibility comes at a cost: it creates an authentication path that bypasses the MFA protections organizations believe are protecting their accounts.
When attackers send valid credentials via ROPC, they receive tokens without ever hitting an MFA challenge. The user's MFA settings exist. The policy says MFA is required. But the legacy flow provides a workaround that threat actors are now exploiting at industrial scale.
This isn't the first time deprecated authentication methods have undermined modern security controls. Similar bypass techniques have affected enterprise VPN infrastructure where legacy protocols remained enabled alongside newer protections.
Attack Infrastructure
Researchers traced the campaign to infrastructure associated with LSHIY LLC, with connections to autonomous systems in Hong Kong, Wuhan, China, and New York. The threat actors used IPv6 address ranges across multiple autonomous systems, rotating through infrastructure to avoid rate limiting and detection.
Abuse reports sent to the hosting providers went unanswered.
The attack pattern showed consistent daily activity: 2-4 accounts compromised per day on average, with a spike of 23 organizations affected on June 22 alone. The steady pace suggests automated tooling with throttling designed to stay below detection thresholds while maintaining persistent pressure.
MFA Isn't Enough If Coverage Is Incomplete
Analysis of the compromised organizations revealed a common thread: incomplete MFA coverage. Eight organizations lacked MFA entirely. Others enforced it selectively—by user group, application, or network location—leaving gaps that ROPC authentication slipped through.
The lesson here extends beyond Azure CLI. Any legacy authentication flow that predates modern MFA integration represents a potential bypass opportunity. Organizations assuming their MFA policies provide complete protection may be overlooking the authentication paths that don't honor those policies.
Microsoft has been moving to deprecate ROPC and similar legacy flows for years. OAuth 2.1 removes support for ROPC entirely. But enterprise environments often retain legacy flows for compatibility reasons, creating exactly the gaps this campaign exploited.
Remediation Steps
Organizations should take several immediate actions:
- Audit OAuth flow usage - Identify which applications and service principals authenticate via ROPC or other legacy methods
- Extend MFA to all flows - Configure Conditional Access policies to require MFA for legacy authentication explicitly, not just interactive sign-ins
- Block legacy authentication - Where possible, disable ROPC and other deprecated flows at the tenant level
- Monitor for spray patterns - Watch for distributed authentication failures that indicate credential testing
- Review Azure CLI usage - Understand which users and automation rely on CLI authentication and whether ROPC is involved
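The two detections the article calls for, spotting the spray pattern and finding ROPC token issuance that never satisfied MFA, can be run over Entra ID sign-in logs. The following Python is an added example, not code from the article or from Microsoft. It assumes sign-in records shaped like the Microsoft Graph signIn resource (fields such as `authenticationProtocol`, `authenticationRequirement` and the `errorCode` 50126 for a bad password); the records themselves are constructed for the example and are not data from the campaign. It aggregates IPv6 sources by /64 because, as described above, the attackers rotated through IPv6 ranges rather than reusing single addresses.

```python
import ipaddress
from collections import defaultdict

AZ_CLI = "Microsoft Azure CLI"  # assumed app display name for the CLI client


def rec(user, ip, proto, requirement, code, app=AZ_CLI):
    """Build one constructed sign-in record in Graph signIn field naming."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto,
            "authenticationRequirement": requirement, "errorCode": code}


# Constructed sample log: a low-and-slow spray (one guess per account) rotating
# through hosts in a single IPv6 /64, one ROPC success that only ever presented
# a password, and ordinary traffic that must not be flagged.
SIGNINS = [
    rec("alice@example.com", "2001:db8:1::a1", "ropc", "singleFactorAuthentication", 50126),
    rec("bob@example.com",   "2001:db8:1::a2", "ropc", "singleFactorAuthentication", 50126),
    rec("carol@example.com", "2001:db8:1::a3", "ropc", "singleFactorAuthentication", 50126),
    rec("dave@example.com",  "2001:db8:1::a4", "ropc", "singleFactorAuthentication", 50126),
    rec("erin@example.com",  "2001:db8:1::a5", "ropc", "singleFactorAuthentication", 50126),
    # Password guessed correctly: token issued via ROPC with no second factor.
    rec("frank@example.com", "2001:db8:1::a6", "ropc", "singleFactorAuthentication", 0),
    # Legitimate ROPC use that was challenged for MFA: not an exposure.
    rec("grace@example.com", "203.0.113.20", "ropc", "multiFactorAuthentication", 0),
    # One user mistyping a password three times from the office: not a spray.
    rec("dave@example.com", "203.0.113.10", "oAuth2", "multiFactorAuthentication", 50126, "Browser"),
    rec("dave@example.com", "203.0.113.10", "oAuth2", "multiFactorAuthentication", 50126, "Browser"),
    rec("dave@example.com", "203.0.113.10", "oAuth2", "multiFactorAuthentication", 50126, "Browser"),
    rec("dave@example.com", "203.0.113.10", "oAuth2", "multiFactorAuthentication", 0, "Browser"),
]

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def source_key(ip: str) -> str:
    """Collapse an address to the unit an attacker rotates within:
    the /64 for IPv6, the single host for IPv4."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return ip


def detect_spray(records, min_users=5, max_per_user=2):
    """Return {source: sorted targeted users} for sources whose failed password
    attempts are spread across many accounts with only a few tries each.
    That shape stays under per-account lockout thresholds, which is why
    per-user failure counting alone misses it."""
    attempts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["errorCode"] == INVALID_PASSWORD:
            attempts[source_key(r["ipAddress"])][r["userPrincipalName"]] += 1
    return {
        src: sorted(per_user)
        for src, per_user in attempts.items()
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user
    }


def unprotected_ropc_successes(records):
    """Successful token issuance over ROPC where only a single factor was
    required: each hit is an account the tenant's MFA coverage did not reach."""
    return sorted(
        (r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
        for r in records
        if r["errorCode"] == 0
        and r["authenticationProtocol"] == "ropc"
        and r["authenticationRequirement"] == "singleFactorAuthentication"
    )


if __name__ == "__main__":
    for src, users in detect_spray(SIGNINS).items():
        print(f"spray from {src}: {len(users)} accounts targeted")
    for user, ip, app in unprotected_ropc_successes(SIGNINS):
        print(f"ROPC token without MFA: {user} from {ip} via {app}")
```

The second query is the more important one for the gap this article describes: a successful ROPC sign-in that reports `singleFactorAuthentication` is direct evidence that a Conditional Access policy did not apply to that flow, so every user it returns is a candidate for the MFA-coverage audit in the steps above, whether or not a spray was ever observed against them.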
The Microsoft Security Blog provides guidance on configuring Conditional Access to address legacy authentication gaps. Organizations using Azure should review their authentication policies against Microsoft's security baseline recommendations.
Why This Matters
Password spray attacks aren't new. But the scale and sophistication of this campaign—81 million attempts in 10 days, with infrastructure specifically targeting deprecated authentication flows—signals an escalation in how threat actors approach cloud identity compromise.
MFA has become the default recommendation for account security. This attack demonstrates that MFA's value depends entirely on enforcement coverage. A policy that covers interactive logins but ignores ROPC flows isn't protecting against attackers who know to use ROPC. The 155x increase in spray attacks suggests criminals are finding and exploiting these gaps systematically.
The fix requires treating legacy compatibility as a security risk, not just a convenience tradeoff. Every deprecated authentication path that remains enabled for backwards compatibility is also enabled for adversaries who read the same documentation administrators do.