PROBABLYPWNED
Threat Intelligence | July 2, 2026 | 4 min read

81M Login Attempts: Massive Azure CLI Password Spray Campaign

Attackers exploited deprecated OAuth ROPC flow to bypass MFA, compromising 78 accounts across 64 organizations. Attack originated from Hong Kong and China infrastructure.

Alex Kowalski

A coordinated password spray campaign targeting Microsoft Azure CLI authentication compromised 78 user accounts across 64 organizations over a ten-day window in June, with attackers leveraging a deprecated OAuth flow to sidestep multi-factor authentication entirely.

SecurityWeek reports that researchers observed over 81 million authentication attempts between June 12 and June 21, part of a broader 155x increase in credential spray attacks over the past six months. The campaign exploited a fundamental weakness in how legacy OAuth authentication handles MFA enforcement.

The ROPC Problem

The attack succeeded because Azure CLI supports OAuth 2.0's Resource Owner Password Credentials (ROPC) flow—a deprecated authentication method that sends passwords directly to token endpoints without interactive MFA prompts.

ROPC exists for backwards compatibility with legacy applications that can't handle modern authentication flows. But that compatibility comes at a cost: it creates an authentication path that bypasses the MFA protections organizations believe are protecting their accounts.

When attackers send valid credentials via ROPC, they receive tokens without ever hitting an MFA challenge. The user's MFA settings exist. The policy says MFA is required. But the legacy flow provides a workaround that threat actors are now exploiting at industrial scale.

This isn't the first time deprecated authentication methods have undermined modern security controls. Similar bypass techniques have affected enterprise VPN infrastructure where legacy protocols remained enabled alongside newer protections.

Attack Infrastructure

Researchers traced the campaign to infrastructure associated with LSHIY LLC, with connections to autonomous systems in Hong Kong, Wuhan, China, and New York. The threat actors used IPv6 address ranges across multiple autonomous systems, rotating through infrastructure to avoid rate limiting and detection.

Abuse reports sent to the hosting providers went unanswered.

The attack pattern showed consistent daily activity: 2-4 accounts compromised per day on average, with a spike of 23 organizations affected on June 22 alone. The steady pace suggests automated tooling with throttling designed to stay below detection thresholds while maintaining persistent pressure.

MFA Isn't Enough If Coverage Is Incomplete

Analysis of the compromised organizations revealed a common thread: incomplete MFA coverage. Eight organizations lacked MFA entirely. Others enforced it selectively—by user group, application, or network location—leaving gaps that ROPC authentication slipped through.

The lesson here extends beyond Azure CLI. Any legacy authentication flow that predates modern MFA integration represents a potential bypass opportunity. Organizations assuming their MFA policies provide complete protection may be overlooking the authentication paths that don't honor those policies.

Microsoft has been moving to deprecate ROPC and similar legacy flows for years. OAuth 2.1 removes support for ROPC entirely. But enterprise environments often retain legacy flows for compatibility reasons, creating exactly the gaps this campaign exploited.

Remediation Steps

Organizations should take several immediate actions:

  1. Audit OAuth flow usage - Identify which applications and service principals authenticate via ROPC or other legacy methods
  2. Extend MFA to all flows - Configure Conditional Access policies to require MFA for legacy authentication explicitly, not just interactive sign-ins
  3. Block legacy authentication - Where possible, disable ROPC and other deprecated flows at the tenant level
  4. Monitor for spray patterns - Watch for distributed authentication failures that indicate credential testing
  5. Review Azure CLI usage - Understand which users and automation rely on CLI authentication and whether ROPC is involved
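The following script is an added example, not code from the article or from the researchers it cites. It shows how a defender would run the checks behind steps 1, 2 and 4 above, and the coverage-gap point from "The ROPC Problem", over sign-in events: which applications still authenticate via ROPC, which successful ROPC sign-ins carried no MFA (the uncovered paths), and which source addresses show the spray signature of failures against many distinct accounts in a short window. The sample events are constructed, and the field names (`user`, `ip`, `app`, `protocol`, `result`, `mfa`) are an assumption modelled loosely on a sign-in log export rather than any product's real schema; map them onto your own log source before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events as JSON lines. Users, addresses and app
# names are invented, and the field names are an assumption for this example,
# not the schema of any real sign-in log.
SAMPLE_LOG = """\
{"time":"2026-06-14T02:00:01Z","user":"a.lee@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"failure","mfa":false}
{"time":"2026-06-14T02:03:10Z","user":"b.ng@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"failure","mfa":false}
{"time":"2026-06-14T02:07:42Z","user":"c.ortiz@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"failure","mfa":false}
{"time":"2026-06-14T02:12:05Z","user":"d.kim@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"failure","mfa":false}
{"time":"2026-06-14T02:15:30Z","user":"e.rossi@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"success","mfa":false}
{"time":"2026-06-14T02:20:00Z","user":"f.chen@example.org","ip":"2001:db8:bad::1","app":"Microsoft Azure CLI","protocol":"ropc","result":"failure","mfa":false}
{"time":"2026-06-14T09:00:00Z","user":"a.lee@example.org","ip":"203.0.113.7","app":"Microsoft Azure CLI","protocol":"deviceCode","result":"success","mfa":true}
{"time":"2026-06-14T09:05:00Z","user":"a.lee@example.org","ip":"203.0.113.7","app":"Microsoft Azure CLI","protocol":"deviceCode","result":"failure","mfa":false}
{"time":"2026-06-14T09:30:00Z","user":"svc-build@example.org","ip":"203.0.113.9","app":"legacy-build-agent","protocol":"ropc","result":"success","mfa":false}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def ropc_usage_by_app(events):
    """Audit (step 1): every application seen using ROPC, with the accounts it was
    tried against. Attempts count as well as successes, since the goal is to find
    every client that still speaks the deprecated flow."""
    usage = defaultdict(set)
    for ev in events:
        if ev["protocol"] == "ropc":
            usage[ev["app"]].add(ev["user"])
    return {app: sorted(users) for app, users in usage.items()}


def ropc_sign_ins_without_mfa(events):
    """Coverage check (step 2): successful ROPC sign-ins that satisfied no MFA claim.
    Each one is a live authentication path the tenant's MFA policy did not cover."""
    return [ev for ev in events
            if ev["protocol"] == "ropc" and ev["result"] == "success" and not ev["mfa"]]


def detect_spray(events, window=timedelta(hours=1), min_users=5):
    """Spray heuristic (step 4): one source address failing against at least
    min_users distinct accounts inside a sliding time window. Many accounts with
    few attempts each is the spray shape; brute force against one account is not.
    Returns {ip: (distinct_users, window_start)} for every flagged source."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ip"]].append((ev["time"], ev["user"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and (ip not in hits or len(users) > hits[ip][0]):
                hits[ip] = (len(users), attempts[start][0])
    return hits


def compromised_after_spray(events, spray_hits):
    """Accounts that signed in successfully from a flagged spray source: the
    first candidates for credential reset and session revocation."""
    return sorted({ev["user"] for ev in events
                   if ev["ip"] in spray_hits and ev["result"] == "success"})


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    print("ROPC usage by app:", ropc_usage_by_app(evs))
    print("ROPC success without MFA:", [e["user"] for e in ropc_sign_ins_without_mfa(evs)])
    hits = detect_spray(evs)
    print("Spray sources:", hits)
    print("Successful sign-ins from spray sources:", compromised_after_spray(evs, hits))
```

On the constructed data the spray source is flagged after its fifth distinct failed account within twenty minutes, and the one ROPC success from that address is surfaced as the account to reset. The service account `svc-build@example.org` does not trip the spray rule but does appear in the ROPC-without-MFA list, which is exactly the kind of legacy dependency step 5 asks you to enumerate before disabling the flow. The threshold and window are deliberately parameters: a campaign throttled to a few accounts per day, as described above, needs a longer window and a cross-tenant view rather than a one-hour rule.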

The Microsoft Security Blog provides guidance on configuring Conditional Access to address legacy authentication gaps. Organizations using Azure should review their authentication policies against Microsoft's security baseline recommendations.

Why This Matters

Password spray attacks aren't new. But the scale and sophistication of this campaign—81 million attempts in 10 days, with infrastructure specifically targeting deprecated authentication flows—signals an escalation in how threat actors approach cloud identity compromise.

MFA has become the default recommendation for account security. This attack demonstrates that MFA's value depends entirely on enforcement coverage. A policy that covers interactive logins but ignores ROPC flows isn't protecting against attackers who know to use ROPC. The 155x increase in spray attacks suggests criminals are finding and exploiting these gaps systematically.

The fix requires treating legacy compatibility as a security risk, not just a convenience tradeoff. Every deprecated authentication path that remains enabled for backwards compatibility is also enabled for adversaries who read the same documentation administrators do.
