Cyber Web Spider Blog – News

Azure CLI Targeted by Extensive Password Spray Attack

Posted on July 1, 2026 By CWS

Cybersecurity experts have identified a large-scale automated password spray attack targeting Microsoft’s Azure command-line interface (CLI), compromising multiple accounts in the process.

Originating from an IPv6 address range (2a0a:d683::/32) associated with internet provider LSHIY LLC (AS32167), the campaign was detected between June 12 and June 26. According to Huntress, the attackers executed over 81 million login attempts, successfully breaching 78 Microsoft accounts within 64 organizations.

Details of the Attack

Beyond its scale, the campaign stands out for its ability to bypass Conditional Access policies (CAPs) by using the deprecated Resource Owner Password Credentials (ROPC) OAuth flow, even where CAP protections were in place. The attackers did not single out specific industries or businesses; they chose passwords by how prevalent they were on compromised credential lists.

The ROPC flow, part of OAuth 2.0, allows a user to directly provide credentials to an application, which then exchanges them for an access token. This method is incompatible with multi-factor authentication (MFA) and was deprecated in OAuth 2.1 due to security vulnerabilities.

Impact and Response

During the attack, credential and token spray methods resulted in a daily compromise of several accounts, spiking on June 19 with 12 breaches, and reaching 30 on June 22. The assault predominantly originated from LSHIY LLC’s infrastructure, with IP addresses resolving to the U.S. and China.

Huntress observed a significant increase in credential spray attacks, noting a 155-fold surge across its customers. The attack exploited unrotated old username/password combinations and bypassed MFA setups due to inadequate configurations.

Preventive Measures

Organizations are advised to enforce MFA for all users, applications, and client types when enabling CAP. It is crucial to restrict Azure CLI applications for non-administrative users and prioritize responses based on credential validity.

Huntress researchers highlighted the need for proper CAP configuration to prevent such breaches. Misconfigured CAPs allow legacy protocols like ROPC to evade authorization flow checks, presenting vulnerabilities that threat actors can exploit.
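The triage below is an added example, not code from the article or from Huntress: it filters sign-in events for ROPC requests to Azure CLI from the reported IPv6 range and ranks accounts by credential validity, as the guidance above recommends. The event field names, the app display name and the sample events are assumptions constructed for illustration; the error codes are Microsoft's AADSTS sign-in codes.

```python
import ipaddress
from collections import defaultdict

SPRAY_NET = ipaddress.ip_network("2a0a:d683::/32")  # range named in the article
AZURE_CLI = "Microsoft Azure CLI"                   # assumed app display name
# AADSTS codes where the password was accepted but sign-in was stopped:
# 50076/50079 = MFA required, 53003 = blocked by Conditional Access.
PASSWORD_OK_BLOCKED = {50076, 50079, 53003}
RANK = {"failed": 0, "valid_password_blocked": 1, "token_issued": 2}

# Constructed sample events; field names are assumptions, not a real export.
SAMPLE_EVENTS = [
    {"user": "a@corp.example", "ip": "2a0a:d683:1::5", "app": AZURE_CLI, "protocol": "ropc", "error": 50126},
    {"user": "a@corp.example", "ip": "2a0a:d683:9::1", "app": AZURE_CLI, "protocol": "ropc", "error": 0},
    {"user": "b@corp.example", "ip": "2a0a:d683:2::7", "app": AZURE_CLI, "protocol": "ropc", "error": 53003},
    {"user": "c@corp.example", "ip": "2a0a:d683:3::8", "app": AZURE_CLI, "protocol": "ropc", "error": 50126},
    {"user": "d@corp.example", "ip": "2001:db8::10", "app": AZURE_CLI, "protocol": "oAuth2", "error": 0},
    {"user": "e@corp.example", "ip": "not-an-ip", "app": AZURE_CLI, "protocol": "ropc", "error": 50126},
]

def matches_campaign(event):
    """True for ROPC sign-ins to Azure CLI from the reported IPv6 range."""
    try:
        addr = ipaddress.ip_address(event["ip"])
    except ValueError:          # malformed address in the log: not a match
        return False
    return (addr in SPRAY_NET and event["app"] == AZURE_CLI
            and event["protocol"].lower() == "ropc")

def classify(error):
    """Map a sign-in error code to how far the credential got."""
    if error == 0:
        return "token_issued"
    return "valid_password_blocked" if error in PASSWORD_OK_BLOCKED else "failed"

def triage(events):
    """Return [(user, worst_outcome, attempts)], most urgent first."""
    worst, attempts = {}, defaultdict(int)
    for ev in filter(matches_campaign, events):
        outcome = classify(ev["error"])
        attempts[ev["user"]] += 1
        if RANK[outcome] >= RANK[worst.get(ev["user"], "failed")]:
            worst[ev["user"]] = outcome
    return sorted(((u, o, attempts[u]) for u, o in worst.items()),
                  key=lambda r: (-RANK[r[1]], r[0]))

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Accounts in the `valid_password_blocked` tier still need a password reset: the credential is known to the attacker even though a policy stopped the sign-in.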

Ultimately, this incident underscores the importance of robust security practices and the need for organizations to adapt their defenses against evolving cyber threats.

The Hacker News. Tags: attack mitigation, Azure CLI, cloud security, Conditional Access Policy, credential spray, cyber threats, Cybersecurity, Huntress, LSHIY LLC, MFA, Microsoft, password spray, ROPC
