Cyber Web Spider Blog – News

Massive Azure CLI Password Spray Campaign Uncovered


Posted on July 1, 2026 By CWS

Huntress, a cybersecurity firm, has identified a major password spray campaign targeting the Azure Command-Line Interface (CLI) within Microsoft 365 environments. The operation highlights how exposed cloud-based systems are when targeted by sophisticated threat actors.

Scope and Impact of the Campaign

Between June 12 and June 21, Huntress recorded more than 81 million login attempts directed at its customers. The activity led to the compromise of 78 user accounts across 64 different organizations. The most intense period of the campaign occurred around June 22, when the attackers successfully infiltrated 23 businesses in a single day.

Most login attempts were traced back to AS32167, an autonomous system belonging to the internet hosting provider LSHIY LLC. This campaign is part of a broader trend, with Huntress noting a 155-fold increase in credential spray attacks over the past six months across its customer base.

Technical Aspects of the Attack

The attackers used the OAuth Resource Owner Password Credentials (ROPC) flow, a deprecated method in OAuth 2.1, to validate credentials. In this flow the client submits the username and password directly, and a new user token is issued when the credentials are correct. This bypasses Multi-Factor Authentication (MFA) if MFA is not integrated into the ROPC flow.

Huntress found weaknesses in the MFA configurations of compromised accounts. Some organizations had MFA policies that were not enforced universally, applied only to specific user groups, or implemented for certain geographic locations. Notably, eight affected businesses had no MFA policies in place, highlighting the importance of robust MFA configurations.
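The following sketch is an added example, not code from Huntress or from this article. It shows how a defender could hunt for this pattern in exported Entra ID sign-in records by grouping Azure CLI ROPC sign-ins by source autonomous system. The field names follow the Microsoft Graph `signIn` resource, and the sample records, the `find_ropc_spray` function and the `min_users` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Client ID of the Microsoft Azure CLI first-party app (confirm against your own logs).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
BAD_PASSWORD = 50126   # Entra error: invalid username or password
MFA_REQUIRED = 50076   # Entra error: password accepted, MFA demanded

def find_ropc_spray(events, min_users=3):
    """Group Azure CLI ROPC sign-ins by source ASN and summarise likely sprays."""
    by_asn = defaultdict(lambda: {"users": set(), "failures": 0,
                                  "compromised": set(), "password_known": set()})
    for e in events:
        if e.get("appId") != AZURE_CLI_APP_ID or e.get("authenticationProtocol") != "ropc":
            continue  # interactive or device-code CLI logins are out of scope
        b = by_asn[e.get("autonomousSystemNumber")]
        user = e["userPrincipalName"].lower()
        code = e["status"]["errorCode"]
        b["users"].add(user)
        if code == BAD_PASSWORD:
            b["failures"] += 1
        elif code == MFA_REQUIRED:
            b["password_known"].add(user)   # MFA held, but the password needs a reset
        elif code == 0 and e.get("authenticationRequirement") == "singleFactorAuthentication":
            b["compromised"].add(user)      # token issued on the password alone
    return {asn: {"distinct_users": len(b["users"]), "failures": b["failures"],
                  "compromised": sorted(b["compromised"]),
                  "password_known": sorted(b["password_known"])}
            for asn, b in by_asn.items()
            if len(b["users"]) >= min_users and b["failures"] > 0}

def _event(user, asn, code, proto="ropc", req="singleFactorAuthentication"):
    """Build one constructed sign-in record using Graph signIn field names."""
    return {"userPrincipalName": user, "appId": AZURE_CLI_APP_ID,
            "ipAddress": "2001:db8::1", "autonomousSystemNumber": asn,
            "authenticationProtocol": proto, "authenticationRequirement": req,
            "status": {"errorCode": code}}

# Constructed sample data; not taken from the Huntress report.
SAMPLE_EVENTS = [
    _event("alice@example.com", 32167, BAD_PASSWORD),
    _event("bob@example.com", 32167, BAD_PASSWORD),
    _event("carol@example.com", 32167, BAD_PASSWORD),
    _event("Dave@example.com", 32167, 0),
    _event("erin@example.com", 32167, MFA_REQUIRED),
    _event("frank@example.com", 64500, 0, proto="deviceCode",
           req="multiFactorAuthentication"),
]

if __name__ == "__main__":
    for asn, summary in find_ropc_spray(SAMPLE_EVENTS).items():
        print(f"AS{asn}: {summary}")
```

Accounts listed under `compromised` received a token without MFA and need session revocation and a credential reset; accounts under `password_known` were protected by MFA but still have an exposed password.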

Response and Recommendations

The attacks originated from an IPv6 address range tied to LSHIY, with locations in Hong Kong; Wuhan, China; and New York. Despite Huntress reporting the activity to LSHIY, there has been no response from the provider.

Huntress advises organizations to reassess their MFA strategies, ensuring comprehensive coverage that includes the ROPC authentication flow. While MFA remains a crucial defense mechanism, it must be properly configured to be effective against sophisticated credential attacks.

This incident underscores the importance of staying vigilant and proactive in updating security measures to protect against evolving cyber threats. Organizations are urged to enhance their security protocols, particularly around cloud services and authentication processes, to mitigate future risks.

Copyright © 2026 Cyber Web Spider Blog – News.
