A large-scale, automated password-spray campaign is targeting Microsoft 365 users. Rather than exploiting a software vulnerability, it abuses Microsoft’s Azure Command-Line Interface (CLI) client together with the legacy OAuth Resource Owner Password Credentials (ROPC) flow, and it has compromised Entra ID accounts in tenants that had multi-factor authentication (MFA) configured but not enforced on that sign-in path.
Massive Login Attempts and Compromised Accounts
The cybersecurity firm Huntress is tracking a sharp increase in password- and token-spray activity aimed at Microsoft 365 and Azure CLI sign-ins. Between June 12 and June 26, 2026, it recorded more than 81 million login attempts against its customers’ tenants, which compromised at least 78 accounts across 64 organizations.
Daily compromises started low, at two to four accounts, then jumped to 30 user identities across 23 businesses on June 22, a marked escalation of the campaign.
Broader Trends and Attack Tactics
Huntress reports a 155-fold increase in credential-spray volume over the past six months, with a current mean of roughly 1,964 failed attempts per tenant per month. The attackers are opportunistic: they replay credentials exposed in earlier breaches against whatever tenants those credentials belong to, rather than targeting particular industries.
Most of the attack traffic originates from the IPv6 range 2a0a:d683::/32, allocated to the infrastructure provider LSHIY LLC. The company is associated with addresses in Hong Kong, Wuhan and a shared office in New York, which complicates any attempt to place its actual base of operations.
Exploiting Weaknesses in Authentication
The attackers replay previously breached credentials through the OAuth Resource Owner Password Credentials (ROPC) flow, in which the client posts the username and password straight to the token endpoint and receives tokens with no interactive sign-in. The grant is a legacy part of OAuth 2.0 and has been deprecated and omitted from the OAuth 2.1 draft. Because there is no interactive step, ROPC cannot complete an MFA challenge: if a policy demands MFA for that user and application, the request is rejected, so the sign-ins that succeeded did so where no policy required MFA on that path.
Huntress found configuration gaps in the MFA and Conditional Access Policies (CAP) of many affected tenants: MFA policies scoped to specific applications or groups rather than all users and all apps, named-location (geolocation) rules that exclude more than intended, and policies left in report-only mode, which log what they would have done but enforce nothing.
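The two signals described above, a spray source hitting many accounts and an ROPC success that was never asked for a second factor, can be pulled straight out of Entra ID sign-in records. The following is an added example written for this page, not Huntress’s tooling or a Microsoft API. It assumes the field names of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, authenticationProtocol, authenticationRequirement, appDisplayName); the records are constructed for illustration, and only the /32 prefix comes from the report.

```python
"""Spot a password-spray source and ROPC sign-ins that skipped MFA.

Added example, not Huntress's tooling or Microsoft's API. Field names follow
the Microsoft Graph signIn resource as an assumption; the records below are
constructed, and only the 2a0a:d683::/32 prefix comes from the report.
"""
import ipaddress
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0
SFA, MFA = "singleFactorAuthentication", "multiFactorAuthentication"
CLI = "Microsoft Azure CLI"


def rec(upn, ip, code, proto, requirement, app):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "status": {"errorCode": code},
        "authenticationProtocol": proto,
        "authenticationRequirement": requirement,
        "appDisplayName": app,
    }


# Constructed sample: host addresses, users and the contoso.example tenant
# are made up; the /32 they sit in is the range named in the report.
SAMPLE_SIGNINS = [
    rec("alice@contoso.example", "2a0a:d683:1::10", INVALID_CREDENTIALS, "ropc", SFA, CLI),
    rec("bob@contoso.example",   "2a0a:d683:1::10", INVALID_CREDENTIALS, "ropc", SFA, CLI),
    rec("carol@contoso.example", "2a0a:d683:1::11", INVALID_CREDENTIALS, "ropc", SFA, CLI),
    rec("dave@contoso.example",  "2a0a:d683:1::11", INVALID_CREDENTIALS, "ropc", SFA, CLI),
    rec("erin@contoso.example",  "2a0a:d683:1::12", INVALID_CREDENTIALS, "ropc", SFA, CLI),
    # the one replayed credential that still works, and no MFA was demanded
    rec("bob@contoso.example",   "2a0a:d683:2::7",  SUCCESS, "ropc", SFA, CLI),
    # legitimate interactive sign-in elsewhere, MFA satisfied
    rec("alice@contoso.example", "203.0.113.5",  SUCCESS, "oAuth2", MFA, "Office 365"),
    # a single typo from one user is not a spray
    rec("alice@contoso.example", "198.51.100.9", INVALID_CREDENTIALS, "oAuth2", SFA, "Office 365"),
]


def source_prefix(ip, v6_prefix=32, v4_prefix=24):
    """Collapse an address to the block it is sprayed from (/32 v6, /24 v4)."""
    addr = ipaddress.ip_address(ip)
    plen = v6_prefix if addr.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def spray_sources(signins, min_distinct_users=5):
    """Prefixes whose bad-password failures hit >= min_distinct_users accounts.

    Many users, few attempts each, one source block: that is the spray
    signature, as opposed to many attempts against one user (brute force).
    """
    users_by_prefix = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == INVALID_CREDENTIALS:
            users_by_prefix[source_prefix(s["ipAddress"])].add(s["userPrincipalName"].lower())
    return {p: sorted(u) for p, u in users_by_prefix.items() if len(u) >= min_distinct_users}


def ropc_successes_without_mfa(signins, sources=None):
    """Successful ROPC token grants where only one factor was required.

    ROPC cannot complete an MFA challenge, so a success that Conditional
    Access let through with single-factor auth is the compromise signal;
    restricting to known spray sources cuts the noise further.
    """
    hits = []
    for s in signins:
        if s["status"]["errorCode"] != SUCCESS:
            continue
        if s.get("authenticationProtocol") != "ropc":
            continue
        if s.get("authenticationRequirement") == MFA:
            continue
        if sources is not None and source_prefix(s["ipAddress"]) not in sources:
            continue
        hits.append(s)
    return hits


if __name__ == "__main__":
    sprayers = spray_sources(SAMPLE_SIGNINS)
    for prefix, users in sprayers.items():
        print(f"spray source {prefix}: {len(users)} accounts tried")
    for hit in ropc_successes_without_mfa(SAMPLE_SIGNINS, sprayers):
        print(f"possible compromise: {hit['userPrincipalName']} via ROPC "
              f"from {hit['ipAddress']} ({hit['appDisplayName']})")
```

Against exported sign-in logs the two functions are run over a sliding window (Huntress’s figures suggest a daily one is plenty); the distinct-user threshold is the tuning knob, since a spray is many users per source, not many attempts per user.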
Mitigation Strategies and Recommendations
Security experts, including Huntress, recommend treating Azure CLI and ROPC as high-risk and adjusting CAP accordingly: enforce MFA for all users and all applications, block the flow outright where it is not needed, and require strong client-level authentication.
Disabling legacy grants and tightening named locations are essential steps. Conditional Access behaviour should be tested continuously, for example with Microsoft’s Conditional Access “What If” tool, so that a scoping or report-only mistake is caught before an attacker finds it.
With these measures in place, organizations are far better placed to withstand campaigns of this scale and to keep their Microsoft 365 environments secure.
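A static check complements the “What If” simulator: it walks every policy in the tenant and flags exactly the gaps named above. The block below is an added example, not Microsoft’s or Huntress’s code. It assumes the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users / applications / clientAppTypes / locations, grantControls); the object IDs are placeholders, and WEAK_POLICY and HARDENED_POLICY are constructed to show a report-only, group- and app-scoped policy beside one that enforces MFA everywhere.

```python
"""Audit Conditional Access policies for the gaps the report describes.

Added example, not Microsoft's or Huntress's code. Policy dicts follow the
Microsoft Graph conditionalAccessPolicy shape as an assumption; IDs in
angle brackets are placeholders and both policies are constructed.
"""

WEAK_POLICY = {
    "displayName": "Require MFA - pilot",
    "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["<pilot-group-object-id>"],
                  "excludeUsers": []},
        "applications": {"includeApplications": ["<line-of-business-app-id>"]},
        "clientAppTypes": ["browser"],              # Azure CLI is not a browser
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["<office-named-location-id>"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

HARDENED_POLICY = {
    "displayName": "Require MFA - all users, all apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "locations": None,
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_policy(policy):
    """Return a list of finding codes; an empty list means no gap found.

    Each check maps to one gap from the report: not enforced (report-only or
    disabled), MFA limited to some users/groups or some apps, client types
    left out, a named-location carve-out, or a grant that neither requires
    MFA nor blocks.
    """
    findings = []
    cond = policy.get("conditions", {})

    if policy.get("state") != "enabled":
        findings.append("not-enforced")

    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("users-scoped")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("user-exclusions")  # acceptable for break-glass accounts, but review

    apps = cond.get("applications", {})
    if "All" not in apps.get("includeApplications", []):
        findings.append("apps-scoped")

    if "all" not in cond.get("clientAppTypes", []):
        findings.append("client-app-types-scoped")

    loc = cond.get("locations") or {}
    if loc.get("excludeLocations"):
        findings.append("location-exclusion")  # verify the named location's ranges

    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    if not controls & {"mfa", "block"}:
        findings.append("no-mfa-or-block")

    return findings


def audit_tenant(policies):
    """Map policy name -> findings for a list of policies pulled from Graph."""
    return {p["displayName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit_tenant([WEAK_POLICY, HARDENED_POLICY]).items():
        print(f"{name}: {', '.join(findings) or 'no gaps found'}")
```

The checks are deliberately coarse: a policy with an exclusion or a location carve-out is not necessarily wrong, but every such entry is a place where an ROPC request from the attacker’s range might fall outside the MFA requirement, so each one should be justified in writing and re-tested in “What If” with the Azure CLI as the client.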
