Particle.news

Massive Password-Spray Flood Targets Azure CLI, Compromises Dozens

Researchers say attackers used a deprecated OAuth flow to bypass some Conditional Access and MFA protections and traced most traffic to an IPv6 range linked to LSHIY.

Overview

  • The automated campaign made more than 81 million login attempts between June 12 and June 26 and resulted in at least 78 compromised Microsoft accounts across 64 organizations.
  • Attackers relied on the deprecated OAuth Resource Owner Password Credentials (ROPC) flow, which sends usernames and passwords directly to the token endpoint and does not support interactive MFA or single sign-on.
  • Because ROPC never triggers an interactive MFA prompt, logins succeeded wherever Conditional Access was scoped only to certain apps, groups, locations, or client types, and eight of the impacted businesses had no MFA policy at all.
  • Huntress traced most of the traffic to an IPv6 range (2a0a:d683::/32) tied to LSHIY (AS32167), reported the abuse to the provider, and said it received no response.
  • Researchers urge admins to rotate breached credentials, require MFA for all users and for every cloud and client app type, block legacy authentication such as ROPC, and limit Azure CLI access for non-admins to prevent further compromises.
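The two detection checks a defender would run after reading the bullets above are (1) find sign-ins that used the ROPC grant, since those bypass interactive MFA, and (2) find the password-spray pattern itself: one source address trying many distinct accounts a few times each. The script below is an added example written for this page, not code from Huntress, Microsoft, or Particle.news. It runs offline on a handful of constructed sign-in records; the field names (`user`, `ip`, `protocol`, `client`, `success`), the `"ROPC"` protocol label, and the `"Microsoft Azure CLI"` client string are assumptions about how such data would be exported, not the real Entra sign-in log schema. The only page-sourced value is the reported `2a0a:d683::/32` range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names are an
# assumption for this example; adapt them to your actual sign-in log export.
# "ROPC" marks the resource owner password credentials grant, which carries the
# password straight to the token endpoint and never prompts for interactive MFA.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "2a0a:d683:1::10", "protocol": "ROPC",
     "client": "Microsoft Azure CLI", "success": False},
    {"user": "bob@example.com",   "ip": "2a0a:d683:1::10", "protocol": "ROPC",
     "client": "Microsoft Azure CLI", "success": False},
    {"user": "carol@example.com", "ip": "2a0a:d683:1::10", "protocol": "ROPC",
     "client": "Microsoft Azure CLI", "success": True},
    {"user": "dave@example.com",  "ip": "2a0a:d683:2::44", "protocol": "ROPC",
     "client": "Microsoft Azure CLI", "success": False},
    # Normal interactive logins from one user (a few typos, then success) must
    # not be mistaken for a spray: one user, several attempts, same address.
    {"user": "alice@example.com", "ip": "203.0.113.7", "protocol": "interactive",
     "client": "Browser", "success": False},
    {"user": "alice@example.com", "ip": "203.0.113.7", "protocol": "interactive",
     "client": "Browser", "success": False},
    {"user": "alice@example.com", "ip": "203.0.113.7", "protocol": "interactive",
     "client": "Browser", "success": True},
]

# IPv6 prefix reported by Huntress as the origin of most of the traffic.
REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")


def in_reported_range(ip_str, network=REPORTED_RANGE):
    """True if the source address falls inside the reported prefix.

    An IPv4 address can never match an IPv6 prefix, and an unparseable
    string is treated as not matching rather than raising.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return addr.version == network.version and addr in network


def legacy_auth_signins(records):
    """Every sign-in that used ROPC, regardless of outcome.

    Any successful entry here is a login that skipped interactive MFA, so
    this list is the first thing to review when tightening Conditional Access.
    """
    return [r for r in records if r["protocol"] == "ROPC"]


def detect_password_spray(records, min_users=3, max_per_user=2):
    """Flag source addresses that tried many accounts a few times each.

    Brute force is one account hit many times; spray is many accounts each
    hit once or twice. Grouping by IP and counting distinct users separates
    the two. Thresholds are example values, not tuned figures.
    """
    by_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        by_ip[r["ip"]][r["user"]] += 1
    findings = []
    for ip, users in by_ip.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            findings.append({
                "ip": ip,
                "in_reported_range": in_reported_range(ip),
                "distinct_users": len(users),
                "attempts": sum(users.values()),
            })
    return findings


def accounts_to_rotate(records):
    """Accounts that successfully signed in via ROPC from a spraying address.

    These are the credentials the spray actually validated; they need to be
    rotated and their sessions revoked, which is the first remediation step
    the researchers recommend.
    """
    spray_ips = {f["ip"] for f in detect_password_spray(records)}
    return sorted({
        r["user"] for r in records
        if r["protocol"] == "ROPC" and r["success"] and r["ip"] in spray_ips
    })


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print("spray source:", finding)
    print("ROPC sign-ins:", len(legacy_auth_signins(SAMPLE_SIGNINS)))
    print("rotate:", accounts_to_rotate(SAMPLE_SIGNINS))
```

On the constructed data, `2a0a:d683:1::10` is the only address that touched three accounts once each, so it is the sole spray finding; Alice's three interactive attempts from `203.0.113.7` are correctly ignored, and Carol's successful ROPC login from the spraying address is the one account the script says to rotate. In a real tenant the same grouping would be done over the sign-in log export, with the client-app and authentication-protocol columns standing in for the assumed `client` and `protocol` fields.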