Massive Password Spray Campaign Exploits Legacy Azure CLI Auth Flow

DNI
Daily News Insights Editorial Desk
WEDNESDAY, 1 JULY 2026 AT 02:31 PM·4 MIN READ
Openverse
IMAGE: DAILY NEWS INSIGHTS / NEWS DATA LABS

IR SUMMARY — KEY POINTS

  • Cybersecurity researchers at Huntress have identified a large-scale automated password spray campaign targeting Microsoft Azure command-line interface environments since mid-June 2026.
  • The malicious activity originates primarily from IPv6 infrastructure provided by LSHIY LLC, impacting at least 78 user accounts across 64 distinct organizations.
  • Threat actors are successfully bypassing standard security protocols by abusing a deprecated OAuth flow that fails to trigger modern multi-factor authentication checks.
  • Experts emphasize that while many organizations have enabled conditional access policies, incomplete enforcement of authentication requirements left significant gaps in their security posture.
  • Security professionals urge immediate remediation by disabling legacy authentication flows and ensuring that all cloud applications are strictly protected by modern protocols.
A sophisticated and automated password spray campaign is currently targeting the Microsoft Azure command-line interface, resulting in a series of unauthorized account access events across a diverse range of sectors. Cybersecurity firm Huntress recently reported that threat actors have launched over 81 million login attempts in a two-week period. By leveraging compromised credential lists, the attackers successfully breached at least 78 accounts. This incident highlights a recurring vulnerability where legacy authentication methods continue to provide a gateway for malicious actors despite the widespread availability of modern identity protection mechanisms for enterprise environments.

Exploiting Legacy Authentication Gaps

The operational heart of this attack is the abuse of the Resource Owner Password Credentials (ROPC) flow, an older OAuth grant that is deprecated in modern standards. In ROPC the client sends the username and password straight to the token endpoint, so there is no interactive step in which a multi-factor prompt could be presented; wherever an MFA requirement is not enforced on that sign-in, the token is issued on the password alone. This lets the flow sidestep the multi-factor authentication that organizations assume is protecting their infrastructure globally. The attackers exploited this blind spot to validate stolen passwords without triggering the security challenges that would normally stop a brute-force or spraying attempt in its tracks, which demonstrates a critical disconnect between organizational security policy and legacy system support.

Investigators have traced the bulk of the malicious traffic to an IPv6 address range operated by infrastructure provider LSHIY LLC. The scale of the attempt—averaging millions of daily requests—indicates a highly automated infrastructure designed for efficiency and persistence. While the campaign hit a peak of activity on June 22, the persistence shown by the actors suggests that they are not easily deterred by basic rate-limiting or standard perimeter defenses. This underscores the need for organizations to look beyond simple volume-based detection and implement more robust identity-centric monitoring for their cloud environments.

The malicious campaign executed over 81 million login attempts in a two-week window targeting Microsoft Azure environments.

Infrastructure Behind The Attacks

The impact of this campaign is further compounded by inconsistent configuration of security policies within the victim organizations. Even entities that believed they were protected by Conditional Access Policies found that their defenses were incomplete because they failed to enforce authentication requirements across all potential access vectors. In several instances, companies had implemented multi-factor authentication but left specific cloud applications or legacy flows exempt from these mandates. This oversight created a path of least resistance that the attackers were able to exploit with remarkable precision during their widespread spraying efforts.
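The gap described above is a configuration question, so here is an added Python example (not Huntress tooling and not code from this article) that audits a Conditional Access policy export for MFA policies that are not enforced, that are scoped to a subset of applications or users, or that carry exclusions, and reports whether any single policy requires MFA for all users on all cloud apps. The policy layout follows the Microsoft Graph conditionalAccessPolicy resource as the author of this example understands it (state, conditions.applications, conditions.users, grantControls.builtInControls); treat those field names as an assumption. The three sample policies, including the placeholder application id, are constructed.

```python
"""Audit a Conditional Access policy export for MFA coverage gaps.

Added example. The policy layout follows the Microsoft Graph
conditionalAccessPolicy resource as understood by the author of this example
(state, conditions.applications, conditions.users, grantControls.builtInControls);
treat the field names as an assumption. The policies below are constructed.
"""

ENFORCED = "enabled"  # other Graph states: "disabled", "enabledForReportingButNotEnforced"


def _requires_mfa(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def _covers_everyone_everywhere(policy):
    """True only for an enforced MFA policy with no app or user carve-outs."""
    apps = policy["conditions"]["applications"]
    users = policy["conditions"]["users"]
    return (policy["state"] == ENFORCED and _requires_mfa(policy)
            and apps.get("includeApplications") == ["All"]
            and not apps.get("excludeApplications")
            and users.get("includeUsers") == ["All"]
            and not users.get("excludeUsers"))


def audit_mfa_coverage(policies):
    """Return per-policy findings plus whether the tenant has one policy that
    requires MFA for every user on every cloud app (the condition under which a
    password-only ROPC sign-in cannot complete anywhere)."""
    findings = []
    for policy in policies:
        if not _requires_mfa(policy):
            continue  # block-only or session-control policies are out of scope here
        name = policy["displayName"]
        if policy["state"] != ENFORCED:
            findings.append((name, f"state is '{policy['state']}': policy is not enforced"))
            continue
        apps = policy["conditions"]["applications"]
        users = policy["conditions"]["users"]
        if apps.get("includeApplications") != ["All"]:
            findings.append((name, "MFA limited to listed apps; unlisted apps accept password-only sign-in"))
        for app_id in apps.get("excludeApplications", []):
            findings.append((name, f"application {app_id} excluded from MFA"))
        if users.get("includeUsers") != ["All"]:
            findings.append((name, "MFA limited to listed users or groups"))
        for user_id in users.get("excludeUsers", []):
            findings.append((name, f"user {user_id} excluded from MFA"))
    fully_covered = any(_covers_everyone_everywhere(p) for p in policies)
    if not fully_covered:
        findings.append(("(tenant)", "no enabled policy requires MFA for all users on all cloud apps"))
    return {"findings": findings, "fully_covered": fully_covered}


def _policy(name, state, include_apps, exclude_apps=()):
    """Build a constructed MFA policy for all users with the given app scope."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": include_apps,
                             "excludeApplications": list(exclude_apps)},
            "users": {"includeUsers": ["All"], "excludeUsers": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed samples: the first two are the incomplete posture the article
# describes, the third is the corrected setting.
WEAK_POLICY = _policy("Require MFA - selected apps", ENFORCED,
                      ["Office365"], exclude_apps=["placeholder-app-id"])
REPORT_ONLY_POLICY = _policy("Require MFA - all apps (pilot)",
                             "enabledForReportingButNotEnforced", ["All"])
HARDENED_POLICY = _policy("Require MFA - all users, all apps", ENFORCED, ["All"])

if __name__ == "__main__":
    for label, export in (("before", [WEAK_POLICY, REPORT_ONLY_POLICY]),
                          ("after", [WEAK_POLICY, REPORT_ONLY_POLICY, HARDENED_POLICY])):
        result = audit_mfa_coverage(export)
        print(f"{label}: fully covered = {result['fully_covered']}")
        for name, finding in result["findings"]:
            print(f"  [{name}] {finding}")
```

Run on a real export, the "(tenant)" finding is the one that matters most: scoped policies can all be individually reasonable and still leave an app that ROPC can reach without a challenge.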

This surge in activity serves as a stark reminder of the risks associated with maintaining legacy interoperability in modern cloud architectures. While vendors like Microsoft have long discouraged the use of the ROPC grant type, the operational burden of shifting away from these older configurations often results in them remaining active in production environments. As long as these pathways remain reachable, they will continue to serve as attractive targets for threat actors who specialize in credential stuffing and low-complexity, high-volume automated attacks against enterprise infrastructure globally.

Policy Enforcement And Weaknesses

The geopolitical and operational origins of the infrastructure remain a point of interest for researchers, with some indicators pointing to activity clusters involving LSHIY LLC across different autonomous systems. While the primary focus of this campaign is opportunistic credential testing, the potential for these account takeovers to serve as a bridgehead for further malicious activities remains a major concern for information security teams. Companies must now audit their entire cloud footprint to identify any remaining dependencies on deprecated authentication flows that could be leveraged by sophisticated adversaries seeking persistent access.

At least 78 user accounts were successfully compromised across 64 different organizations due to the abuse of legacy authentication flows.

To effectively mitigate the risks highlighted by this incident, experts recommend a comprehensive review of Azure CLI access logs and the immediate disabling of any legacy authentication protocols that lack support for modern security challenges. Organizations should move toward passwordless authentication or enforce strict hardware-backed multi-factor authentication wherever possible. Relying on default configurations is no longer sufficient in an era where automated tools can quickly scan entire organizations for the smallest cracks in their defensive armor, especially regarding long-standing enterprise cloud identity management.
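To make the log review recommended above concrete, and to show the identity-centric triage that the earlier paragraph on the LSHIY LLC traffic calls for instead of pure volume counting, here is an added Python example (not Huntress tooling and not code from this article). It groups sign-in records by source block, flags blocks that touch many distinct accounts with mostly failed attempts, and separately lists every successful ROPC sign-in, since those completed without any MFA prompt. The record layout loosely follows the Microsoft Graph signIn resource (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, status.errorCode); treat those field names as an assumption. Grouping IPv6 sources by /64 is a design choice of this example, and all records are constructed, using documentation address ranges.

```python
"""Triage Entra ID sign-in records for ROPC password spraying.

Added example. The record layout loosely follows the Microsoft Graph signIn
resource (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol,
status.errorCode); treat those field names as an assumption. All records below
are constructed for illustration, not real telemetry.
"""
import ipaddress
from collections import defaultdict

ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password


def source_key(ip: str) -> str:
    """Collapse an address to the block a spray commonly rotates within:
    the /64 for IPv6, the single host for IPv4. Design choice, not a rule."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def triage(records, min_distinct_users=5, min_failure_ratio=0.8):
    """Return spray-like source blocks (many distinct users, mostly failures)
    and every successful ROPC sign-in, which deserves attention regardless of
    volume because no MFA prompt was ever presented."""
    per_source = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    ropc_successes = []
    for rec in records:
        key = source_key(rec["ipAddress"])
        bucket = per_source[key]
        bucket["attempts"] += 1
        bucket["users"].add(rec["userPrincipalName"].lower())
        if rec["status"]["errorCode"] != ERR_SUCCESS:
            bucket["failures"] += 1
        elif rec.get("authenticationProtocol") == "ropc":
            ropc_successes.append((rec["userPrincipalName"], key, rec["appDisplayName"]))

    spray_sources = []
    for key, b in per_source.items():
        ratio = b["failures"] / b["attempts"]
        if len(b["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            spray_sources.append({
                "source": key,
                "distinct_users": len(b["users"]),
                "attempts": b["attempts"],
                "failure_ratio": round(ratio, 2),
            })
    spray_sources.sort(key=lambda s: s["distinct_users"], reverse=True)
    return {"spray_sources": spray_sources, "ropc_successes": ropc_successes}


def _rec(upn, ip, code, proto="ropc", app="Microsoft Azure CLI"):
    """Build one constructed sign-in record."""
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample: six users sprayed from one IPv6 /64 in the RFC 3849
# documentation prefix (standing in for the provider block named in the
# article), one guessed password that succeeded with no MFA prompt, and one
# ordinary interactive portal sign-in that must not be flagged.
SAMPLE_SIGNINS = (
    [_rec(f"user{i}@example.com", f"2001:db8:1::{i}", ERR_BAD_PASSWORD) for i in range(1, 7)]
    + [_rec("user6@example.com", "2001:db8:1::7", ERR_SUCCESS),
       _rec("alice@example.com", "203.0.113.9", ERR_SUCCESS, proto="none", app="Azure Portal")]
)

if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for src in result["spray_sources"]:
        print("spray source:", src)
    for upn, src, app in result["ropc_successes"]:
        print(f"ROPC success for {upn} from {src} via {app}: review and reset")
```

The thresholds are deliberately low so the constructed sample trips them; on real tenant data they should be tuned against a baseline, and the ropc_successes list should be treated as a queue for credential resets and session revocation rather than as a statistic.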

Proactive Defense Against Automation

As security teams analyze the remnants of this campaign, the industry must prepare for a future where automated credential abuse becomes increasingly pervasive and difficult to block without advanced Threat Intelligence integrations. Future efforts to harden the cloud must prioritize the decommissioning of legacy grant types to ensure that modern security protections cannot be sidestepped. By closing these specific technical vulnerabilities, organizations can significantly raise the cost of entry for attackers, effectively turning these widespread automated campaigns into futile exercises that yield nothing but wasted effort for the malicious actors involved.

KEY TAKEAWAYS

The attacks relied on a deprecated OAuth grant type that bypasses modern multi-factor authentication requirements completely.

The majority of the malicious traffic was traced to a specific IPv6 range controlled by the infrastructure provider LSHIY LLC.
