Azure CLI Password Spray Attack Exposes Microsoft 365 MFA Gap
ID: f9c21bec-c4e7-5222-9786-1726413152b3
STIX ID: report--f9c21bec-c4e7-5222-9786-1726413152b3
Feed Name: TechRepublic Security
Huntress observed a large-scale password-spray campaign (June 12–26, 2026) that leveraged Azure CLI ROPC noninteractive sign-ins to exploit Conditional Access gaps, producing over 81 million login attempts and resulting in at least 78 compromised Microsoft accounts across 64 organizations; activity was linked to IPv6 range 2a0a:d683::/32 (AS32167). The report highlights that MFA itself was not bypassed but was rendered ineffective where Conditional Access policies were narrowly scoped, left in report-only mode, or excluded trusted locations; recommended actions include broadening Conditional Access to cover all cloud apps and users, rotating exposed credentials, using service principals for automation, and monitoring Entra ID sign-in logs for ROPC/Azure CLI activity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
