Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
ID: bf762e66-132e-5da4-b4ce-d563127a2ace
STIX ID: report--bf762e66-132e-5da4-b4ce-d563127a2ace
Feed Name: The Hacker News
Cybersecurity researchers observed a massive automated password-spray campaign (June 12–26, 2026) originating largely from an IPv6 range owned by LSHIY LLC that performed over 81 million login attempts and successfully compromised 78 Microsoft accounts across 64 organizations by abusing the legacy ROPC OAuth flow to circumvent Conditional Access and misconfigured MFA. Organizations are advised to require MFA for all users/apps/client types, restrict Azure CLI for non-admins, and prioritize credential validity and CAP configuration to mitigate this vector.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
