A password spray attack against Microsoft Azure CLI environments has been detected, targeting 64 organizations with over 81 million login attempts and resulting in 78 compromised accounts within just two weeks. The attackers tried common password combinations through an OAuth method that bypasses multi-factor authentication (MFA), taking advantage of inadequate MFA configurations. Many of the impacted businesses had MFA in place, but it did not trigger due to specific limitations.
This campaign reflects a significant increase in credential spray attempts and underscores the need for comprehensive conditional access policies and stricter controls on OAuth flows.
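Detection logic for the pattern described above, added here as an example and not taken from the original report: it flags successful single-factor Azure CLI sign-ins from a source IP that also failed passwords for many distinct accounts. Field names follow the Microsoft Graph sign-in log schema; the sample records, the `appDisplayName` value, the per-IP grouping and the five-account threshold are assumptions.

```python
from collections import defaultdict

AZURE_CLI = "Microsoft Azure CLI"  # appDisplayName as seen in sign-in logs (assumption)
BAD_PASSWORD = 50126               # Entra ID error code: invalid username or password


def _ev(user, ip, code, req="singleFactorAuthentication", app=AZURE_CLI):
    """Build one constructed record shaped like a Microsoft Graph signIn object."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "status": {"errorCode": code}, "authenticationRequirement": req}


# Constructed sample data (documentation IP ranges, example.com accounts).
SAMPLE = (
    [_ev(f"user{i}@example.com", "203.0.113.7", BAD_PASSWORD) for i in range(6)]
    + [_ev("user3@example.com", "203.0.113.7", 0)]            # spray hit, MFA never ran
    + [_ev("admin@example.com", "198.51.100.4", 0, "multiFactorAuthentication")]
    + [_ev("dev@example.com", "198.51.100.9", BAD_PASSWORD)]  # ordinary typo, then success
    + [_ev("dev@example.com", "198.51.100.9", 0)]
)


def find_spray_hits(events, min_users=5):
    """Return sorted (ip, user) pairs: single-factor Azure CLI successes from an
    IP that failed passwords for at least `min_users` distinct accounts."""
    failed = defaultdict(set)   # ip -> accounts with a bad-password failure
    successes = []              # (ip, user) for successes where MFA was not required
    for e in events:
        if e["appDisplayName"] != AZURE_CLI:
            continue
        code = e["status"]["errorCode"]
        user = e["userPrincipalName"].lower()
        if code == BAD_PASSWORD:
            failed[e["ipAddress"]].add(user)
        elif code == 0 and e["authenticationRequirement"] == "singleFactorAuthentication":
            successes.append((e["ipAddress"], user))
    sprayers = {ip for ip, users in failed.items() if len(users) >= min_users}
    return sorted({s for s in successes if s[0] in sprayers})


if __name__ == "__main__":
    for ip, user in find_spray_hits(SAMPLE):
        print(f"review {user}: single-factor Azure CLI sign-in from spraying IP {ip}")
```

A spray distributed across many source addresses will not trip a per-IP threshold; grouping by another key (time window, user agent, ASN) is the usual extension.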