
Huntress has flagged a massive password‑spray campaign that used the Azure CLI to target Microsoft 365 tenants; according to its research, the campaign generated more than eighty‑one million login attempts over a two‑week window and compromised seventy‑eight user accounts across sixty‑four organisations.
The attackers abused the deprecated OAuth ROPC (resource owner password credentials) flow, which allows a username and password to be exchanged directly for a token without triggering multi‑factor authentication prompts, as reported by SecurityWeek. By automating these attempts through the Azure CLI they were able to cycle through credential lists quickly, exploiting tenants that either lacked MFA entirely or had poorly configured conditional access rules.
Huntress first observed the activity on 1 July 2026 at 06:12 UTC and noted the last malicious attempt at 08:11 UTC the same day, with the bulk of the traffic originating from an autonomous system linked to LSHIY LLC, per The Hacker News. No specific threat actor has been attributed to the wave, and Huntress has not identified any associated CVEs: the campaign abused a legacy authentication method rather than a software flaw.
The incident highlights the continuing danger of legacy authentication protocols in cloud environments, showing that even organisations that have enabled MFA can be left exposed when older flows remain active. Huntress contacted LSHIY to report the source of the traffic but has not received a response, underscoring the difficulty of mitigating abuse that stems from compromised or misused network resources.
Administrators should immediately review Azure AD sign‑in logs for any ROPC authentication attempts and block that protocol through conditional access policies that disable legacy authentication, as advised by Huntress. Enforcing phishing‑resistant MFA for all administrative and user accounts, coupled with strict password‑spray protection such as smart lockout thresholds, will reduce the chance of success for future credential‑guessing attacks.
Organisations are also advised to limit Azure CLI access to only those accounts that require it, monitor for unusual volumes of failed sign‑ins from a single IP or ASN, and enable identity protection features that flag risky sign‑in behaviour, in line with industry recommendations. Following the guidance published by Huntress in its blog post will help security teams stay ahead of similar spray campaigns that exploit outdated authentication pathways.
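As an added illustration of the log review recommended above (example code, not from the Huntress report), the following Python script filters constructed Entra ID sign-in records for ROPC use and for the password-spray pattern of many distinct users failing from one IP or ASN, then lists accounts that authenticated successfully from a flagged source. Field names follow the Microsoft Graph signIn resource and are an assumption to check against your own tenant's export.

```python
import json
from collections import defaultdict

INVALID_PASSWORD = 50126  # AADSTS50126: wrong username or password

# Constructed sample sign-in records, one JSON object per line (not real log
# data; RFC 5737 test addresses and documentation ASNs). Field names follow
# the Microsoft Graph signIn resource; verify them against your own export.
SAMPLE_LOG = """
{"createdDateTime":"2026-07-01T06:12:03Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","ipAddress":"203.0.113.10","autonomousSystemNumber":64496,"status":{"errorCode":50126}}
{"createdDateTime":"2026-07-01T06:12:04Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","ipAddress":"203.0.113.10","autonomousSystemNumber":64496,"status":{"errorCode":50126}}
{"createdDateTime":"2026-07-01T06:12:05Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","ipAddress":"203.0.113.10","autonomousSystemNumber":64496,"status":{"errorCode":50126}}
{"createdDateTime":"2026-07-01T06:12:06Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","ipAddress":"203.0.113.10","autonomousSystemNumber":64496,"status":{"errorCode":0}}
{"createdDateTime":"2026-07-01T06:30:00Z","userPrincipalName":"erin@example.com","appDisplayName":"Office 365 SharePoint Online","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","autonomousSystemNumber":64500,"status":{"errorCode":0}}
{"createdDateTime":"2026-07-01T06:31:00Z","userPrincipalName":"erin@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","autonomousSystemNumber":64500,"status":{"errorCode":50126}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ropc_events(records):
    """Every sign-in that used the ROPC grant, successful or not; none should
    remain once legacy authentication is blocked by conditional access."""
    return [r for r in records if r.get("authenticationProtocol") == "ropc"]

def spray_sources(records, key="ipAddress", min_failures=3, min_users=3):
    """Group bad-password failures by source (IP or ASN). A spray shows many
    distinct users with few attempts each, so both thresholds must be met."""
    failures, users = defaultdict(int), defaultdict(set)
    for r in records:
        if r.get("status", {}).get("errorCode") == INVALID_PASSWORD:
            failures[r[key]] += 1
            users[r[key]].add(r["userPrincipalName"])
    return {src: {"failures": n, "users": len(users[src])}
            for src, n in failures.items()
            if n >= min_failures and len(users[src]) >= min_users}

def successes_from_spray_sources(records, key="ipAddress"):
    """Accounts that signed in successfully from a source already flagged as
    spraying: the likely compromised accounts to reset and investigate."""
    flagged = spray_sources(records, key)
    return sorted({(r[key], r["userPrincipalName"]) for r in records
                   if r[key] in flagged and r.get("status", {}).get("errorCode") == 0})

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print("spray sources:", spray_sources(recs))
    print("successes from spray sources:", successes_from_spray_sources(recs))
```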