HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Password Spray Campaign Compromises 78 Azure CLI Accounts Across 64 Organizations

A coordinated password‑spray attack against Azure CLI succeeded in breaching 78 accounts in 64 firms by abusing the deprecated OAuth ROPC flow, which bypassed MFA. The breach highlights the need for SOC 2‑aligned access‑control enforcement and continuous audit evidence.

LiveThreat™ Intelligence · 📅 July 01, 2026· 📰 securityaffairs.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Password Spray Campaign Compromises 78 Azure CLI Accounts Across 64 Organizations

What Happened — Huntress observed a large‑scale password‑spray operation targeting Microsoft Azure CLI environments from 12 June 2026. In just two weeks the attackers made more than 81 million login attempts, successfully compromising 78 Azure accounts belonging to 64 different organizations. The abuse leveraged the deprecated OAuth ROPC grant, bypassing MFA that was not applied to this flow.

Why It Matters for Compliance & Audit Readiness

  • The incident is a textbook example of a credential‑compromise scenario that SOC 2 access‑control criteria (CC6.1, CC6.2) are designed to prevent and evidence.
  • Gaps in MFA coverage for legacy authentication flows demonstrate the need for continuous control monitoring and documented policy enforcement.
  • Demonstrating that you have disabled insecure grant types and can produce audit‑ready logs of authentication attempts satisfies both security and trust‑center evidence requirements.

Who Is Affected – Cloud‑service users, DevOps teams, and SaaS providers that rely on Azure CLI for automation; sectors span technology, finance, healthcare, and other enterprises using Microsoft Azure.

Recommended Actions

  • Disable the OAuth ROPC flow or restrict it to service accounts with tightly‑scoped permissions.
  • Extend Conditional Access policies to cover all token‑issuance endpoints, ensuring MFA is enforced for every credential‑based request.
  • Enforce password‑complexity, rotation, and credential‑reuse detection; integrate with a password‑spray detection solution.
  • Map these remediation steps to SOC 2 CC6.1 (Logical Access) and CC6.2 (Multi‑Factor Authentication) controls and capture evidence in your continuous‑compliance platform.

Source: Security Affairs

Technical Notes – Attackers replayed breached username/password pairs against the /token endpoint using the OAuth Resource Owner Password Credentials (ROPC) grant, which does not trigger MFA. The traffic originated from IPv6 range 2a0a:d683::/32, linked to LSHIY LLC, a provider with infrastructure in China, Hong Kong, and the United States.

📰 Original Source
https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →