Password Spray Campaign Compromises 78 Azure CLI Accounts Across 64 Organizations
What Happened — Huntress observed a large‑scale password‑spray operation targeting Microsoft Azure CLI environments from 12 June 2026. In just two weeks the attackers made more than 81 million login attempts, successfully compromising 78 Azure accounts belonging to 64 different organizations. The abuse leveraged the deprecated OAuth ROPC grant, bypassing MFA that was not applied to this flow.
Why It Matters for Compliance & Audit Readiness
- The incident is a textbook example of a credential‑compromise scenario that SOC 2 access‑control criteria (CC6.1, CC6.2) are designed to prevent and evidence.
- Gaps in MFA coverage for legacy authentication flows demonstrate the need for continuous control monitoring and documented policy enforcement.
- Demonstrating that you have disabled insecure grant types and can produce audit‑ready logs of authentication attempts satisfies both security and trust‑center evidence requirements.
Who Is Affected – Cloud‑service users, DevOps teams, and SaaS providers that rely on Azure CLI for automation; sectors span technology, finance, healthcare, and other enterprises using Microsoft Azure.
Recommended Actions
- Disable the OAuth ROPC flow or restrict it to service accounts with tightly‑scoped permissions.
- Extend Conditional Access policies to cover all token‑issuance endpoints, ensuring MFA is enforced for every credential‑based request.
- Enforce password‑complexity, rotation, and credential‑reuse detection; integrate with a password‑spray detection solution.
- Map these remediation steps to SOC 2 CC6.1 (Logical Access) and CC6.2 (Multi‑Factor Authentication) controls and capture evidence in your continuous‑compliance platform.
Source: Security Affairs
Technical Notes – Attackers replayed breached username/password pairs against the /token endpoint using the OAuth Resource Owner Password Credentials (ROPC) grant, which does not trigger MFA. The traffic originated from IPv6 range 2a0a:d683::/32, linked to LSHIY LLC, a provider with infrastructure in China, Hong Kong, and the United States.