
81 Million Password Spray Attempts Against Azure CLI: What the MFA Gaps Tell Us
What Happened
Cybersecurity firm Huntress recently reported a large-scale password spray campaign targeting Microsoft 365 environments through the Azure CLI. According to the report covered by SecurityWeek, researchers observed more than 81 million login attempts against their customers between June 12 and 21. By the end of that window, 78 user accounts across 64 organizations had reportedly been compromised — at a rate of two to four accounts per day, with a notable spike around June 22 when 23 businesses were affected in a single day.
Huntress attributed the bulk of the activity to an autonomous system linked to internet hosting provider LSHIY LLC. The firm said it reported the malicious behavior through LSHIY’s abuse mechanism but received no reply. Notably, Huntress also observed that credential spray attack volume across its customer base had grown by more than 155 times over the prior six months — a stark indicator that this style of attack is accelerating, not fading.
The OAuth ROPC Blind Spot
What makes this campaign particularly instructive is how attackers reportedly bypassed multi-factor authentication. The method at the center of the campaign was the OAuth Resource Owner Password Credentials (ROPC) flow — a legacy authentication method that was deprecated in OAuth 2.1 precisely because it lacks support for modern security controls like MFA and single sign-on.
In practical terms, ROPC sends the username and password straight to the token endpoint and receives an access token in return; there is no interactive sign-in, so nothing triggers an MFA prompt. An attacker holding a valid username and password can therefore obtain a token without the user ever being asked for a second factor, even in a tenant where MFA has been deployed for interactive logins but no policy requires it for this flow.
The attacks were reportedly fueled by compromised password combo lists, underscoring the enduring risk that reused or previously exposed credentials pose to enterprise environments.
Where MFA Policies Fell Short
Huntress’s analysis of compromised organizations revealed a range of MFA configuration weaknesses:
- MFA was not enforced across all cloud applications
- Enforcement applied only to certain user groups, leaving others unprotected
- MFA was required only for logins from non-trusted locations
- MFA policies existed in configuration but were never actually enforced
- Eight of the affected businesses had no MFA policy whatsoever
Huntress was careful to note that the takeaway should not be that MFA is ineffective overall. Rather, the lesson is that MFA policies must be deliberately scoped to cover the specific authentication flows in use — including legacy flows like ROPC that bypass standard interactive prompts.
This is a meaningful distinction for security teams. A policy that enforces MFA for browser-based logins but leaves service tokens or legacy auth flows uncovered can create a false sense of protection. Attackers are clearly aware of these gaps and are exploiting them at scale.
Credential Hygiene and Policy Coverage: The Combined Defense
This campaign illustrates two compounding vulnerabilities that frequently appear together: weak or reused passwords and incomplete MFA coverage. Addressing either one alone leaves the other as an exploitable path.
Credentials that appear in combo lists — typically assembled from prior breaches — are only useful to an attacker if they still work. Organizations that enforce unique, strong passwords for every account and monitor for credential exposure on the dark web significantly narrow the attack surface before a spray attempt even begins. Tools purpose-built for enterprise password management and credential monitoring, including those in Keeper Security’s portfolio, are designed specifically to address this layer of risk.
Beyond credential quality, this incident reinforces the importance of treating MFA as a policy discipline, not just a feature toggle. Security teams should audit which authentication flows are active in their environments, verify that conditional access policies cover all of them — legacy flows included — and regularly test enforcement rather than assuming configuration equals protection.
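As an added example (not code from the article or the Huntress report), the following Python triage pass over constructed Entra ID sign-in records looks for both signals the article describes: one source address failing against many distinct accounts, and a successful token issued with a single factor through a non-browser client. Field names and values mirror the Microsoft Graph signIn resource, flattened for brevity; treat them as an assumption to verify against your own tenant's export.

```python
from collections import defaultdict

# Constructed sample sign-in events (values made up for this example, not taken
# from the report). Keys mirror Graph signIn fields: userPrincipalName -> upn,
# ipAddress -> ip, appDisplayName -> app, clientAppUsed -> client,
# status.errorCode -> error (0 = success), authenticationRequirement -> auth.
SAMPLE_SIGNINS = [
    {"upn": "alice@contoso.example", "ip": "203.0.113.5", "app": "Microsoft Azure CLI",
     "client": "Mobile Apps and Desktop clients", "error": 50126, "auth": "singleFactorAuthentication"},
    {"upn": "bob@contoso.example", "ip": "203.0.113.5", "app": "Microsoft Azure CLI",
     "client": "Mobile Apps and Desktop clients", "error": 50126, "auth": "singleFactorAuthentication"},
    {"upn": "carol@contoso.example", "ip": "203.0.113.5", "app": "Microsoft Azure CLI",
     "client": "Mobile Apps and Desktop clients", "error": 50126, "auth": "singleFactorAuthentication"},
    {"upn": "dave@contoso.example", "ip": "203.0.113.5", "app": "Microsoft Azure CLI",
     "client": "Mobile Apps and Desktop clients", "error": 50126, "auth": "singleFactorAuthentication"},
    # one guess landed: a token was issued with a single factor and no MFA prompt
    {"upn": "erin@contoso.example", "ip": "203.0.113.5", "app": "Microsoft Azure CLI",
     "client": "Mobile Apps and Desktop clients", "error": 0, "auth": "singleFactorAuthentication"},
    # the same user's normal browser session, which did satisfy MFA
    {"upn": "erin@contoso.example", "ip": "198.51.100.7", "app": "Office 365 Exchange Online",
     "client": "Browser", "error": 0, "auth": "multiFactorAuthentication"},
    {"upn": "erin@contoso.example", "ip": "198.51.100.7", "app": "Office 365 Exchange Online",
     "client": "Browser", "error": 50126, "auth": "multiFactorAuthentication"},
]

def detect_spray(events, min_users=3, min_failures=3):
    """Flag source IPs that fail against many distinct accounts (the spray signature).
    Returns {ip: {"users": distinct accounts tried, "failures": failed attempts}}."""
    by_ip = defaultdict(lambda: {"users": set(), "failures": 0})
    for e in events:
        by_ip[e["ip"]]["users"].add(e["upn"])
        if e["error"] != 0:
            by_ip[e["ip"]]["failures"] += 1
    return {ip: {"users": len(s["users"]), "failures": s["failures"]}
            for ip, s in by_ip.items()
            if len(s["users"]) >= min_users and s["failures"] >= min_failures}

def find_mfa_gaps(events):
    """Successful sign-ins completed with a single factor from a non-browser client:
    how a token obtained through ROPC looks when no policy demanded MFA for that flow."""
    return [e for e in events
            if e["error"] == 0 and e["auth"] == "singleFactorAuthentication"
            and e["client"] != "Browser"]

if __name__ == "__main__":
    for ip, stats in detect_spray(SAMPLE_SIGNINS).items():
        print(f"spray from {ip}: {stats['users']} accounts tried, {stats['failures']} failures")
    for e in find_mfa_gaps(SAMPLE_SIGNINS):
        print(f"single-factor token for {e['upn']} via {e['app']} from {e['ip']}")
```

Run the same two checks over a real export and the second list is a direct test of whether conditional access actually covered the flow, rather than a reading of the policy configuration.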
Password spray attacks succeed through volume and patience. The defenses that stop them are less about any single control and more about ensuring that every layer of authentication coverage is both correctly configured and consistently applied.
Reporting: Source
Ready to close the credential gap?
As a Keeper partner, Applied IAM deploys and runs Keeper across password management, dark web monitoring, secrets, and privileged access.
Talk to us about Keeper →