Cybersecurity firm Huntress has documented a large-scale password spray campaign targeting Microsoft 365 environments through the Azure CLI, resulting in the compromise of 78 user accounts across 64 organizations over a roughly two-week window ending June 21.

Scale and Timeline

Between June 12 and June 21, Huntress observed more than 81 million login attempts directed at its customer base. Attackers compromised two to four accounts per day throughout the period, with a notable spike around June 22 when 23 organizations were breached in a single day. The firm notes that credential spray attack volume across its customer base has grown by more than 155 times over the past six months, with a pronounced surge beginning in late May and early June.

The attacks appear to rely entirely on compromised password combo lists rather than targeted intelligence about individual victims.

OAuth ROPC: The Authentication Bypass

A key enabler of the campaign is the attackers’ use of the OAuth Resource Owner Password Credentials (ROPC) flow. ROPC, deprecated in OAuth 2.1, exchanges a username and password directly against the token endpoint to obtain a user-delegated access token. Because this flow does not support interactive authentication steps, it presents no MFA prompt to the user and bypasses MFA configurations that do not explicitly cover it.

Huntress found several MFA configuration weaknesses across affected organizations:

  • MFA not enforced for all cloud applications
  • MFA applied only to specific user groups
  • MFA required only for connections from non-trusted locations
  • MFA configured but never actually enforced
  • Eight affected businesses had no MFA policy at all

Huntress emphasized that the lesson is not that MFA is ineffective, but that policies must be scoped to cover all relevant authentication flows, including ROPC.

Infrastructure and Attribution

The majority of login attempts originated from AS32167, an autonomous system operated by LSHIY LLC, an internet infrastructure provider with registrations in Hong Kong, Wuhan (China), and New York. Additional reporting associates IPv6 ranges tied to AS32167 and AS955, both operated by LSHIY, with China-based infrastructure. Huntress submitted abuse reports to LSHIY through its designated reporting mechanism but received no response.

Recommended Actions

Security teams using Microsoft 365 and Azure should audit their Conditional Access and MFA policies to ensure ROPC-based authentication flows are explicitly addressed. Organizations should consider blocking or restricting ROPC entirely if it is not required by any legitimate application in their environment, and should review sign-in logs for unusual token issuance patterns originating from hosting ASNs.
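The log review suggested above, as an added example that is not Huntress's or Microsoft's code: it reads constructed Entra ID sign-in records, finds source IPs that failed against many distinct accounts (the spray shape), and flags password-only successes from those IPs or from the ASNs named in this report. The field names loosely follow the Microsoft Graph signIn resource and are an assumption; adjust them to your export format.

```python
"""Flag ROPC-style password spray activity in Entra ID sign-in records."""
import json
from collections import defaultdict

# Constructed sample records, not real log data. Field names loosely follow
# the Microsoft Graph signIn resource; treat the exact schema as an assumption.
# errorCode 0 = success, 50126 = invalid username or password.
SAMPLE_LOGS = """\
{"userPrincipalName":"ann@corp.example","ipAddress":"203.0.113.10","autonomousSystemNumber":32167,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"bob@corp.example","ipAddress":"203.0.113.10","autonomousSystemNumber":32167,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"cat@corp.example","ipAddress":"203.0.113.10","autonomousSystemNumber":32167,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"dan@corp.example","ipAddress":"203.0.113.10","autonomousSystemNumber":32167,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"eve@corp.example","ipAddress":"198.51.100.5","autonomousSystemNumber":64496,"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"fay@corp.example","ipAddress":"198.51.100.7","autonomousSystemNumber":64496,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
"""

WATCH_ASNS = {32167, 955}  # ASNs named in the Huntress reporting

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def spray_sources(records, min_users=3):
    """IPs whose failed logins touched at least min_users distinct accounts:
    the one-password-many-users shape of a spray."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failed[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip for ip, users in failed.items() if len(users) >= min_users}

def single_factor_compromises(records, watch_asns=WATCH_ASNS, min_users=3):
    """Successful sign-ins that satisfied only a password (the ROPC symptom)
    and came from a spraying IP or a watched hosting ASN."""
    sprayers = spray_sources(records, min_users)
    hits = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue
        if r["authenticationRequirement"] != "singleFactorAuthentication":
            continue
        if r["ipAddress"] in sprayers or r["autonomousSystemNumber"] in watch_asns:
            hits.append((r["userPrincipalName"], r["ipAddress"]))
    return hits

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOGS)
    print("spraying IPs:", sorted(spray_sources(recs)))
    for upn, ip in single_factor_compromises(recs):
        print(f"review: {upn} signed in with password only from {ip}")
```

Note that the password-only success from 198.51.100.7 is deliberately not flagged: a single-factor sign-in is only a finding here when it is tied to spray behaviour or a watched ASN, which keeps the output actionable rather than listing every account outside MFA scope.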