Password Spray Attack Bypasses MFA on 78 Azure Accounts
An automated password spray campaign made more than 81 million login attempts against Azure in two weeks and compromised 78 accounts across 64 organizations, several of which had multi-factor authentication switched on. The attackers got in by using a legacy login method that skips MFA prompts entirely.
By SecureBusinessHub Editorial, International cybersecurity desk
81 million. That's how many login attempts a single attacker group threw at Azure's command-line interface between June 12 and June 26, according to Huntress. 78 accounts across 64 organizations gave way.
How they got past MFA
The attackers used a deprecated OAuth flow called Resource Owner Password Credentials, or ROPC, where a username and password go straight to the token endpoint and an access token comes back with no interactive login screen and no MFA prompt in between. Microsoft has recommended against ROPC for years precisely because it doesn't work well with MFA, but nothing stops an application from still using it if it's technically enabled.
That's the part that matters here. Several of the breached organizations had Conditional Access policies requiring MFA. Those policies simply never fired, because ROPC logins don't pass through the interactive authorization endpoint where Conditional Access rules get enforced. Eight of the 64 organizations had no MFA policy at all, but the rest thought they were covered and weren't.
The numbers behind the campaign
- Attack window: June 12 to June 26, 2026
- More than 81 million login attempts recorded
- 78 accounts compromised across 64 organizations
- Traffic traced to the IPv6 range 2a0a:d683::/32, run by internet infrastructure provider LSHIY LLC (AS32167)
- Huntress recorded a 155-times increase in credential-spray volume across its customer base since late May
The targeting itself was indiscriminate. Huntress said the attacks are based entirely on which passwords show up most often in breached credential lists, not on industry or company size, which is exactly why a small business is just as likely a target as a large one.
Huntress also noted the campaign wasn't a one-off spike. The daily pace held at roughly two to four compromised accounts through most of June, jumped to twelve on June 19, then jumped again to thirty accounts across twenty-three businesses on June 22. Steady, patient credential testing like that is easy to miss in a sea of routine failed logins, and that is why it ran for two weeks before anyone other than the attackers noticed.
Are you exposed?
- In Microsoft Entra ID, check whether your Conditional Access policies are scoped to 'All cloud apps' and 'All client app types'. If they only cover browser sign-ins, ROPC logins slip through untouched.
- Search your Entra sign-in logs for grant type 'password' or client 'Azure CLI' entries, especially spikes from unfamiliar ASNs.
- Confirm whether the Azure CLI application is restricted to admin accounts, since most staff have no everyday reason to authenticate through it.
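The sign-in log review in the checklist above, worked through on a constructed sample export (example code written for this article, not Huntress or Microsoft tooling; the field names are assumed to follow the Microsoft Graph signIn resource, and AS64496/AS64500 are documentation-reserved ASNs used as stand-ins):

```python
from collections import defaultdict

# Constructed sample sign-in export, not real log data. Field names are
# assumed to follow the Microsoft Graph signIn resource.
def _rec(user, proto, asn, code, ca="notApplied"):
    return {"userPrincipalName": user, "authenticationProtocol": proto,
            "appDisplayName": "Microsoft Azure CLI", "autonomousSystemNumber": asn,
            "conditionalAccessStatus": ca, "status": {"errorCode": code}}

SAMPLE_SIGNINS = [
    _rec("alice@example.test", "ropc", 64496, 50126),   # wrong password
    _rec("bob@example.test", "ropc", 64496, 50126),
    _rec("carol@example.test", "ropc", 64496, 50126),
    _rec("alice@example.test", "ropc", 64496, 50126),
    _rec("bob@example.test", "ropc", 64496, 0),         # spray hit; CA never evaluated
    _rec("admin@example.test", "ropc", 64500, 50126),   # one typo from a known ASN
    _rec("dave@example.test", "oAuth2", 64496, 0, "success"),  # interactive, MFA passed
]

def ropc_spray_findings(signins, known_asns, min_failures=3):
    """Group ROPC (password-grant) sign-ins by source ASN and report any ASN
    that looks like a spray from an unfamiliar network, or that produced a
    token without Conditional Access being evaluated. Interactive protocols
    are skipped: they go through the endpoint where CA actually fires."""
    by_asn = defaultdict(lambda: {"failures": 0, "successes": [], "users": set()})
    for rec in signins:
        if rec.get("authenticationProtocol", "").lower() != "ropc":
            continue
        b = by_asn[rec["autonomousSystemNumber"]]
        b["users"].add(rec["userPrincipalName"])
        if rec["status"]["errorCode"] == 0:
            b["successes"].append(rec)
        else:
            b["failures"] += 1
    findings = []
    for asn, b in by_asn.items():
        unfamiliar = asn not in known_asns
        # A successful ROPC sign-in whose CA status is not "success" means the
        # MFA policy never ran for it: the gap the article describes.
        mfa_skipped = sorted(r["userPrincipalName"] for r in b["successes"]
                             if r["conditionalAccessStatus"] != "success")
        if (unfamiliar and b["failures"] >= min_failures) or mfa_skipped:
            findings.append({"asn": asn, "unfamiliar": unfamiliar,
                             "failures": b["failures"], "users_tried": len(b["users"]),
                             "mfa_skipped_successes": mfa_skipped})
    return sorted(findings, key=lambda f: f["asn"])

if __name__ == "__main__":
    for finding in ropc_spray_findings(SAMPLE_SIGNINS, known_asns={64500}):
        print(finding)
```

Against a real export, feed the records from your sign-in log query and your own ASN allow-list; the known ASN with a single failure is left alone, while the unfamiliar one is reported both for the failure volume and for the MFA-skipping success.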
What to do
Rebuild your Conditional Access policies to explicitly cover every client app type, not just interactive browser logins. Restrict who can use the Azure CLI's non-interactive sign-in path, and treat any password that has ever appeared in a breach as compromised, whether or not it was ever used successfully against you.