Massive Password Spray Attack Hits Microsoft Azure Accounts

Hackers have been targeting Microsoft Azure CLI environments with a massive automated password spray campaign since June 12. The campaign tries a small number of common passwords against many accounts, which avoids lockouts while still catching weak or reused passwords.

In just two days, the attackers made over 30 million login attempts against Huntress customer accounts, breaking into 78 Microsoft accounts across 64 organizations. The traffic comes from an IPv6 range controlled by LSHIY LLC, a company registered in China.

The attack uses the OAuth ROPC flow, which bypasses multi-factor authentication (MFA) at businesses that have not specifically blocked it. This allowed attackers to compromise 15 businesses with MFA enforced via a Conditional Access Policy (CAP) on June 22 alone.

To prevent similar attacks, Microsoft Azure admins need to ensure their CAPs cover all users, cloud apps, and client app types without exceptions. Enabling the userStrongAuthClientAuthNRequired setting can block ROPC flows outright. Restricting Azure CLI access for non-admin users also removes an attack surface.
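One way to hunt for this pattern in Entra sign-in logs, as an added example that is not from the article or from Huntress: it groups ROPC sign-ins by source IPv6 block and flags blocks that hit many distinct accounts, listing any that succeeded. The records below are constructed, shaped after the Microsoft Graph signIn resource fields named in the comment; the prefix width and user threshold are assumptions to tune.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records shaped after the Microsoft Graph signIn resource
# (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol,
# status.errorCode; errorCode 0 is success). Addresses use documentation ranges.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "2001:db8:1:1::10",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "2001:db8:1:2::20",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "2001:db8:1:3::30",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "2001:db8:1:4::40",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "2001:db8:9::1",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.7",
     "appDisplayName": "Office 365", "authenticationProtocol": "authorizationCode",
     "status": {"errorCode": 0}},
]

def source_key(addr: str, v6_bits: int = 48) -> str:
    """Collapse an IPv6 source to its /v6_bits block (spray traffic rotates inside one allocation)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{addr}/{v6_bits}", strict=False))
    return str(ip)  # IPv4 sources are kept as single addresses

def find_ropc_spray(signins, min_users: int = 3, v6_bits: int = 48):
    """One alert per source block that used ROPC against >= min_users accounts."""
    buckets = defaultdict(lambda: {"users": set(), "hits": set(), "attempts": 0})
    for s in signins:
        if s.get("authenticationProtocol") != "ropc":
            continue  # interactive, MFA-capable flows are out of scope here
        b = buckets[source_key(s["ipAddress"], v6_bits)]
        b["attempts"] += 1
        b["users"].add(s["userPrincipalName"])
        if s.get("status", {}).get("errorCode") == 0:
            b["hits"].add(s["userPrincipalName"])  # successful ROPC login
    alerts = [{"source": k, "attempts": b["attempts"], "distinct_users": len(b["users"]),
               "compromised": sorted(b["hits"])}
              for k, b in buckets.items() if len(b["users"]) >= min_users]
    return sorted(alerts, key=lambda a: -a["attempts"])
```

Accounts listed under "compromised" are the ones to reset and review first; a single-user ROPC login from an unrelated block is deliberately not flagged at the default threshold.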

The fix requires precision, but the targeting appears purely opportunistic, driven by which credentials appear most frequently in compromised password lists.

Source: https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html