Massive Azure CLI credential spray uses legacy flow to bypass MFA, hits 78 accounts

Security researchers warn of a large-scale, automated password-spray against Microsoft Azure CLI that logged over 81 million login attempts and compromised at least 78 Microsoft accounts across 64 organizations. The attackers used the deprecated OAuth 2.0 Resource Owner Password Credentials (ROPC) flow to bypass Conditional Access policies, targeting credentials from breached lists and exploiting MFA configurations that didn’t cover Azure CLI logins. The activity originated largely from an IPv6 range linked to LSHIY LLC (AS32167). Recommendations include enforcing MFA for all users and apps, restricting the Azure CLI app to non-admins, and ensuring CAPs are fully configured to close gaps exposed by ROPC.
Reading Insights
0
13
3 min
vs 4 min read
86%
719 → 103 words
Want the full story? Read the original article
Read on The Hacker News