"Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations," Huntress reported.
Scale and timeline: 81 million attempts, 78 accounts compromised
Security researchers at Huntress describe a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI). According to Huntress, the campaign generated more than 81 million login attempts between June 12 and June 26, 2026. Those attempts produced a steady cadence of successful logins — typically two to four compromised accounts per day between June 12 and June 21 — with spikes on June 19 (12 identities) and a larger surge on June 22 when 30 identities across 23 businesses were impacted. In total Huntress attributes 78 user accounts compromised across 64 organizations to this activity.
Technique: ROPC, a deprecated OAuth flow, used to bypass Conditional Access
The operation weaponized a legacy OAuth 2.0 grant type known as Resource Owner Password Credentials (ROPC). Huntress says the campaign used ROPC to reach Azure CLI logins in a way that could avoid enforcement of Conditional Access Policies (CAPs). The source material notes that ROPC is a deprecated flow — deprecated in OAuth 2.1 — and that Microsoft advises against using it because "it's incompatible with multi-factor authentication (MFA)." Microsoft is quoted as saying, "In most scenarios, more secure alternatives are available and recommended" and warning that "This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows."
Infrastructure and attribution: LSHIY LLC (AS32167) and IPv6 range
Huntress traces the bulk of the activity to an IPv6 address range, 2a0a:d683::/32, controlled by internet infrastructure provider LSHIY LLC (AS32167). The company reported that most of the password spraying activity originated from that ASN; some of the IP addresses resolve to the U.S., while a few others resolve to China. Huntress also framed the campaign as part of a larger surge in credential spray operations, saying, "These attacks are part of a large wave of credential spray attacks across a few different ASNs," and noting the volume of credential spray attacks has surged by over 155 times across its customer base.
Where defenses failed: Conditional Access misconfigurations and stale credentials
Huntress describes multiple patterns that allowed the attackers to succeed despite organizations having some CAPs and MFA in place. The ROPC vector bypassed CAP enforcement in scenarios including:
- Enforcing MFA only for specific apps, rather than "All Cloud Apps," leaving Azure CLI logins uncovered.
- Enforcing MFA only for specific user groups such as admins, leaving non-admin identities vulnerable.
- Enforcing MFA only when requests originate from non-trusted locations, allowing logins that did not trigger additional checks.
Huntress added that eight affected businesses had no MFA policy at all. The company emphasized that attackers appeared to be reusing "old username/password combinations that were previously breached but had never been rotated." Huntress counseled that while "threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn't work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents."
What this means for security teams, procurement leaders, and end users
- Security teams: Prioritize CAP configuration to require MFA for "All Users," "All Cloud Apps," and "All Client App types," and consider restricting Azure CLI access for non-admin accounts to reduce the ROPC attack surface, Huntress advised.
- Procurement and IT leadership: Re-evaluate whether any applications still use ROPC and plan to replace or remove legacy authorization flows that Microsoft warns are incompatible with modern protections.
- End users and administrators: Rotate or retire credentials discovered on breached combo lists and apply MFA consistently across all apps and client types to close the gaps that allowed these compromises.
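As an added example (not code from the Huntress report or from Microsoft), the following Python audits a tenant's Conditional Access policies for the scoping gaps listed above and the no-MFA case; it assumes policy objects in the Microsoft Graph conditionalAccessPolicy shape, and the sample policy set is constructed.

```python
# Added example, not code from the Huntress report: audit Entra ID Conditional
# Access policies (Microsoft Graph conditionalAccessPolicy field names) for the
# MFA-scoping gaps the report describes. Sample policies are constructed.
def requires_mfa(policy):
    """True for an enabled policy whose grant controls include MFA."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "mfa" in controls

def narrowing(policy):
    """Ways this policy is scoped short of all users/apps/client types/locations."""
    cond = policy.get("conditions") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    users = set((cond.get("users") or {}).get("includeUsers") or [])
    client_types = set(cond.get("clientAppTypes") or [])
    excluded = (cond.get("locations") or {}).get("excludeLocations") or []
    gaps = []
    if apps != {"All"}:
        gaps.append("scoped to specific apps")          # Azure CLI left uncovered
    if users != {"All"}:
        gaps.append("scoped to specific users/groups")  # non-admins left exposed
    if client_types and client_types != {"all"}:
        gaps.append("scoped to specific client app types")
    if excluded:
        gaps.append("exempts trusted/named locations")  # 'trusted' IPs skip MFA
    return gaps

def mfa_gaps(policies):
    """[] if one enabled MFA policy is fully broad, else one line per shortfall."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    if not mfa_policies:
        return ["no enabled MFA policy"]
    findings = [(p.get("displayName", "<unnamed>"), narrowing(p)) for p in mfa_policies]
    if any(not gaps for _, gaps in findings):
        return []  # a broad policy covers the ROPC/Azure CLI path
    return [f"{name}: {', '.join(gaps)}" for name, gaps in findings]

# Constructed sample: two scoping patterns the report lists, no broad policy.
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeGroups": ["<constructed-admin-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]}},
    {"displayName": "MFA for Office 365 off-network", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "clientAppTypes": ["all"],
                    "locations": {"excludeLocations": ["AllTrusted"]}}},
]
```

Running `mfa_gaps(SAMPLE_POLICIES)` reports one finding per policy; adding a single enabled policy scoped to All Users, All Cloud Apps and all client app types with no location exclusion returns an empty list.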
Huntress concluded that the incident "reveals cracks in CAPs that haven't been appropriately configured" and highlighted a practical weakness: legacy protocols like ROPC can bypass poorly configured CAPs entirely because they do not go through the authorization endpoint where policies are enforced. For defenders, the immediate steps are clear in the company's guidance: require MFA broadly, restrict client app types where practical, and prioritize response by credential validity. The broader question left by the episode is whether legacy OAuth patterns will keep attracting automated, large-scale abuse until they are universally retired.