Signal
Massive password spray attack targets Microsoft Azure CLI, bypassing MFA
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-07-01 18:18 UTCUpdated 2026-07-02 14:45 UTC
rss
cveexploitsbreachessecurity_toolingincident_response
Trend in the last 24h
Current brief openSource links open
This current signal is open on the public brief with summary, metadata, source links, and full evidence. Pro adds compare-over-time, alerts, exports, and workflow.
No card needed for the free brief.
Evidence trail (top sources)
top sources (2 domains)domains are deduped. counts indicate coverage, not truth.2 top sources shown
limited source diversity in top sources
Overview
A large-scale password spraying campaign targeted Microsoft Azure CLI by exploiting a deprecated OAuth 2.0 authentication flow called Resource Owner Password Credentials (ROPC).
Entities
MicrosoftAzure CLIOAuth 2.0
Score total
0.98
Momentum 24h
3
Posts
3
Origins
2
Source types
1
Duplicate ratio
0%
Why now
- The attack occurred recently between June 12 and June 26, 2026, indicating an ongoing threat to Azure users.
- It exposes a vulnerability in legacy OAuth flows still in use, emphasizing the need for immediate remediation.
- The scale of login attempts and account compromises signals a sophisticated and automated campaign requiring prompt attention.
Why it matters
- The attack demonstrates how deprecated authentication protocols can be exploited to bypass MFA, a critical security control.
- Compromise of multiple accounts across many organizations highlights the widespread impact of such attacks on cloud infrastructure.
- Organizations relying on Azure CLI and OAuth 2.0 should urgently review and update their authentication methods to mitigate risk.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: medium
Recurring claims
- Attackers used a deprecated OAuth 2.0 flow (ROPC) to bypass MFA and conduct a massive password spraying campaign against Azure CLI accounts.
- At least 78 Microsoft accounts across 64 organizations were compromised during the attack involving over 81 million login attempts.
How sources frame it
- BankInfoSecurity: neutral
- SC Media: neutral
This incident highlights the risks of relying on deprecated authentication flows in cloud environments and the importance of enforcing modern MFA protections.
All evidence
All evidence
SC Media
scworld.com · scworld.com · 2026-07-02 14:45 UTC
BankInfoSecurity
bankinfosecurity.com · bankinfosecurity.com · 2026-07-01 18:18 UTC
Microsoft Azure’s CLI target of automated password spray attacks
SC Media · scworld.com · 2026-07-01 19:10 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 3Origin domains: 2Duplicates: -
Showing 3 / 0
Top publishers (this list)
- scworld.com (1)
- bankinfosecurity.com (1)
- SC Media (1)
Top origin domains (this list)
- scworld.com (2)
- bankinfosecurity.com (1)