Signal

Massive password spray campaign targets Microsoft Azure CLI accounts


Published 2026-07-01 05:46 UTC · Updated 2026-07-01 19:10 UTC
Tags: cve, exploits, security_tooling, incident_response
Evidence trail (top sources)
Top sources (4 domains). Domains are deduped. Counts indicate coverage, not truth.
4 top sources shown
The Hacker News
thehackernews.com · thehackernews.com · 2026-07-01 05:46 UTC
Overview

A large-scale automated password spraying attack has targeted Microsoft's Azure CLI, resulting in at least 78 compromised accounts across 64 organizations.

Entities
Microsoft
LSHIY LLC
Score total: 1.43
Momentum 24h: 4
Posts: 4
Origins: 4
Source types: 1
Duplicate ratio: 0%
Why now
  • The campaign is ongoing with recent activity between June 12 and June 26, 2026.
  • Attackers exploit deprecated OAuth 2.0 flows, a known but unmitigated vulnerability.
  • Microsoft Azure CLI users must urgently review and strengthen their security configurations.
Why it matters
  • The attack compromises cloud infrastructure access, risking data breaches and service disruptions.
  • Bypassing MFA weakens a critical security control, increasing account takeover risks.
  • Highlights the need to update and secure authentication protocols in cloud services.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
  • Attackers conducted over 81 million password spray login attempts targeting Azure CLI accounts.
  • At least 78 Microsoft Azure accounts across 64 organizations were compromised in the attack.
  • Attackers bypassed multifactor authentication by abusing a deprecated OAuth 2.0 authentication flow.
This incident reveals a sophisticated password spraying campaign exploiting legacy OAuth flows to bypass MFA, emphasizing the importance of updating authentication methods in cloud environments.
All evidence
The Hacker News
thehackernews.com · thehackernews.com · 2026-07-01 05:46 UTC
Microsoft Azure’s CLI target of automated password spray attacks
SC Media · scworld.com · 2026-07-01 19:10 UTC
Azure Password-Spraying Attack Bypasses MFA Defenses
BankInfoSecurity · bankinfosecurity.com · 2026-07-01 18:18 UTC
Massive Password Spray Campaign Targeting Azure CLI
SecurityWeek · securityweek.com · 2026-07-01 07:46 UTC
Top publishers (this list)
  • thehackernews.com (1)
  • SC Media (1)
  • BankInfoSecurity (1)
  • SecurityWeek (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • scworld.com (1)
  • bankinfosecurity.com (1)
  • securityweek.com (1)