What's Happening?
A significant cybersecurity threat has emerged as attackers conduct a massive password spray campaign against the Azure CLI, compromising Microsoft 365 environments. According to cybersecurity firm Huntress, between June 12 and 21, over 81 million login attempts were observed, resulting in the compromise of 78 user accounts across 64 organizations. The attacks, originating from systems associated with hosting provider LSHIY, involved 2-4 account compromises daily, with a notable spike on June 22 affecting 23 businesses. The attackers used the OAuth ROPC (Resource Owner Password Credentials) flow, which, despite being deprecated in OAuth 2.1, let them bypass multi-factor authentication (MFA) wherever MFA was not enforced for that flow. Huntress identified weaknesses in MFA configurations, noting that some businesses had no MFA policy at all, while others enforced it only partially.
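A defender-side illustration of the pattern described above, added here and not taken from Huntress or the original article: a simplified detector that groups Azure CLI sign-in failures made over ROPC by source IP, flags sources that fail against many distinct accounts within a short window, and lists any account the same source then signed in to successfully over ROPC (the MFA gap the campaign exploited). The record fields (`ip`, `app`, `protocol`, `result`) are an assumed, simplified shape, and every sample entry is constructed, not real log data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (simplified, assumed field names); not real log data.
# One source sprays six accounts over ROPC, then succeeds against one of them.
SAMPLE_SIGNINS = [
    {"time": f"2025-06-14T02:0{i}:00Z", "ip": "203.0.113.10", "user": f"user{i}@example.test",
     "app": "Microsoft Azure CLI", "protocol": "ropc", "result": "failure"}
    for i in range(6)
] + [
    {"time": "2025-06-14T02:07:00Z", "ip": "203.0.113.10", "user": "user3@example.test",
     "app": "Microsoft Azure CLI", "protocol": "ropc", "result": "success"},
    # Benign noise: one admin mistypes a password once, then signs in from the usual address.
    {"time": "2025-06-14T09:00:00Z", "ip": "198.51.100.7", "user": "admin@example.test",
     "app": "Microsoft Azure CLI", "protocol": "ropc", "result": "failure"},
    {"time": "2025-06-14T09:00:30Z", "ip": "198.51.100.7", "user": "admin@example.test",
     "app": "Microsoft Azure CLI", "protocol": "ropc", "result": "success"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_ropc_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {ip: alert} for sources whose ROPC failures against the Azure CLI client
    span at least min_users distinct accounts inside one sliding window.
    Each alert also lists accounts that source later reached over ROPC (no MFA prompt)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["protocol"] == "ropc" and r["app"] == "Microsoft Azure CLI":
            by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        failures = [r for r in recs if r["result"] == "failure"]
        for i, start in enumerate(failures):
            t0 = parse_time(start["time"])
            users = {r["user"] for r in failures[i:] if parse_time(r["time"]) - t0 <= window}
            if len(users) >= min_users:
                alerts[ip] = {
                    "first_seen": start["time"],
                    "distinct_users": len(users),
                    "ropc_success_users": sorted({r["user"] for r in recs if r["result"] == "success"}),
                }
                break  # one alert per source is enough; later windows add nothing new
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_ropc_spray(SAMPLE_SIGNINS).items():
        print(ip, alert)
```

Accounts listed under `ropc_success_users` are the ones to review first: a successful ROPC sign-in after a spray means no conditional access policy challenged that flow.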
Why Is It Important?
This campaign highlights the weaknesses in current cybersecurity practices, particularly around MFA configuration. The attackers' ability to bypass MFA by using the OAuth ROPC flow underscores the need for organizations to review and strengthen their authentication policies. The incident serves as a wake-up call for businesses relying on cloud services, emphasizing the importance of MFA policies that cover every authentication flow, not just interactive browser sign-ins. The broader impact on U.S. industries could be significant, as compromised accounts may lead to data breaches, financial losses, and reputational damage. The event also raises concerns about the security of cloud-based services and the need for continuous monitoring and updating of security controls.
What's Next?
Organizations affected by this campaign are likely to reassess their security strategies, particularly their MFA configurations. There may be increased pressure on cloud service providers like Microsoft to enhance their security offerings and provide clearer guidance on securing authentication flows. Additionally, cybersecurity firms may develop new tools and strategies to detect and mitigate such attacks. Regulatory bodies could also step in to establish stricter security standards for cloud services, potentially leading to new compliance requirements for businesses. The response from LSHIY, the hosting provider linked to the attacks, remains uncertain, but further scrutiny and potential legal actions could follow if the malicious activity continues.