Last updated: July 5, 2026 at 9:01 AM UTC

Azure CLI password spray compromises 78 Microsoft accounts by bypassing MFA

Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.

Check
Review whether your multi-factor authentication and Conditional Access policies cover every sign-in path, including the Azure CLI and token-endpoint flows, not just web portals and admin accounts, and hunt for password-spray bursts.
Affected
Microsoft 365 organizations with weak or reused passwords, incomplete MFA, or Conditional Access gaps; attackers use a credential flow that skips interactive MFA to break in through the Azure CLI.
Fix
Enforce phishing-resistant MFA across all users, apps, and authentication flows, block legacy and password-based credential grants, apply Conditional Access to CLI access, and monitor sign-in logs for spray patterns and suspicious networks.
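
One way to hunt for the spray bursts mentioned under Check and Fix. This is an added example, not code from Huntress or Microsoft. It assumes sign-in records exported with the Microsoft Graph signIn field names; the function name, the 30-minute window, the 5-account threshold and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI
BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def find_spray(records, window=timedelta(minutes=30), min_users=5):
    """Flag IPs that fail Azure CLI logins for >= min_users accounts in one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["appId"] == AZURE_CLI_APP_ID:
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            by_ip[r["ipAddress"]].append((ts, r))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        fails = [(ts, r["userPrincipalName"].lower()) for ts, r in events
                 if r["status"]["errorCode"] == BAD_PASSWORD]
        sprayed, start = set(), 0
        for end in range(len(fails)):  # sliding window over failed logins
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                sprayed |= users
        if not sprayed:
            continue
        # Successes from a spraying IP that satisfied only one factor: the
        # case the article describes, where MFA policy did not cover the path.
        compromised = {r["userPrincipalName"].lower() for _, r in events
                       if r["status"]["errorCode"] == 0
                       and r.get("authenticationRequirement") == "singleFactorAuthentication"}
        findings[ip] = {"sprayed": sprayed, "compromised": compromised}
    return findings

# Constructed sample data (documentation IP ranges, made-up users).
def _rec(minute, user, ip, code):
    return {"createdDateTime": f"2026-07-01T10:{minute:02d}:00Z",
            "userPrincipalName": user, "ipAddress": ip, "appId": AZURE_CLI_APP_ID,
            "status": {"errorCode": code},
            "authenticationRequirement": "singleFactorAuthentication"}

SAMPLE = [_rec(i, f"user{i}@example.com", "203.0.113.7", BAD_PASSWORD) for i in range(6)]
SAMPLE.append(_rec(7, "user3@example.com", "203.0.113.7", 0))  # spray succeeds
SAMPLE += [_rec(i, "alice@example.com", "198.51.100.9", BAD_PASSWORD) for i in range(6)]
SAMPLE.append(_rec(9, "bob@example.com", "192.0.2.5", 0))  # ordinary CLI login

if __name__ == "__main__":
    for ip, f in find_spray(SAMPLE).items():
        print(ip, len(f["sprayed"]), "sprayed; compromised:", sorted(f["compromised"]))
```

Grouping by source IP is a simplification: a campaign spread across many addresses needs the same window logic keyed on network range or ASN instead.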