
Azure CLI Password-Spray Campaign Exposes Weak Link in Cloud Login Defenses
A large-scale password-spray campaign from June 12–26 attempted more than 81 million Azure CLI logins, compromising at least 78 Microsoft accounts by exploiting old passwords and a deprecated OAuth flow. The incident shows how attackers are probing overlooked corners of cloud authentication, with implications for any organization that leans on Azure and assumes multi-factor authentication is enough.
A sustained password-spray campaign against Microsoft Azure sign-ins has exposed how attackers can still slip past multi-factor authentication by exploiting lesser-known login paths. Between 12 and 26 June, threat actors carried out more than 81 million Azure CLI login attempts and managed to compromise at least 78 Microsoft accounts, according to a technical disclosure.
Investigators say the attackers leaned on two main advantages: troves of old breached passwords and the continued exposure of a deprecated OAuth flow known as Resource Owner Password Credentials (ROPC). In many of the compromised cases, multi-factor authentication (MFA) was enabled, but Azure CLI sign-ins using ROPC remained a weakness, allowing attackers to authenticate with just a username and password in scenarios where organizations had not fully closed that path.
For corporate users of Azure, the numbers are a warning that the most dangerous vulnerabilities are sometimes not zero-day exploits but misconfigurations and legacy features that linger on the edges of cloud environments. Password spraying—trying a few common or previously stolen passwords across many accounts to avoid triggering lockouts—remains a low-cost, scalable tactic. When combined with an authentication flow that treats a password as enough, it can yield access even in systems advertised as MFA-protected.
The immediate victims include at least 78 accounts whose credentials were successfully validated. While the disclosure did not detail which organizations those accounts belonged to or what data was accessed, any foothold in a Microsoft tenant can serve as a launching pad. Attackers who obtain initial access can attempt to escalate privileges, move laterally into more sensitive resources, or plant persistence mechanisms that survive password resets.
Strategically, the campaign highlights a broader tension in cloud security. Providers are under pressure to maintain backwards compatibility and to support a wide range of tools and scripts, such as the Azure CLI, that enterprises rely on daily. At the same time, every legacy feature left enabled adds to the attack surface. Many organizations assume that enforcing MFA at a policy level covers most risk; this incident suggests that assumptions about how and where MFA is actually enforced can be dangerously optimistic.
The episode also lands in an environment where cloud identity has become a prime target for state-linked and criminal groups. Access to a single cloud account can expose email, code repositories, virtual machines and data stores that were once separated across on-premises systems. The line between a “simple” login compromise and a strategic breach of intellectual property or sensitive communications is thinner than many boards and executives appreciate.
A useful lesson emerges for defenders: closing headline vulnerabilities is important, but the attack surface often shrinks fastest when organizations retire old authentication methods, audit all login flows—not just web portals—and reduce reliance on passwords that have appeared in previous breaches. Cloud security is increasingly about cleaning up the long tail of legacy settings rather than chasing the latest exploit alone.
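To make the detection side of this concrete, here is an added Python example (not from the disclosure, and not Microsoft tooling) that scans constructed Entra ID sign-in records for the two signals the campaign combined: spray-shaped failures from one source across many accounts, and password-only (ROPC) Azure CLI sign-ins that succeeded without an MFA step. Field names follow the Microsoft Graph signIn schema as I understand it; the sample records, the error code meaning and the thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample sign-in records shaped like Entra ID / Microsoft Graph
# signIn entries (only the fields the checks need). All values are made up.
# errorCode 50126 is assumed to mean "invalid username or password"; 0 is success.
SAMPLE_SIGNINS = [
    {"userPrincipalName": f"user{i}@example.com", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 50126}}
    for i in range(12)
] + [
    {"userPrincipalName": "user3@example.com", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "ropc",
     "status": {"errorCode": 0}},  # old password still valid, no MFA prompt
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.2",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},  # interactive browser flow, not ROPC
]

def spray_sources(signins, min_distinct_users=10):
    """Return {ip: distinct users} for IPs whose failed sign-ins span many
    accounts: the low-and-wide shape of a password spray."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] != 0:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}

def ropc_successes(signins, apps=("Microsoft Azure CLI",)):
    """Successful ROPC sign-ins to the named apps: password-only authentication
    that never reached MFA, the path this campaign exploited."""
    return sorted(
        s["userPrincipalName"] for s in signins
        if s["status"]["errorCode"] == 0
        and s["authenticationProtocol"] == "ropc"
        and s["appDisplayName"] in apps
    )

def triage(signins):
    """Combine both signals: a successful ROPC sign-in from a spraying IP is
    the highest-priority account to reset and investigate."""
    sources = spray_sources(signins)
    hits = {s["userPrincipalName"] for s in signins
            if s["ipAddress"] in sources and s["status"]["errorCode"] == 0
            and s["authenticationProtocol"] == "ropc"}
    return {"spray_sources": sources, "ropc_successes": ropc_successes(signins),
            "likely_compromised": sorted(hits)}

if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS))
```

In a real tenant the same logic runs over exported sign-in logs, and any non-empty `ropc_successes` list is worth a look on its own, since it shows where a password alone still grants access.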
In the near term, security teams will be watching whether Microsoft accelerates efforts to disable or further restrict the ROPC flow, how many additional tenants discover suspicious Azure CLI login attempts in their logs, and whether similar campaigns pivot to other command-line tools and identity providers once this vector becomes harder to abuse.
Sources
- OSINT