# Password-Spray Campaign Hits Azure CLI, Exposing MFA Weak Spots in Cloud Defense

*Wednesday, July 1, 2026 at 6:09 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-07-01T06:09:21.323Z
**Category**: cyber | **Region**: Global
**Importance**: 8/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/9465.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: A massive password-spraying campaign between June 12 and 26 used old breached credentials and a deprecated OAuth flow to make more than 81 million Azure CLI login attempts, compromising at least 78 Microsoft accounts. The incident shows how attackers can sidestep multi-factor authentication and exploit legacy features in widely used cloud platforms, with implications for enterprises and public-sector networks worldwide.

A recent wave of attacks on Microsoft’s cloud platform is forcing a blunt reassessment of how secure multi-factor authentication really is in practice. Between 12 and 26 June, a password-spraying campaign using the Azure command-line interface (CLI) racked up more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts, according to a detailed technical write-up.

The attackers relied on a familiar but still effective tactic: taking passwords exposed in previous data breaches and trying them at scale against Azure accounts, betting that many users reuse credentials or make only minor changes over time. What set this campaign apart was its use of a deprecated OAuth flow known as Resource Owner Password Credentials (ROPC), which allowed the attackers to authenticate directly against Azure Active Directory via the CLI.

In many of the compromised cases, multi-factor authentication (MFA) was nominally enabled. Yet the way Azure CLI sign-ins were handled meant that the attackers could still obtain tokens without triggering the expected second-factor checks. That gap turned a supposed safety net into a partial illusion for organizations that believed accounts with MFA were largely insulated from password-based attacks.

For enterprises and government agencies building their infrastructure on Microsoft’s cloud, the episode is a sobering illustration of how legacy authentication flows and edge-case configurations can undermine headline security features. Administrators may have disabled ROPC for most scenarios, only to find that certain service accounts, automated processes or overlooked policies still permitted its use. Attackers, scanning documentation and probing responses, appear to have found enough of those cracks to make the campaign worthwhile.

Operationally, at least 78 accounts being compromised is more than a technical footnote. Even brief unauthorized access to Azure identities can allow intruders to read email, exfiltrate data from cloud storage, manipulate application settings or pivot deeper into on-premises networks connected via hybrid configurations. The scale of the 81-million-attempt spray also means that many more organizations had their defenses quietly tested, even if no accounts were ultimately breached.

Strategically, the incident highlights an uncomfortable asymmetry in cloud security. Platform providers can promote MFA and modern protocols, but as long as backward-compatible and deprecated options remain available for special cases, attackers will seek them out. For CISOs and IT teams, the challenge is not only to enable stronger protections, but to aggressively prune old authentication methods and audit every exception—tasks that are difficult in sprawling, multi-tenant environments with legacy workloads.

The campaign also underscores how much of modern cyber risk is bound up with a small number of hyperscale platforms. A flaw or weak spot in one provider’s authentication flows can have ripple effects across thousands of businesses, critical infrastructure operators and public institutions that rely on the same building blocks for identity and access management.

MFA, the incident shows, is not a magic shield; it is only as strong as the least-protected door it is attached to.

In the near term, watch for advisories and configuration guidance from Microsoft on hardening Azure CLI and disabling ROPC wherever possible, as well as for follow-on reports from organizations that discover suspicious CLI logins during the June attack window. Regulators and auditors are also likely to take a closer look at how cloud providers handle deprecated authentication flows—turning what began as a technical story into a broader debate over shared responsibility in the cloud era.
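One way to hunt for the suspicious CLI logins described above, as an added example that is not from the original write-up: it scans sign-in records for ROPC authentications through Azure CLI inside the attack window, groups bad-password failures by source IP to surface spray sources, and lists every ROPC success. The field names are modelled on the Microsoft Graph `signIn` schema and the `Microsoft Azure CLI` display name is an assumption to check against your own export; the year 2026, the threshold, the `rec` and `hunt` helpers and all sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Window from the article (12-26 June); the year 2026 is assumed from its publication date.
WINDOW = (datetime(2026, 6, 12, tzinfo=timezone.utc), datetime(2026, 6, 27, tzinfo=timezone.utc))
BAD_PASSWORD = 50126  # Entra ID sign-in error code for an invalid username or password
CLI_APP = "Microsoft Azure CLI"  # assumed display name in your export; verify before relying on it

def rec(ts, user, ip, code, proto="ropc", app=CLI_APP, req="singleFactorAuthentication"):
    """Build one constructed sign-in record shaped like a Graph signIn object."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "appDisplayName": app, "authenticationProtocol": proto,
            "authenticationRequirement": req, "status": {"errorCode": code}}

# Constructed sample data: documentation IP ranges and made-up users.
SAMPLE = [
    rec("2026-06-14T02:10:01Z", "alice@example.com", "203.0.113.7", BAD_PASSWORD),
    rec("2026-06-14T02:10:02Z", "bob@example.com", "203.0.113.7", BAD_PASSWORD),
    rec("2026-06-14T02:10:03Z", "carol@example.com", "203.0.113.7", BAD_PASSWORD),
    rec("2026-06-14T02:10:04Z", "dave@example.com", "203.0.113.7", 0),      # success from spray IP
    rec("2026-06-15T09:00:00Z", "erin@example.com", "198.51.100.20", 0,
        proto="oAuth2", req="multiFactorAuthentication"),                   # normal CLI login
    rec("2026-06-20T11:00:00Z", "svc-build@example.com", "192.0.2.44", 0),  # legacy automation
    rec("2026-06-30T02:00:00Z", "frank@example.com", "203.0.113.7", 0),     # outside the window
]

def hunt(events, window=WINDOW, spray_threshold=3):
    """Return spray source IPs and every ROPC success via Azure CLI inside the window."""
    failed = defaultdict(set)  # source IP -> distinct users with a bad-password failure
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        if not window[0] <= ts < window[1]:
            continue
        if e.get("appDisplayName") != CLI_APP or e.get("authenticationProtocol") != "ropc":
            continue
        code = e["status"]["errorCode"]
        if code == BAD_PASSWORD:
            failed[e["ipAddress"]].add(e["userPrincipalName"].lower())
        elif code == 0:
            hits.append(e)
    spray = {ip: sorted(users) for ip, users in failed.items() if len(users) >= spray_threshold}
    # Each success: (user, source IP, issued without a second factor, came from a spray source)
    successes = [(e["userPrincipalName"], e["ipAddress"],
                  e["authenticationRequirement"] == "singleFactorAuthentication",
                  e["ipAddress"] in spray) for e in hits]
    return {"spray_sources": spray, "successes": successes}

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

A success whose last flag is true warrants immediate credential reset and token revocation; one whose last flag is false points to an account still permitted to use ROPC, which is the kind of exception the article says needs auditing.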
