Published: · Region: Global · Category: cyber

[Context image: Microsoft, American multinational technology company. Not from the reported event. Photo via Wikimedia Commons / Wikipedia]

Massive Azure Login Attack Exposes How Legacy Auth Flows Put Cloud Tenants at Risk

A password-spraying campaign between 12–26 June saw more than 81 million Azure CLI login attempts and compromised at least 78 Microsoft accounts, security researchers report. The attackers exploited old breached passwords and a deprecated OAuth flow, raising fresh questions about how legacy authentication methods keep cloud tenants, MFA or not, on the firing line.

One of the largest recorded password‑spraying campaigns against Microsoft’s cloud has highlighted how legacy authentication flows can turn old credential leaks into fresh compromises, even in environments that use multi‑factor authentication. Between 12 and 26 June, attackers fired off over 81 million Azure CLI login attempts and successfully breached at least 78 Microsoft accounts, according to a detailed analysis by security researchers.

Investigators say the operation leaned on familiar building blocks—recycled passwords from previous data breaches and the Resource Owner Password Credentials (ROPC) OAuth flow, a legacy mechanism that allows applications to handle user passwords directly. Although ROPC has long been discouraged and is formally deprecated, it remains enabled in some tenants and applications. In those environments, the attackers were able to bypass some of the protections organizations assume they get from more modern, interactive login methods.

For the organizations affected, the stakes go beyond the raw number of accounts. Azure CLI access can grant a foothold into cloud subscriptions that manage infrastructure, virtual machines, storage accounts, and in some cases, production workloads. A single compromised account with elevated permissions can become a launchpad for deploying malicious code, exfiltrating data, or tampering with configurations in ways that are hard to detect quickly.

The campaign also exposed a painful reality for defenders: multi‑factor authentication is necessary but not sufficient when older auth flows are still in play. Researchers noted that in many cases, MFA was nominally enabled, but Azure CLI sign‑ins using ROPC were not subject to the same interactive challenges users expect in a browser login. That gap allowed attackers to turn a list of historic passwords into real‑time access without needing to trick users into approving prompts.

At the same time, security analysis of a related threat known as “ClickFix” underscored how attackers are innovating in delivery as well as authentication abuse. A researcher who examined roughly 3,000 live ClickFix payloads found that instead of shipping static malware, operators were now using API‑driven servers to generate fresh, obfuscated commands on demand. A newer technique that drops code into a user’s Downloads folder rather than the clipboard appears designed to slip past Microsoft’s Antimalware Scan Interface (AMSI) and some traditional detection rules.

For IT teams, these developments translate into very practical risks. Helpdesk staff, developers, and administrators who routinely use Azure CLI or interact with scripts are prime targets: they often have powerful roles in cloud tenants and may be accustomed to clicking through what look like routine prompts or running familiar‑looking commands. Once an attacker lands in that environment, lateral movement within cloud resources may be faster and quieter than in on‑premises networks.

Strategically, the incident is another reminder that cloud security is only as strong as the weakest legacy path into it. Enterprises that have modernized their front‑end login experiences but left older OAuth flows, service principals, or unmanaged scripts untouched are effectively leaving a side door open, even as they harden the front gate. The use of old breached passwords shows that attackers are willing to invest in scale rather than sophistication when the architecture permits it.

The key takeaway is that in a cloud world, “deprecated” does not mean “harmlessly dead”—it means “still exploitable until someone takes it away.” Security teams will now be looking closely at tenant logs for unusual Azure CLI activity, disabling ROPC where it is still enabled, tightening conditional access policies, and reevaluating how they detect script‑based threats like ClickFix before they translate millions of login attempts into one devastating compromise.
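As an added illustration of the log review described above (example code, not from the article, the researchers, or any Microsoft tool): a small Python triage over sign-in records that flags a source IP failing against many distinct users inside a short window, then escalates any successful sign-in from that IP, treating a success over the ROPC grant as critical because no interactive MFA prompt stood in its way. Field names (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, status.errorCode) follow the Microsoft Entra sign-in log schema as an assumption, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (Entra sign-in log field names assumed).
# One IP sprays four users through the Azure CLI app over ROPC (errorCode
# 50126 = bad password) and finally lands one; a normal browser login is noise.
SAMPLE_LOG = """
{"createdDateTime":"2025-06-14T02:00:01Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-14T02:00:03Z","userPrincipalName":"bob@example.test","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-14T02:00:05Z","userPrincipalName":"carol@example.test","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-14T02:00:07Z","userPrincipalName":"dave@example.test","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-14T02:00:09Z","userPrincipalName":"dave@example.test","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","status":{"errorCode":0}}
{"createdDateTime":"2025-06-14T02:01:00Z","userPrincipalName":"erin@example.test","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","authenticationProtocol":"none","status":{"errorCode":0}}
"""
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 3  # deliberately low for the demo; tune to the tenant baseline

def parse_log(text):
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(recs, key=lambda r: r["ts"])

def is_legacy_password_grant(rec):
    # ROPC hands the password straight to the token endpoint: no interactive MFA step.
    return rec.get("authenticationProtocol") == "ropc"

def find_spray_sources(recs):
    """Return {ip: max distinct users with failed sign-ins inside SPRAY_WINDOW}."""
    fails_by_ip = defaultdict(list)
    for r in recs:
        if r["status"]["errorCode"] != 0:
            fails_by_ip[r["ipAddress"]].append(r)
    sources = {}
    for ip, fails in fails_by_ip.items():
        for i, start in enumerate(fails):  # window anchored at each failure
            users = {f["userPrincipalName"] for f in fails[i:]
                     if f["ts"] - start["ts"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                sources[ip] = max(sources.get(ip, 0), len(users))
    return sources

def triage(text):
    """Flag successful sign-ins from spraying IPs; a success over ROPC is critical."""
    recs = parse_log(text)
    sprayers = find_spray_sources(recs)
    findings = [("critical" if is_legacy_password_grant(r) else "high",
                 r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
                for r in recs
                if r["ipAddress"] in sprayers and r["status"]["errorCode"] == 0]
    return sprayers, findings
```

Run against a real export, the findings list is the set of accounts to reset and review first; the ROPC hits are also the applications whose password-grant setting should be turned off.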
