
81 Million Azure Login Attempts and 78 Breached Accounts Expose MFA Weak Spot in Microsoft Cloud
A password-spraying campaign against Microsoft’s Azure CLI logged more than 81 million login attempts and compromised at least 78 accounts, pairing passwords from older breaches with a deprecated OAuth grant, Resource Owner Password Credentials (ROPC), that trades a password for tokens without ever presenting a second factor. The incident, spanning June 12–26, shows how legacy design choices in widely used cloud tools can turn into systemic exposure for governments, companies, and critical infrastructure.
A massive password‑spraying campaign against Microsoft’s Azure ecosystem has exposed a weak point in how multi‑factor authentication protects cloud logins, with more than 81 million attempts recorded and at least 78 accounts compromised. For enterprises and public bodies that rely on Azure for everything from email to critical infrastructure, the episode is a warning that legacy authentication paths can quietly undercut modern defenses.
Security researchers tracking the activity say the attackers focused on Azure CLI sign‑ins between 12 and 26 June, using passwords from older breaches and exploiting a deprecated OAuth grant, the Resource Owner Password Credentials (ROPC) flow. ROPC sends a username and password straight to the token endpoint and returns tokens in the same response; there is no redirect and no point at which a second factor can be presented. Some tenants still accept it, and wherever MFA is not actually required for a given user, application and client type, a sign‑in through ROPC completes with the password alone, even when the organization believed MFA was switched on for its users.
In practical terms, the attackers did not need to steal one‑time codes or bypass hardware keys in real time. Instead, they leaned on a design decision from an earlier era of cloud identity, when a trusted application was allowed to collect a user’s password itself and exchange it directly for access and refresh tokens. Combined with large troves of leaked credentials and automated scripts, that grant became a route into accounts that were supposed to be hardened.
The breadth of the campaign—tens of millions of login attempts—suggests an industrial‑scale operation rather than a targeted, manual intrusion. That scale matters because Azure tenants include a mix of private companies, government agencies, universities, and service providers, many of which are tightly interconnected. A successful compromise in even a small number of accounts can offer footholds into email systems, source code repositories, or administrative consoles that control wider networks.
For ordinary employees and administrators, the story cuts against an assumption many have internalized: that turning on MFA is a silver bullet. The Azure incident shows that multi‑factor is only as strong as the enforcement paths underneath it. If an older grant or a non‑browser client can still obtain a token without the policy demanding a second factor (a Conditional Access policy scoped only to browser sign‑ins, an excluded group, per‑user MFA never enabled), attackers will find and abuse that path, however complex a user’s password or however diligent their security training.
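To make the mechanism concrete, here is an added example in Python; it is not code from the article, from the researchers it cites, or from Microsoft. It builds (without sending) the single ROPC token request that the Azure CLI client identity would make, using the documented v2.0 token endpoint and the Azure CLI's public app ID, and then runs a small triage over constructed Entra sign-in records to separate spray traffic, password-only grants that succeeded with no second factor, and grants that an MFA policy actually stopped. The sign-in records, IPs and user names are constructed for illustration; the field names follow the Microsoft Graph signIn resource.

```python
"""Added example, not code from the article or from Microsoft.

1. ropc_token_request(): the one POST that makes up a Resource Owner Password
   Credentials grant, built against the documented v2.0 token endpoint and the
   public app ID of the Azure CLI client. Nothing is sent.
2. triage(): classify Entra sign-in records (constructed sample below) into
   spray sources, password-only successes and MFA-blocked attempts.
"""
from collections import defaultdict
from urllib.parse import urlencode

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI, public first-party client
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Documented Entra sign-in error codes used below: 0 success; 50126 invalid
# username or password; 50076 MFA required, which this flow cannot satisfy.
OK, BAD_PASSWORD, MFA_REQUIRED = 0, 50126, 50076


def ropc_token_request(tenant: str, username: str, password: str) -> tuple[str, str]:
    """Build the ROPC grant as (url, form body): password in, tokens out.

    There is no redirect, no browser and no step at which a second factor
    could be supplied. If policy does not *require* MFA for this user, app
    and client type, the password alone is enough.
    """
    form = urlencode({
        "grant_type": "password",
        "client_id": AZURE_CLI_APP_ID,
        "scope": "https://management.azure.com/.default",
        "username": username,
        "password": password,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), form


# Constructed sample: one source sprays six accounts with a breached password
# and lands one password-only success; a second source is stopped by an MFA
# policy; a third record is an ordinary interactive browser sign-in.
SAMPLE_SIGNINS = [
    {"ip": "203.0.113.7", "user": f"{u}@contoso.example", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "errorCode": BAD_PASSWORD}
    for u in ("alice", "bob", "carol", "dave", "erin", "frank")
] + [
    {"ip": "203.0.113.7", "user": "grace@contoso.example", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "errorCode": OK},
    {"ip": "198.51.100.20", "user": "henry@contoso.example", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "ropc", "errorCode": MFA_REQUIRED},
    {"ip": "192.0.2.5", "user": "alice@contoso.example", "appId": AZURE_CLI_APP_ID,
     "authenticationProtocol": "oAuth2", "errorCode": OK},
]


def triage(signins, spray_threshold: int = 5) -> dict:
    """Classify sign-in records.

    spray_sources: ip -> number of distinct accounts that failed with a bad
        password from that ip, reported when at or above spray_threshold.
    password_only_successes: (ip, user) where an ROPC grant succeeded, i.e.
        no second factor was demanded on that path.
    mfa_blocked: (ip, user) where policy required MFA and the grant failed.
    """
    failed_users = defaultdict(set)
    password_only, blocked = [], []
    for rec in signins:
        if rec["errorCode"] == BAD_PASSWORD:
            failed_users[rec["ip"]].add(rec["user"])
        elif rec["authenticationProtocol"] == "ropc" and rec["errorCode"] == OK:
            password_only.append((rec["ip"], rec["user"]))
        elif rec["errorCode"] == MFA_REQUIRED:
            blocked.append((rec["ip"], rec["user"]))
    return {
        "spray_sources": {ip: len(users) for ip, users in failed_users.items()
                          if len(users) >= spray_threshold},
        "password_only_successes": password_only,
        "mfa_blocked": blocked,
    }


if __name__ == "__main__":
    url, _form = ropc_token_request("contoso.example", "alice@contoso.example", "not-a-real-password")
    print("ROPC grant is a single POST to", url)
    for key, val in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {val}")
```

The useful signal in production is the second bucket: any successful sign-in with authenticationProtocol equal to ropc is, by construction, a sign-in that policy allowed through on a password alone, and each one names a user, app and client type that the tenant's MFA requirement does not reach. The first bucket is the usual spray heuristic (many distinct accounts failing from one source) and should be tuned per tenant rather than fixed at the threshold used here.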
From a strategic standpoint, large‑scale password spraying against cloud platforms is attractive to both criminal and state‑linked actors. Rather than probing thousands of on‑premises servers, attackers can concentrate on a handful of identity providers that sit in front of entire corporate fleets. Any systemic weakness in those providers, such as lingering support for outdated flows, can become a supply‑chain‑style vulnerability for whole sectors at once.
The episode also lands as organizations grapple with a wave of increasingly sophisticated malware delivery techniques, including the so‑called ClickFix campaigns that present a fake CAPTCHA prompt, talk the user into pasting and running a command, and fetch a dynamically generated payload that slips past security tools. Together, these trends point to a simple but uncomfortable reality: much of the risk now lies not in spectacular zero‑day exploits but in the long tail of configuration gaps, deprecated features, and user‑interface tricks that security teams struggle to fully inventory and lock down.
One takeaway is easy to remember even if hard to implement: cloud security is less about setting a policy than about closing every back door the policy leaves ajar. Blocking legacy authentication and password‑only OAuth grants by policy, requiring MFA for every user, application and client type rather than only for browser sign‑ins, watching for anomalous sign‑in volumes, and pressing platform providers to retire risky flows are becoming as important as rolling out MFA in the first place.
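The "close every back door" point can be checked rather than assumed. The following is an added example, not the article's or Microsoft's code: it audits Conditional Access policies in the shape the Microsoft Graph endpoint GET /identity/conditionalAccess/policies returns them and reports each way a policy falls short of requiring MFA for every user, app and client type. The three policies and the group ID in them are constructed samples; nothing is fetched.

```python
"""Added example, not the article's or Microsoft's code.

Audit Conditional Access policies (Microsoft Graph conditionalAccessPolicy
schema) for the gaps that leave a password-only grant such as ROPC
unchallenged. SAMPLE_POLICIES are constructed; nothing is fetched.
"""
from typing import Any

Policy = dict[str, Any]


def mfa_gaps(policy: Policy) -> list[str]:
    """Return the reasons this policy does not, on its own, force a second
    factor on every password-based sign-in in the tenant. Empty means it does."""
    gaps: list[str] = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, so it is not enforced")

    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []) and not grant.get("authenticationStrength"):
        gaps.append("grant controls do not require MFA")

    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key} exempts {len(users[key])} principal(s)")

    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        gaps.append("not scoped to all cloud apps")
    if apps.get("excludeApplications"):
        gaps.append(f"excludeApplications exempts {len(apps['excludeApplications'])} app(s)")

    # Non-browser OAuth clients such as the Azure CLI fall under
    # mobileAppsAndDesktopClients; a policy scoped to "browser" never sees them.
    clients = set(cond.get("clientAppTypes") or [])
    if "all" not in clients and not {"browser", "mobileAppsAndDesktopClients"} <= clients:
        gaps.append("clientAppTypes omits mobileAppsAndDesktopClients, where non-browser token requests fall")

    locations = cond.get("locations") or {}
    if locations.get("excludeLocations"):
        gaps.append("excludeLocations waives the requirement from listed networks")
    return gaps


def tenant_closes_password_only_path(policies: list[Policy]) -> bool:
    """True if at least one policy requires MFA everywhere with no gaps."""
    return any(not mfa_gaps(p) for p in policies)


_ALL_USERS = {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []}
_ALL_APPS = {"includeApplications": ["All"], "excludeApplications": []}
_MFA = {"operator": "OR", "builtInControls": ["mfa"]}

SAMPLE_POLICIES: list[Policy] = [
    {   # reads like "MFA for everyone" but only covers browser sign-ins
        "displayName": "Require MFA (browser)",
        "state": "enabled",
        "conditions": {"users": _ALL_USERS, "applications": _ALL_APPS,
                       "clientAppTypes": ["browser"]},
        "grantControls": _MFA,
    },
    {   # right scope, but report-only, with an exempt group and a trusted-network bypass
        "displayName": "Require MFA (all clients, report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {**_ALL_USERS, "excludeGroups": ["5d3c1c4e-2a44-4e1e-9b0e-0000000c0ffe"]},  # constructed group ID
                       "applications": _ALL_APPS,
                       "clientAppTypes": ["all"],
                       "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
        "grantControls": _MFA,
    },
    {   # the shape that actually closes the password-only path
        "displayName": "Require MFA (all users, all apps, all clients)",
        "state": "enabled",
        "conditions": {"users": _ALL_USERS, "applications": _ALL_APPS, "clientAppTypes": ["all"]},
        "grantControls": _MFA,
    },
]


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", mfa_gaps(p) or "no gaps")
    print("password-only path closed:", tenant_closes_password_only_path(SAMPLE_POLICIES))
```

The check deliberately reports every exclusion rather than deciding which are acceptable: a break-glass group left out of an MFA policy is standard practice, but it must be a named, monitored decision rather than a forgotten one, and a policy in report-only state enforces nothing however well it is scoped. Note that the Entra control usually labelled "block legacy authentication" targets pre-OAuth protocols; ROPC is an OAuth 2.0 grant, so it is a policy requiring MFA across all client app types, with no exclusions, that shuts it down.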
The next questions to watch are whether Microsoft moves to force‑disable the ROPC flow more aggressively, how many of the 78 confirmed account breaches led to deeper compromise, and whether regulators or major customers push for clearer audits of which authentication paths remain available in large cloud environments.
Sources
- OSINT