
Massive password spray attack targets Azure CLI, bypasses MFA


Coverage from The Hacker News indicates a large-scale, automated password spray attack is targeting Microsoft's Azure command-line interface (CLI), successfully compromising dozens of accounts. Huntress reports that the activity, originating from an IPv6 address range controlled by LSHIY LLC, has been ongoing since at least June 12.

The attack, which leveraged a deprecated OAuth flow called Resource Owner Password Credentials (ROPC), made over 81 million login attempts between June 12 and June 26, compromising at least 78 Microsoft accounts across 64 organizations. Despite many targeted organizations having Conditional Access policies enabled, the ROPC flow allowed attackers to bypass these protections. ROPC is a legacy OAuth 2.0 grant type where users directly provide credentials to an application, a method Microsoft advises against due to its incompatibility with multi-factor authentication (MFA). The attackers exploited compromised password lists, targeting accounts indiscriminately across industries.

While some organizations had MFA configured, it was not enforced for all cloud apps or client types, allowing the ROPC flow to succeed. Eight impacted businesses reportedly had no MFA policy at all. The attack highlights weaknesses in improperly configured Conditional Access policies, particularly how legacy protocols such as ROPC can circumvent security measures when policies do not cover them.

Source: The Hacker News
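
A defender can hunt for this pattern in exported sign-in logs. The following is an added example, not code from Huntress, The Hacker News or Microsoft: it flags ROPC sign-ins that touch many distinct accounts from one source, collapsing IPv6 addresses to their /64 prefix so that rotation inside a range still counts as a single source. Field names follow the Microsoft Graph signIn resource (assumed to match your export), the records are constructed, and the threshold is a hypothetical starting point.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource; that your export matches is an assumption.
def _rec(user, ip, code, proto="ropc"):
    return {"userPrincipalName": user, "ipAddress": ip,
            "appDisplayName": "Microsoft Azure CLI",
            "authenticationProtocol": proto, "status": {"errorCode": code}}

SAMPLE = (
    # 12 failed ROPC attempts (50126 = invalid username or password),
    # each from a different address inside the same IPv6 /64.
    [_rec(f"user{i}@contoso.example", f"2001:db8:aa:1::{i + 1:x}", 50126)
     for i in range(12)]
    # One success (errorCode 0) from that same /64.
    + [_rec("svc-backup@contoso.example", "2001:db8:aa:1::ff", 0)]
    # Unrelated traffic: a non-ROPC sign-in and a lone ROPC failure elsewhere.
    + [_rec("dev@contoso.example", "198.51.100.7", 0, proto="none")]
    + [_rec("ops@contoso.example", "2001:db8:bb:2::5", 50126)]
)

def source_key(ip, v6_prefix=64):
    """Collapse an IPv6 address to its prefix; leave IPv4 addresses as-is."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))
    return str(addr)

def find_ropc_spray(records, min_users=10, v6_prefix=64):
    """Report sources whose ROPC sign-ins hit at least min_users accounts."""
    targeted = defaultdict(set)   # source -> accounts attempted
    succeeded = defaultdict(set)  # source -> accounts with a successful sign-in
    for r in records:
        if (r.get("authenticationProtocol") or "").lower() != "ropc":
            continue
        src = source_key(r["ipAddress"], v6_prefix)
        user = r["userPrincipalName"].lower()
        targeted[src].add(user)
        if r["status"]["errorCode"] == 0:
            succeeded[src].add(user)
    return [{"source": src, "users_targeted": len(users),
             "compromised": sorted(succeeded[src])}
            for src, users in sorted(targeted.items())
            if len(users) >= min_users]

if __name__ == "__main__":
    for finding in find_ropc_spray(SAMPLE):
        print(finding)
```

Counting per individual address (`v6_prefix=128`) finds nothing in the same data, which is why the prefix grouping matters for a spray sourced from an IPv6 range.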
