A massive, ongoing series of automated password spray attacks was observed targeting Microsoft Azure’s command line interface (CLI), according to researchers at Huntress.

Huntress reported in a June 30 blog post that between June 12 and June 26, its team saw undetermined threat actors compromise 78 user accounts across 64 organizations. Over this 14-day window, the researchers said they saw over 81 million login attempts, the majority of which originated from AS32167, an autonomous system linked to internet infrastructure provider LSHIY, LLC.

What concerns security pros is the trajectory: in its ongoing research, Huntress observed a 155-fold increase in credential spray volume over the past six months, and security teams need to take note.

“Attackers aren't finding new ways in,” said Shane Barney, chief information security officer at Keeper Security. “They're systematically working through every authentication pathway organizations forgot to account for, testing previously breached credentials until something gives. Most security leaders have seen this dynamic before. The problem isn’t multi-factor authentication (MFA), it’s that policies get written once, scoped to the most visible applications and never revisited, while the authentication environment around them keeps growing.”

Barney explained that the resource owner password credentials (ROPC) flow exploited in this campaign is a legacy protocol that routes credentials directly to the token endpoint, entirely bypassing the interactive authentication layer where most MFA policies are enforced.

“The organizations caught up in this campaign weren't without security controls,” said Barney. “They were operating under the assumption that their MFA coverage was complete when it wasn't. Closing those gaps requires treating MFA as a living control rather than a compliance checkbox. Coverage must extend to all users, all cloud applications and all client authentication types, with legacy flows like ROPC restricted for non-administrative users entirely.”

Roy Katmor, co-founder and CEO of Orchid Security, added that MFA being enabled and MFA actually firing are two different things — and attackers have figured out how to land in the gap between them.

“Authentication tells you someone got in, but it tells you nothing about what they do next,” said Katmor. “Defenders spend enormous effort proving an identity is who it claims to be at login, and almost none watching how it behaves afterward. That's the half of the problem attackers are now living in.”

Here are four tips from Katmor on how teams can mitigate these types of identity-based credential attacks:
- Close the auth-flow gaps: Enforce MFA for all users, all cloud apps, and all relevant client app types, not just admin portals or specific groups.
- Restrict Azure CLI and similar clients: Most users do not need Azure CLI access.
- Treat password hygiene as live exposure: Rotate credentials known to appear in breaches, block common and compromised passwords and eliminate password reuse.
- Move from identity and access management control to application-layer identity visibility: These attacks succeed because identity controls are assumed to apply everywhere, but in reality they often apply unevenly across flows, apps, clients, local accounts, service accounts, and delegated access paths. Teams need to know which identities exist, where they authenticate, what apps they can reach, which flows bypass expected controls, and whether each application can produce a defensible audit trail.
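The ROPC gap Barney describes and Katmor's first two tips reduce to the same questions for a defender: which sign-ins reached the token endpoint without an interactive MFA prompt, which source is spraying them, and which accounts actually got in. The Python below is an added example written for this page; it is not Huntress's detection logic or any vendor's code. It runs over constructed records modelled on Microsoft Graph `signIn` objects (the fields `authenticationProtocol`, `autonomousSystemNumber`, `appDisplayName` and `status.errorCode` are the Graph property names as I understand them; the user names, IP addresses, counts and the "corporate" ASN 64496 are made up, and AS32167 is the one named in the article). It flags ROPC sign-ins, where MFA cannot have fired, identifies a spraying source by distinct-user and failure counts, and lists accounts that succeeded from that source.

```python
from collections import defaultdict

# Constructed sample data (not real tenant logs). Record shape follows the
# Microsoft Graph signIn resource: status.errorCode 0 = success,
# 50126 = invalid username or password (AADSTS50126).
SPRAY_ASN = 32167                      # the ASN named in the Huntress report
CORP_ASN = 64496                       # assumed "known good" ASN (documentation range)
AZURE_CLI_APP = "Microsoft Azure CLI"


def _rec(upn, app, proto, ip, asn, error_code):
    return {
        "userPrincipalName": upn,
        "appDisplayName": app,
        "authenticationProtocol": proto,      # "ropc", "oAuth2", "deviceCode", ...
        "ipAddress": ip,
        "autonomousSystemNumber": asn,
        "status": {"errorCode": error_code},
    }


SAMPLE_SIGN_INS = []
# Spray: one source ASN, many distinct users, ROPC straight to the token endpoint
for i in range(1, 7):
    SAMPLE_SIGN_INS.append(_rec(f"user{i}@example.com", AZURE_CLI_APP, "ropc",
                                f"203.0.113.{i}", SPRAY_ASN, 50126))
# One guess lands: ROPC success means no MFA prompt ever fired for this account
SAMPLE_SIGN_INS.append(_rec("user3@example.com", AZURE_CLI_APP, "ropc",
                            "203.0.113.9", SPRAY_ASN, 0))
# Legitimate interactive sign-ins from the corporate ASN (constructed)
SAMPLE_SIGN_INS.append(_rec("admin@example.com", "Azure Portal", "oAuth2",
                            "198.51.100.4", CORP_ASN, 0))
SAMPLE_SIGN_INS.append(_rec("admin@example.com", AZURE_CLI_APP, "deviceCode",
                            "198.51.100.4", CORP_ASN, 0))


def ropc_sign_ins(records):
    """Sign-ins that used ROPC. Credentials went directly to the token endpoint,
    so an interactive MFA policy could not have been enforced on them.
    Returns (userPrincipalName, appDisplayName, errorCode) tuples."""
    return [(r["userPrincipalName"], r["appDisplayName"], r["status"]["errorCode"])
            for r in records if r.get("authenticationProtocol") == "ropc"]


def detect_spray(records, min_users=5, min_failures=5):
    """Group sign-ins by source ASN. A spray is many distinct target users plus
    many failures from one source. Returns {asn: {"users": n, "failures": n}}
    for sources over both thresholds."""
    per_asn = defaultdict(lambda: {"users": set(), "failures": 0})
    for r in records:
        entry = per_asn[r["autonomousSystemNumber"]]
        entry["users"].add(r["userPrincipalName"].lower())
        if r["status"]["errorCode"] != 0:
            entry["failures"] += 1
    return {asn: {"users": len(e["users"]), "failures": e["failures"]}
            for asn, e in per_asn.items()
            if len(e["users"]) >= min_users and e["failures"] >= min_failures}


def likely_compromised(records, spray_asns):
    """Accounts with a successful ROPC sign-in from a spraying source: the set to
    reset passwords and revoke refresh tokens for."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["autonomousSystemNumber"] in spray_asns
                   and r["status"]["errorCode"] == 0
                   and r.get("authenticationProtocol") == "ropc"})


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_SIGN_INS)
    print("spray sources:", sprays)
    print("accounts to reset and revoke:", likely_compromised(SAMPLE_SIGN_INS, sprays))
    print("ROPC sign-ins (no interactive MFA possible):", ropc_sign_ins(SAMPLE_SIGN_INS))
```

The thresholds are arbitrary for the sample; against real logs you would apply them per ASN and per source prefix over a sliding time window, and the ROPC filter is the part worth keeping regardless of volume, because any non-administrative ROPC success is a sign-in your MFA policy never saw. A successful ROPC sign-in to Azure CLI from a spraying source is a strong enough signal to reset the password and revoke sessions rather than wait for post-authentication behaviour.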