Hackers spray passwords at Azure accounts using a legacy login method, and the doors are still open


Millions of login attempts are compromising dozens of Microsoft accounts across 64 organizations, with attacks rising sharply in recent weeks. The massive password-spraying attack opens doors by exploiting a legacy authentication method without multi-factor authentication (MFA).


Huntress, a cybersecurity company, is tracking a “massive, ongoing, automated” password spray attack targeting the Microsoft Azure command-line interface.


The researchers have already recorded 81 million login attempts against their customers' accounts over a two-week period, and warn that the intensity is increasing. The password-spraying campaign has compromised at least 78 Microsoft accounts across 64 organizations.

The firm has seen the volume of credential-spray attacks increase sharply, 155-fold, over the past six months.

“The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry,” the report reads.

Attackers are even breaking into accounts with MFA enabled but misconfigured – many organizations thought they were protected.


Hackers are abusing a deprecated authentication method, OAuth ROPC (Resource Owner Password Credentials), which was designed for highly trusted apps or systems.

ROPC only requires a username and a password, and attackers can authenticate without ever triggering MFA if organizations haven’t configured their environments to block or otherwise protect this authentication flow.


“Many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used,” Huntress warns.

Most of the malicious requests come from a single autonomous system, AS32167, linked to the internet infrastructure provider LSHIY LLC in Hong Kong. Attackers use the IPv6 address range of 2a0a:d683::/32. Third-party IP geolocation was inconsistent, with some IPs resolving to the US and others to China, complicating detection.

MFA with holes

Huntress analyzed 23 impacted organizations and found that only 8 had no MFA policy at all, while 15 had MFA implemented and enforced via a Conditional Access Policy (CAP), the Microsoft Entra ID policy mechanism that defines the conditions under which users must satisfy authentication requirements.

“The MFA did not fire for various reasons during this campaign,” the researchers said.

In five cases, MFA was enabled only for specific groups, such as Admins, and compromised users were outside those groups.

In four cases, MFA was enforced only for specific applications, such as Microsoft Admin Portals, VPN, or others, rather than “All Cloud Apps.” This left Azure CLI logins uncovered.

Four organizations enforced MFA for all users but only required it for non-trusted locations outside the US, and mislabeled IPs helped attackers bypass this requirement.

Two organizations implemented MFA in report-only mode, never enforcing it.


“Organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the Huntress researchers say. “This attack reveals cracks in CAPs that haven't been appropriately configured.”

They warn that the ROPC protocol can bypass poorly configured policies entirely. Businesses should instead require MFA for all users, all apps, and all client app types, unconditionally, and restrict the Azure CLI application.
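As an added example (not code from Huntress or this article), the Python audit below checks Conditional Access policies in the JSON shape Microsoft Graph returns from GET /identity/conditionalAccess/policies and flags each of the four gaps described above. The sample policies and the `<...-id>` values are constructed placeholders, not data from any real tenant.

```python
# Added example: audit Entra ID Conditional Access policies (Graph API JSON shape)
# for the MFA coverage gaps Huntress described. Sample data below is constructed.
def mfa_gaps(policy: dict) -> list:
    """Return the coverage gaps of one policy meant to enforce MFA ([] = no gaps)."""
    grant = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in grant:
        return ["policy does not require MFA"]
    gaps = []
    if policy.get("state") != "enabled":          # report-only never blocks a login
        gaps.append("not enforced (report-only or disabled)")
    cond = policy.get("conditions") or {}
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        gaps.append("scoped to specific users or groups")
    if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
        gaps.append("scoped to specific apps, not all cloud apps (Azure CLI uncovered)")
    if "all" not in cond.get("clientAppTypes", []):
        gaps.append("does not cover all client app types")
    loc = cond.get("locations") or {}
    if loc and ("All" not in loc.get("includeLocations", []) or loc.get("excludeLocations")):
        gaps.append("location condition lets mis-geolocated IPs skip MFA")
    return gaps

def tenant_enforces_mfa(policies: list) -> bool:
    """True only if at least one policy requires MFA for everyone, everywhere."""
    return any(not mfa_gaps(p) for p in policies)

def _policy(name, **over):
    """Build a constructed sample policy: a sound baseline with selected fields overridden."""
    p = {"displayName": name, "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"]},
                        "applications": {"includeApplications": ["All"]},
                        "clientAppTypes": ["all"], "locations": None},
         "grantControls": {"builtInControls": ["mfa"]}}
    for k, v in over.items():
        if k in p["conditions"]:
            p["conditions"][k] = v
        else:
            p[k] = v
    return p

# Constructed policies mirroring the four misconfigurations in the report.
SAMPLE_POLICIES = [
    _policy("Admins only", users={"includeUsers": [], "includeGroups": ["<admins-group-id>"]}),
    _policy("Admin portals only", applications={"includeApplications": ["<portal-app-id>"]}),
    _policy("MFA outside US", locations={"includeLocations": ["All"],
                                         "excludeLocations": ["<us-named-location-id>"]}),
    _policy("Report only", state="enabledForReportingButNotEnforced"),
]
```

Running `tenant_enforces_mfa(SAMPLE_POLICIES)` returns False; adding a single baseline policy with no overrides makes it True.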
