Legacy Authentication Exploited in Massive Azure CLI Password Spray

Article Content
The cybersecurity landscape is witnessing an unprecedented volume of highly automated, identity-centric attacks. Between June 12 and June 26, 2026, the threat intelligence team at security firm Huntress uncovered a massive, coordinated campaign targeting Microsoft 365 environments. In a span of just two weeks, attackers launched more than 81 million credential-stuffing and password-spraying attempts against Microsoft 365 via the Azure Command-Line Interface (CLI). Despite the brute-force nature of the assault, the operation was highly calculated, successfully compromising at least 78 Microsoft accounts across 64 distinct partner organizations. The core vulnerability exploited in this campaign lies in the persistent survival of legacy authentication protocols within modern enterprise environments. While IT administrators frequently assume their tenants are fully hardened behind modern multi-factor authentication (MFA), the threat actors proved that legacy pathways remain a highly viable backdoor for automated compromise.
Inside the 81-Million Attempt LSHIY Password Spray Campaign
The campaign, which saw an intense spike around June 22, 2026, when 23 organizations were compromised in a single day, was not targeting specific industries or sectors. Instead, the attackers’ methodology was purely opportunistic. They utilized historical dark-web password leaks—commonly known as “combo lists”—to feed their automated spraying scripts. This strategy demonstrates that password reuse across personal and professional applications remains one of the single greatest structural hazards to corporate identity security, as credentials compromised years prior on external sites are systematically tested against enterprise cloud boundaries.
According to telemetry analyzed by Huntress, the vast majority of these login attempts originated from an IPv6 address range (2a0a:d683::/32) controlled by the internet hosting provider LSHIY LLC (operating under AS32167). This autonomous system has been increasingly associated with adversary-controlled relays and Adversary-in-the-Middle (AiTM) infrastructure. Upon closer investigation, specific IPv6 routing endpoints within this block were registered as recently as June 11, 2026, just a day before the massive campaign commenced. This rapid deployment of infrastructure highlights the speed with which modern threat actors can spin up clean, un-blacklisted hosting blocks to execute widespread attacks.
The scale of this attack is not an isolated anomaly. Huntress reported that over the past six months, the volume of credential-spraying attempts across its global monitored customer base has surged by an astonishing 155 times. Adding to the detection complexity, geolocation telemetry of the attacking IPs returned highly inconsistent results: some third-party databases geolocated the malicious infrastructure to Nebraska, while others mapped the very same IPs to mainland China. This geographical discrepancy points to sophisticated routing techniques designed to exploit discrepancies in threat-hunting telemetry, allowing malicious connections to masquerade as standard domestic traffic or bypass location-based blocking tools.
The Mechanics of ROPC: How Threat Actors Leverage Legacy Authentication
The defining technical characteristic of the LSHIY campaign was the attackers’ deliberate reliance on the Resource Owner Password Credentials (ROPC) OAuth 2.0 grant flow. To understand why this is a critical security bypass, it is necessary to examine how modern web authentication differs from legacy authentication frameworks.
In standard modern OAuth 2.0 and OpenID Connect flows (such as the Authorization Code flow), the client application never handles or sees the user’s password. Instead, the application redirects the user’s browser to a secure Microsoft Entra ID sign-in page. The user authenticates interactively—entering their password, solving MFA challenges, and verifying their identity—before the identity provider redirects the browser back to the application with an authorization code, which is then exchanged for an access token. This keeps the credentials isolated and allows the identity provider to enforce interactive security controls dynamically.
The ROPC flow, however, completely subverts this architecture. Originally designed to assist legacy applications that could not support an interactive browser interface, ROPC allows an application to collect the user’s username and password directly within its own interface. The application then packages these credentials into a direct POST request and sends them straight to the identity provider’s token endpoint (/token). If the credentials are correct, the token endpoint immediately mints a user-delegated token. Because this transaction occurs entirely over a non-interactive back-channel, there is no web browser redirection to prompt the user for MFA or single sign-on (SSO) challenges.
While ROPC is formally built on the OAuth 2.0 framework, Microsoft and security bodies classify its non-interactive credential-submission mechanism as a type of legacy authentication. It has been officially deprecated in OAuth 2.1 due to its inherent security weaknesses. Despite this deprecation, the ROPC flow remains enabled in many Entra ID tenants to prevent service disruptions for legacy administrative scripts or third-party integrations, presenting a massive, often unmonitored security gap that bypasses modern identity protections.
The Anatomy of an MFA Gap: Why Conditional Access Policies Failed
The most alarming finding from Huntress’s post-incident analysis was that many of the compromised organizations actually had MFA policies enabled. Security teams believed their tenants were fully protected. However, the attackers succeeded because of critical gaps and structural oversights within their Conditional Access Policies (CAPs). Specifically, these policies failed to account for non-interactive legacy authentication paths like ROPC when interacting with the Azure CLI (which uses the default client ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46).
The analysis of the compromised environments revealed several common administrative misconfigurations that left the backdoor wide open:
- Absence of Universal MFA Policies: Eight of the compromised businesses lacked any active MFA policy whatsoever, making them effortless targets for the automated spray.
- Incomplete Application Coverage: Many organizations configured their CAPs to require MFA only for specific web applications (such as Outlook Web App or SharePoint) rather than targeting “All Cloud Apps”. This allowed the Azure CLI to process ROPC logins silently without triggering MFA.
- Scope and Group Exemptions: To avoid administrative friction, some organizations exempted specific user groups or administrator roles from MFA requirements, unwittingly providing highly privileged entry points for the attackers.
- MFA Required Only for Untrusted Locations: Several tenants configured CAPs to bypass MFA when sign-ins originated from “trusted IP ranges” or corporate offices. By leveraging residential proxy networks and localized hosting provider nodes, attackers effectively bypassed these location-based rules.
- Unenforced Policies: In multiple instances, CAPs were drafted and saved in a “Report-Only” state or were partially implemented but never fully transitioned to an “On” state, leaving active defenses completely disabled.
When the LSHIY attackers targeted these environments with validated credentials through the Azure CLI via ROPC, Entra ID validated the username and password. Because the CAPs did not explicitly cover non-browser applications or enforce MFA universally across all authentication protocols, the backend returned a fully authorized access token. The attacker was then able to log in without ever triggering a single push notification or SMS challenge to the legitimate user’s device.
Strategic Defenses: Deactivating Legacy Authentication and Enforcing Phishing-Resistant MFA
The lessons of the LSHIY campaign are clear: merely “enabling” MFA is an incomplete defense. True enterprise hardening requires a proactive, exhaustive elimination of legacy authentication pathways and a transition toward modern, resilient identity architectures. To protect Microsoft 365 environments from ROPC-based password sprays, organizations should implement the following multi-layered mitigations:
- Completely Block Legacy Authentication and ROPC: Administrators must deploy strict Conditional Access Policies that explicitly target and block “Legacy Authentication clients”. Under the “Conditions” section of a CAP, the “Client apps” setting must be configured to include “Legacy authentication clients” (both Exchange ActiveSync and Other clients). This blocks the ROPC flow at the gateway, preventing the token endpoint from accepting non-interactive credential submissions.
- Restrict Azure CLI Access: The Azure CLI is an incredibly powerful administrative tool that standard business users have no legitimate reason to access.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


