Microsoft Azure CLI password-spray campaign using ROPC
Campaign
Summary
A massive automated password-spray campaign against Microsoft Azure CLI compromised at least 78 accounts across 64 organizations, expanding access risk across cloud tenants. The operation ran from June 12 to June 26, 2026 and used more than 81 million login attempts to harvest valid credentials. Attackers used the deprecated ROPC flow to bypass some Conditional Access Policy protections, showing how legacy OAuth paths can weaken MFA-enforced environments.
Related Happenings
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score: 89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources: 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score: 46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources: 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
H score: 33
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources: 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score: 39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources: 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score: 39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources: 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Timeline
01.07.2026 08:46 · 1 article
Microsoft Azure CLI spray campaign compromises 12 accounts
Victim Impact Update: The Microsoft Azure CLI credential and token spray campaign compromised 12 user accounts on June 19, 2026, marking the largest single-day spike in the June 12 to June 21 period when most days saw only two to four accounts affected.
Sources:
- Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts — thehackernews.com — 01.07.2026 08:46
01.07.2026 08:46 · 1 article
Microsoft Azure CLI spray campaign hits 30 identities across 23 businesses
Victim Impact Update: On June 22, 2026, the Microsoft Azure CLI credential and token spray campaign expanded sharply, with 30 identities across 23 businesses impacted after a steadier daily cadence earlier in the month.
Sources:
- Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts — thehackernews.com — 01.07.2026 08:46
01.07.2026 08:46 · 2 articles
Huntress warns of Azure CLI password spray using ROPC to bypass Conditional Access Policy
Initial Disclosure: Huntress warned of a massive automated password-spray campaign against Microsoft Azure CLI that used the deprecated Resource Owner Password Credentials (ROPC) flow to bypass some Conditional Access Policy protections, with more than 81 million login attempts between June 12 and June 26, 2026 and at least 78 Microsoft accounts across 64 organizations compromised; the activity originated from 2a0a:d683::/32 controlled by LSHIY LLC.
Sources:
- Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts — thehackernews.com — 01.07.2026 08:46
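
A defender-side hunt for the activity in this timeline, as an added example that is not from Huntress or the cited article: it groups Azure CLI sign-ins that used ROPC by source network and lists the accounts that logged in successfully. The record fields (modelled on Entra sign-in log attributes), the sample events, the `min_users` threshold and the function names are assumptions; the source range is the one named above.

```python
import ipaddress
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI public client ID
CAMPAIGN_NET = ipaddress.ip_network("2a0a:d683::/32")  # source range named in the report

def ev(user, proto, ip, code, app=AZURE_CLI_APP_ID):
    """Build one sign-in record; field names are assumed, modelled on Entra logs."""
    return {"userPrincipalName": user, "appId": app,
            "authenticationProtocol": proto, "ipAddress": ip, "errorCode": code}

# Constructed sample records (not real telemetry). errorCode 0 = success,
# 50126 = invalid username or password.
SAMPLE_EVENTS = [
    ev("alice@contoso.example", "ropc", "2a0a:d683:1::10", 50126),
    ev("bob@contoso.example", "ropc", "2a0a:d683:1::11", 50126),
    ev("carol@contoso.example", "ropc", "2a0a:d683:2::5", 50126),
    ev("bob@contoso.example", "ropc", "2a0a:d683:2::5", 0),     # password guessed
    ev("dave@contoso.example", "ropc", "203.0.113.5", 0),       # lone legacy script
    ev("erin@contoso.example", "oAuth2", "198.51.100.7", 0),    # not ROPC, ignored
]

def source_key(ip_text):
    """Bucket an address: the campaign range as one key, else /64 (v6) or /24 (v4)."""
    ip = ipaddress.ip_address(ip_text)
    if ip in CAMPAIGN_NET:
        return str(CAMPAIGN_NET)
    prefix = 64 if ip.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def ropc_spray_report(events, min_users=3):
    """Flag sources whose Azure CLI ROPC sign-ins look like a password spray."""
    stats = defaultdict(lambda: {"users": set(), "failed": 0, "ok": set()})
    for e in events:
        if e["appId"] != AZURE_CLI_APP_ID or e["authenticationProtocol"] != "ropc":
            continue
        s = stats[source_key(e["ipAddress"])]
        s["users"].add(e["userPrincipalName"])
        if e["errorCode"] == 0:
            s["ok"].add(e["userPrincipalName"])
        else:
            s["failed"] += 1
    report = []
    for src, s in sorted(stats.items()):
        known = src == str(CAMPAIGN_NET)
        # Report the known range on any hit; other sources only past the threshold.
        if known or len(s["users"]) >= min_users:
            report.append({"source": src, "known_campaign_range": known,
                           "users_targeted": len(s["users"]), "failed": s["failed"],
                           "compromised": sorted(s["ok"])})
    return report
```
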