Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

A massive automated password-spray campaign against Microsoft Azure CLI compromised at least 78 accounts across 64 organizations, expanding access risk across cloud tenants. The operation ran from June 12 to June 26, 2026 and used more than 81 million login attempts to harvest valid credentials. Attackers used the deprecated ROPC flow to bypass some Conditional Access Policy protections, showing how legacy OAuth paths can weaken MFA-enforced environments.

Related Happenings

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
H score33 First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
H score39 First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Timeline

  1. 01.07.2026 08:46 1 articles · 2h ago

    Microsoft Azure CLI spray campaign compromises 12 accounts

    Victim Impact Update

    The Microsoft Azure CLI credential and token spray campaign compromised 12 user accounts on June 19, 2026, marking the largest single-day spike in the June 12 to June 21 period when most days saw only two to four accounts affected.

    Show sources
  2. 01.07.2026 08:46 1 articles · 2h ago

    Microsoft Azure CLI spray campaign hits 30 identities across 23 businesses

    Victim Impact Update

    On June 22, 2026, the Microsoft Azure CLI credential and token spray campaign expanded sharply, with 30 identities across 23 businesses impacted after a steadier daily cadence earlier in the month.

    Show sources
  3. 01.07.2026 08:46 2 articles · 2h ago

    Huntress warns of Azure CLI password spray using ROPC to bypass Conditional Access Policy

    Initial Disclosure

    Huntress warned of a massive automated password-spray campaign against Microsoft Azure CLI that used the deprecated Resource Owner Password Credentials (ROPC) flow to bypass some Conditional Access Policy protections, with more than 81 million login attempts between June 12 and June 26, 2026 and at least 78 Microsoft accounts across 64 organizations compromised; the activity originated from 2a0a:d683::/32 controlled by LSHIY LLC.

    Show sources