
Massive Password Spray Attack on Microsoft Azure CLI Compromises 78 Accounts Across 64 Organizations
Between June 12 and June 26, 2016, an automated password spray attack targeted Microsoft's Azure CLI, compromising 78 accounts across 64 organizations after over 81 million login attempts. The attack leveraged deprecated OAuth 2.0 ROPC (Resource Owner Password Credentials) flows to bypass conditional access policies, even in environments with MFA enabled but not enforced. Most activity originated from IP addresses linked to Lishi LLC, resolving to the U.S. and China, while attackers reused previously breached but unrotated username-password combinations. Eight impacted organizations had no MFA policy at all, while others failed to enforce it for Azure CLI ROPC logins, exposing gaps in conditional access configurations. The campaign indiscriminately targeted accounts based on password prevalence rather than industry or business type, emphasizing the risks of weak or reused credentials. Microsoft’s documentation explicitly warns against ROPC flows due to incompatibility with MFA, reinforcing the need for properly configured and enforced authentication policies.