Azure CLI: 78 Microsoft Accounts Compromised via ROPC Vulnerability

Bottom line: Attackers bypassed multi-factor authentication through the non-MFA-compatible ROPC protocol because many organizations had incompletely configured their Conditional Access Policies.

Security researchers from Huntress documented a massive password spray attack on Azure CLI in which attackers used the legacy ROPC authentication method to compromise 78 Microsoft accounts across 64 organizations.

Between 12 June and 26 June, an attacker made more than 81 million login attempts against Azure CLI using infrastructure of LSHIY LLC. The targets were drawn from lists of already-compromised credentials; no specific industries or business types were singled out. A minimum of 78 accounts across 64 organizations were successfully compromised.

The attack exploited the Resource Owner Password Credentials (ROPC) method, a legacy OAuth authentication protocol that passes username and password directly to client applications. This method is classified as deprecated in the forthcoming OAuth 2.1 specification and is not natively compatible with multi-factor authentication (MFA). Microsoft itself advises against its use and recommends more secure alternatives, as the method requires a high level of trust in the application.

The compromise succeeded despite MFA implementation because the Conditional Access Policies of affected organizations contained gaps: MFA was often enabled only for administrative groups, restricted to selected cloud apps rather than all applications, or applied exclusively to access from outside trusted locations. Eight of the 78 affected organizations operated no MFA policies at all.

Huntress emphasizes that this does not represent a fundamental failure of MFA as a technology, but rather a configuration problem. Organizations must explicitly calibrate their MFA policies to block or at least monitor legacy authentication flows such as ROPC. The attack volume increased significantly in June: during the first ten days, an average of two to four accounts per day were compromised; on 22 June, the number rose to 30 compromised identities.
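The three Conditional Access gaps listed above can be checked mechanically against an export of a tenant's policies. The following is an added example, not code from Huntress or the source article: it assumes policies exported as Microsoft Graph `conditionalAccessPolicy` JSON, the function names, policy names and role ID are constructed, and user or app exclusions are ignored for brevity.

```python
# Added example: audit Conditional Access policies for the gaps named in the article.
# Sample data is constructed, in the shape Microsoft Graph returns for
# /identity/conditionalAccess/policies; names and the role ID are placeholders.
def make_policy(name, state, users, apps, exclude_locs=(), controls=("mfa",)):
    return {"displayName": name, "state": state,
            "conditions": {"users": users,
                           "applications": {"includeApplications": apps},
                           "locations": {"includeLocations": ["All"],
                                         "excludeLocations": list(exclude_locs)}},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}

SAMPLE_POLICIES = [
    make_policy("MFA for admins", "enabled",
                {"includeUsers": [], "includeRoles": ["<role-id>"]}, ["All"]),
    make_policy("MFA for Office 365", "enabled", {"includeUsers": ["All"]}, ["Office365"]),
    make_policy("MFA outside office", "enabled", {"includeUsers": ["All"]}, ["All"],
                exclude_locs=["AllTrusted"]),
    # Report-only policies log what would happen but enforce nothing.
    make_policy("MFA everyone (pilot)", "enabledForReportingButNotEnforced",
                {"includeUsers": ["All"]}, ["All"]),
]

def is_enforced(policy):
    """True if the policy is switched on and requires MFA or blocks access."""
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    return policy.get("state") == "enabled" and bool(controls & {"mfa", "block"})

def mfa_gaps(policy):
    """Return which of the three coverage gaps this policy exhibits."""
    cond = policy.get("conditions") or {}
    gaps = []
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("not all users")            # e.g. admin groups or roles only
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        gaps.append("selected apps only")       # Azure CLI may fall outside the list
    if (cond.get("locations") or {}).get("excludeLocations"):
        gaps.append("trusted locations exempt")
    return gaps

def audit(policies):
    """Return ({policy name: gaps}, covered); covered means some enforced
    policy applies to all users, all apps and all locations."""
    report = {p["displayName"]: mfa_gaps(p) for p in policies if is_enforced(p)}
    return report, any(not gaps for gaps in report.values())

if __name__ == "__main__":
    report, covered = audit(SAMPLE_POLICIES)
    for name, gaps in report.items():
        print(f"{name}: {', '.join(gaps) or 'full coverage'}")
    print("tenant-wide enforcement:", covered)
```

An empty report with `covered` false corresponds to the organizations that operated no MFA policies at all.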


Source: www.it-daily.net · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
