An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.

The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still-valid username and password combinations that had been exposed in past breaches.

Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.

Once a valid pair was found, the hacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth mechanism, bypassing multi-factor authentication (MFA) in many environments due to insecure Conditional Access policies.
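A defender can hunt for the pattern described above in sign-in logs. The following is an added example, not code from this article or from Huntress: it flags source IPs with failed Azure CLI ROPC sign-ins against many distinct users, and successful ROPC sign-ins that needed only a single factor. The record field names are assumed to follow the Entra ID sign-in log schema, and the threshold and sample records are constructed for illustration.

```python
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI first-party client ID

def rec(user, ip, proto, code, req, app=AZURE_CLI_APP_ID):
    """Build one constructed sign-in record (field names assumed from Entra ID sign-in logs)."""
    return {"userPrincipalName": user, "ipAddress": ip, "appId": app,
            "authenticationProtocol": proto, "status": {"errorCode": code},
            "authenticationRequirement": req}

# Constructed sample data: documentation IP ranges and example.com users only.
SAMPLE_SIGNINS = [
    rec("alice@example.com", "203.0.113.10", "ropc", 50126, "singleFactorAuthentication"),
    rec("bob@example.com", "203.0.113.10", "ropc", 50126, "singleFactorAuthentication"),
    rec("carol@example.com", "203.0.113.10", "ropc", 50126, "singleFactorAuthentication"),
    # Valid breached password, no MFA enforced on this path: likely compromise.
    rec("dave@example.com", "203.0.113.10", "ropc", 0, "singleFactorAuthentication"),
    # Legitimate admin: interactive Azure CLI login that satisfied MFA.
    rec("erin@example.com", "198.51.100.7", "none", 0, "multiFactorAuthentication"),
    # One failed ROPC login from another source: below the spray threshold.
    rec("frank@example.com", "198.51.100.7", "ropc", 50126, "singleFactorAuthentication"),
]

def is_cli_ropc(r):
    """True when the sign-in used the Azure CLI client ID with the ROPC grant."""
    return r.get("appId") == AZURE_CLI_APP_ID and r.get("authenticationProtocol") == "ropc"

def analyze(signins, spray_threshold=3):
    """Return (spray_sources, single_factor_successes) for Azure CLI ROPC sign-ins."""
    failed_users = defaultdict(set)  # source IP -> distinct users with failed ROPC logins
    successes = []                   # (user, ip) pairs that logged in without MFA
    for r in filter(is_cli_ropc, signins):
        if r["status"]["errorCode"] == 0:
            if r.get("authenticationRequirement") == "singleFactorAuthentication":
                successes.append((r["userPrincipalName"], r["ipAddress"]))
        else:  # any failure counts; 50126 is "invalid username or password"
            failed_users[r["ipAddress"]].add(r["userPrincipalName"])
    spray = {ip: sorted(u) for ip, u in failed_users.items() if len(u) >= spray_threshold}
    return spray, successes

if __name__ == "__main__":
    spray, successes = analyze(SAMPLE_SIGNINS)
    for ip, users in spray.items():
        print(f"possible spray from {ip}: {len(users)} distinct users failed ROPC")
    for user, ip in successes:
        print(f"single-factor ROPC success: {user} from {ip}")
```

Any hit in the second list is worth treating as a candidate compromised account, since a successful single-factor ROPC sign-in means Conditional Access did not require MFA on that path.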

Managed cybersecurity company Huntress observed the campaign targeting its customers between June 12 and 26 and confirmed that the threat actor compromised 78 Microsoft accounts across 64 organizations.