https://www.huntress.com/blog/lshiy-password-spray-attack
Security firm Huntress has documented a massive, ongoing, automated password spray attack targeting Microsoft’s Azure command-line interface. Between 12 and 26 June the campaign made more than 81 million login attempts against customer accounts and compromised at least 78 Microsoft accounts across 64 organisations before the attacks ceased following intervention by the internet infrastructure provider whose IP address range was being used to conduct them. The attack originated from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC, operating under autonomous system number AS32167. It escalated steadily in both volume and effectiveness over the tracking period, with a significant spike on 22 June, when 30 user accounts across 23 businesses were compromised in a single day after a fortnight of relatively modest daily compromise rates averaging between two and four accounts. After Huntress contacted LSHIY and reported the malicious behaviour, a company representative confirmed that the responsible user, identified as a bring-your-own-IP customer, had seriously violated the terms of service and had been suspended. Huntress subsequently confirmed that attacks from the IP range had terminated.
The technical approach employed by the threat actors reveals an understanding of the gap between how organisations believe their multi-factor authentication protects them and how it actually functions in practice. The attackers were replaying previously breached username and password combinations, targeting credentials that had appeared in compromised password lists but had never been rotated by their owners. They validated these credentials through the OAuth Resource Owner Password Credentials flow (ROPC), an authentication mechanism that has been deprecated in OAuth 2.1 precisely because it does not support modern authentication flows such as multi-factor authentication and single sign-on. Because ROPC sends credentials directly to the token endpoint without triggering an interactive MFA prompt, the attackers were able to authenticate against accounts belonging to organisations that had implemented MFA through Conditional Access Policies and believed themselves protected by it. The attack exploited the difference between having MFA in place and having it configured to cover every authentication pathway an attacker might use.
Analysis of the 22 June spike, which impacted 23 businesses, found that 15 of those organisations had MFA implemented and enforced through Conditional Access Policies, yet the protection failed to fire for a variety of configuration reasons that are likely to be widespread across Microsoft 365 environments. Some organisations had configured MFA to apply only to specific applications such as Microsoft Admin Portals rather than all cloud applications, leaving Azure CLI logins outside the scope of protection. Others had scoped MFA enforcement to specific user groups such as administrators only, so ordinary user accounts outside those groups remained unprotected. Several businesses had configured MFA to apply only from non-trusted locations, a control the attackers evaded because geolocation data is inconsistent across third-party tools: some of their IP addresses resolved to China under one tool but to Nebraska under another, causing them to appear as trusted domestic connections. In two cases MFA had been deployed in report-only mode, meaning the policy was technically present but had never actually been enforced. Huntress notes that in the past six months the volume of credential spray attacks across its customer base has increased by more than 155 times, with a current mean of approximately 1,964 failed attack attempts per month per protected tenant. It has urged organisations to audit their Conditional Access Policies to ensure MFA coverage explicitly encompasses all cloud applications and all authentication flows, including legacy protocols such as ROPC, rather than assuming that having MFA enabled is equivalent to being comprehensively protected by it.
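The audit Huntress recommends can be scripted against exported Conditional Access policies. The following is an added example, not Huntress's or Microsoft's code: it checks policies in the Microsoft Graph conditionalAccessPolicy shape for the four gaps described above (app scope, user scope, trusted-location exemption, report-only state). The policy objects are constructed samples, the field names are assumed from the public Graph schema, and the group id is a placeholder.

```python
def _policy(name, state="enabled", apps=("All",), users=("All",), groups=(),
            exclude_locations=()):
    """Constructed sample policy that grants access only with MFA."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "applications": {"includeApplications": list(apps)},
            "users": {"includeUsers": list(users), "includeGroups": list(groups)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

# One constructed policy per misconfiguration the article describes.
SAMPLE_POLICIES = [
    _policy("MFA - admin portals only", apps=("MicrosoftAdminPortals",)),
    _policy("MFA - admins group only", users=(), groups=("<admins-group-id>",)),
    _policy("MFA - outside trusted locations", exclude_locations=("AllTrusted",)),
    _policy("MFA - report only", state="enabledForReportingButNotEnforced"),
]

def requires_mfa(policy):
    """True if the policy's grant controls demand MFA or an auth strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))

def policy_gaps(policy):
    """Reasons this policy would not challenge an ROPC/Azure CLI login by an
    ordinary user whose source IP happens to geolocate to a trusted location."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("report-only or disabled")          # present but never enforced
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:                                # Azure CLI is not an admin portal
        gaps.append("apps scoped to %s, Azure CLI not covered" % ",".join(apps))
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("users scoped to groups/roles, not all users")
    if "AllTrusted" in ((cond.get("locations") or {}).get("excludeLocations") or []):
        gaps.append("trusted locations exempt; geolocation errors bypass it")
    return gaps

def audit_mfa_policies(policies):
    """Return ({policy name: gaps}, full_coverage) for the MFA-granting policies;
    full_coverage is True only if at least one policy has no gap at all."""
    report = {p["displayName"]: policy_gaps(p) for p in policies if requires_mfa(p)}
    return report, any(not g for g in report.values())

if __name__ == "__main__":
    report, covered = audit_mfa_policies(SAMPLE_POLICIES)
    for name, gaps in report.items():
        print(name, "->", gaps or ["OK"])
    print("tenant has full MFA coverage:", covered)
```

Feed it the JSON returned by the Graph identity/conditionalAccess/policies endpoint and any tenant whose every MFA policy reports a gap is in the same position as the 15 organisations above.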