A sprawling, automated password spray operation has compromised at least 78 Microsoft accounts by hammering the Azure command-line interface (CLI), a primary tool for cloud developers and administrators. The campaign, analyzed by Huntress, exposed a critical oversight in cloud security: the protection gap between interactive user logins and non-interactive authentication channels.
Over two weeks in June, the attackers launched more than 81 million authentication attempts directed at Azure CLI endpoints. According to the researchers, the operation leveraged the Resource Owner Password Credentials (ROPC) authentication flow, a legacy protocol that transmits usernames and passwords directly, to bypass weak or poorly configured Conditional Access Policies (CAPs) that many organizations rely on to protect non-interactive sign-ins.
Researchers reportedly traced the attackers' activity to an IPv6 address range linked to internet infrastructure provider LSHIY LLC (AS32167). The campaign's success, hitting dozens of accounts in an environment where many organizations enforce stricter protections for standard web logins, underscores a dangerous misconfiguration in how authentication policies are designed.
While multi-factor authentication (MFA) and strict monitoring are commonly applied to human sign-ins through web portals, the automated pathways used by scripts, CI/CD pipelines, and service principals are frequently left less defended. The ROPC flow exploited this gap directly, allowing the attacker to authenticate via API and CLI endpoints without triggering the MFA challenges or lockout mechanisms designed for human behavior patterns.
Compromising accounts through this method is particularly dangerous, as CLI and service principal credentials often hold privileged, persistent access to cloud infrastructure, making them higher-value targets than individual user accounts.
The incident highlights an urgent need for a revised security posture. Organizations must extend MFA enforcement to all authentication methods, including those used for automation, and disable legacy flows like ROPC where not operationally required. A rigorous audit of service principal permissions, adherence to the principle of least privilege, and proactive monitoring of authentication logs for anomalous patterns are now essential. Routine rotation of high-privilege credentials further reduces risk.
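The two points above, that ROPC sign-ins through CLI and API endpoints escape the controls tuned for human logins, and that authentication logs must be watched for anomalous patterns, can be turned into a concrete detection. The script below is an added example, not code from Huntress or from the article: it scans Entra ID sign-in records for a spray signature (many distinct accounts, few attempts each, ROPC protocol, Azure CLI client, one source prefix) and reports which accounts were hit and which actually succeeded. The field names mirror the Microsoft Graph signIn resource, but the records themselves are constructed, the grouping prefixes (/64 for IPv6, /24 for IPv4) and the thresholds are assumptions to tune per tenant, and the error-code meanings are assumed from common Entra usage rather than taken from the page.

```python
"""Detect a password spray against non-interactive Azure CLI sign-ins.

Added example. Record shape follows the Graph signIn resource
(userPrincipalName, appDisplayName, ipAddress, authenticationProtocol,
status.errorCode); the sample records and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict

TARGET_APP = "Microsoft Azure CLI"   # client the spray in the article hit
MIN_DISTINCT_USERS = 5               # assumed threshold: spray = many accounts
MAX_ATTEMPTS_PER_USER = 3            # assumed threshold: few tries per account
ERR_SUCCESS = 0                      # assumed: status.errorCode 0 = success
ERR_BAD_PASSWORD = 50126             # assumed: invalid username or password


def source_key(ip: str) -> str:
    """Collapse an address to its prefix so a rotating /64 counts as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def detect_spray(records, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return one finding per source prefix that shows spray behaviour.

    Only ROPC sign-ins to the Azure CLI client are considered; the spray
    signature is many distinct accounts with a low average attempt count.
    A single account hammered many times is brute force, not spray, and
    is deliberately not reported here.
    """
    groups = defaultdict(lambda: {"users": defaultdict(int), "hits": set()})
    for rec in records:
        if rec.get("appDisplayName") != TARGET_APP:
            continue
        if rec.get("authenticationProtocol") != "ropc":
            continue
        grp = groups[source_key(rec["ipAddress"])]
        upn = rec["userPrincipalName"]
        grp["users"][upn] += 1
        if rec["status"]["errorCode"] == ERR_SUCCESS:
            grp["hits"].add(upn)

    findings = []
    for src, grp in groups.items():
        users = grp["users"]
        if len(users) < min_users:
            continue
        attempts = sum(users.values())
        if attempts / len(users) > max_per_user:
            continue
        findings.append({
            "source": src,
            "users_targeted": len(users),
            "attempts": attempts,
            "compromised": sorted(grp["hits"]),
        })
    return findings


def _rec(upn, ip, app, proto, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample: six accounts tried once each over ROPC from one IPv6 /64
# (documentation range 2001:db8::/32), one of them then succeeding; plus one
# account brute-forced from a single IPv4 address; plus a normal portal login.
SPRAY_USERS = ["alice", "bob", "carol", "dana", "erin", "frank"]
SAMPLE_SIGNINS = [
    _rec(f"{u}@example.com", f"2001:db8::{i}", TARGET_APP, "ropc", ERR_BAD_PASSWORD)
    for i, u in enumerate(SPRAY_USERS, start=1)
] + [
    _rec("dana@example.com", "2001:db8::9", TARGET_APP, "ropc", ERR_SUCCESS),
] + [
    _rec("greg@example.com", "203.0.113.7", TARGET_APP, "ropc", ERR_BAD_PASSWORD)
    for _ in range(10)
] + [
    _rec("alice@example.com", "198.51.100.4", "Azure Portal",
         "authorizationCode", ERR_SUCCESS),
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_SIGNINS):
        print(f"spray from {f['source']}: {f['users_targeted']} accounts, "
              f"{f['attempts']} attempts, compromised={f['compromised']}")
```

Run against real exports, the `compromised` list is the set that needs immediate credential rotation and token revocation, and the `source` prefix is what to block or flag in Conditional Access; the brute-force case from a single IPv4 address is left to a separate lockout-style rule on purpose, since the article's point is that spray evades per-account lockout by spreading attempts thinly.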
As cloud-native development becomes standard, securing the programmatic access layer is no longer optional. This attack demonstrates that the command line itself has become a frontline in cloud defense.
