What Happened
Between June 12 and June 26, a threat actor operating from infrastructure registered to LSHIY LLC made more than 81 million authentication attempts against Microsoft 365 tenants, according to research from Huntress. The campaign compromised at least 78 accounts across 64 organizations, targeting accounts based on password prevalence in previously breached credential lists rather than industry or company size.
The attackers authenticated through Azure CLI using Resource Owner Password Credentials (ROPC), a legacy OAuth flow Microsoft has deprecated in favor of stronger sign-in methods. ROPC sends a username and password directly to Microsoft's identity platform, sidestepping browser-based sign-in and, in many tenant configurations, the Conditional Access policies administrators built to stop this exact kind of attack. Huntress reports that password-spray attempts across its monitored tenants increased more than 150-fold, with organizations now averaging nearly 2,000 failed logins per tenant each month. The common gaps were Conditional Access policies scoped to specific cloud apps instead of all cloud apps, MFA required only for administrator accounts, and policies left in report-only mode, none of which a token request from the Azure CLI client has to satisfy.
Why This Matters for Canadian Organizations
Microsoft 365 and Azure dominate Canadian enterprise and government IT environments, from federal departments to small businesses managed by local providers. A campaign targeting Azure CLI authentication regardless of sector or size places every Canadian organization running Microsoft cloud services in scope.
The technique exposes a gap security teams often miss during access reviews. Many Canadian IT departments configure MFA and Conditional Access around interactive browser sign-ins, without auditing legacy flows like ROPC still enabled at the tenant level. One overlooked legacy protocol undoes months of identity security investment, and any compromised account exposing personal information carries PIPEDA breach notification obligations.
What to Do
Confirm whether ROPC and other legacy authentication flows remain usable in your Entra ID (formerly Azure AD) tenant, and disable them where no application depends on them. Review Conditional Access policies to confirm MFA applies to all cloud apps and all users, not administrators alone, and move any policy still in report-only mode to enforced status; a policy that covers only selected apps or only admin roles leaves the Azure CLI path the attackers used open to every other account. Audit sign-in logs for the June 12 to June 26 window for unusual Azure CLI activity, in particular ROPC sign-ins and single source addresses failing against many different accounts, and reset credentials for any account showing signs of compromise.
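The two checks above, the Conditional Access review and the sign-in log audit, can be run offline against data exported from a tenant. The script below is an added example written for this article; it is not code from Huntress, Microsoft, or BleepingComputer. It assumes JSON records in the shape returned by the Microsoft Graph conditionalAccess/policies and auditLogs/signIns endpoints (field names such as `state`, `conditions.applications.includeApplications`, `authenticationProtocol`, `appId`, and `status.errorCode` follow that schema), and it filters on the Azure CLI's well-known application ID. Every policy and sign-in record in the block is constructed for illustration; the role and application IDs inside the sample policies are placeholders, not real identifiers.

```python
"""Offline triage of exported Entra ID data for the ROPC / Azure CLI spray pattern.

Added example for this article, not Huntress's, Microsoft's, or BleepingComputer's
code. Input is JSON exported from the Microsoft Graph conditionalAccess/policies
and auditLogs/signIns endpoints; field names follow that schema. All records
below are constructed for illustration.
"""
from collections import defaultdict

# Well-known first-party application (client) ID of the Azure CLI.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def audit_ca_policies(policies):
    """Flag the three gaps named in the report: report-only state, policies scoped
    to specific cloud apps instead of All, and user scope narrower than All
    (typically admin roles only). Returns a list of (policy name, finding)."""
    findings = []
    for p in policies:
        name = p["displayName"]
        conditions = p.get("conditions", {})
        state = p.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings.append((name, "report-only, not enforced"))
        elif state != "enabled":
            findings.append((name, f"state is {state!r}"))
        apps = conditions.get("applications", {}).get("includeApplications", [])
        if "All" not in apps:
            findings.append((name, "scoped to specific apps, not All cloud apps"))
        users = conditions.get("users", {}).get("includeUsers", [])
        if "All" not in users:
            findings.append((name, "not applied to all users"))
    return findings


def triage_sign_ins(sign_ins, spray_threshold=3):
    """Pick out ROPC / Azure CLI sign-ins and source IPs that failed against many
    distinct accounts (password spraying). Returns a dict with:
      ropc:          list of (upn, ip, succeeded) for ROPC or Azure CLI sign-ins
      spray_sources: {ip: sorted UPNs it failed against} at or above the threshold
      compromised:   sorted UPNs with a successful ROPC/CLI sign-in from a spray source
    """
    ropc = []
    failed_by_ip = defaultdict(set)
    for s in sign_ins:
        upn = s.get("userPrincipalName")
        ip = s.get("ipAddress")
        ok = s.get("status", {}).get("errorCode", 0) == 0   # 0 means success
        legacy = (s.get("authenticationProtocol") == "ropc"
                  or s.get("appId") == AZURE_CLI_APP_ID)
        if legacy:
            ropc.append((upn, ip, ok))
        if not ok:
            failed_by_ip[ip].add(upn)
    spray_sources = {ip: sorted(u) for ip, u in failed_by_ip.items()
                     if len(u) >= spray_threshold}
    compromised = sorted({upn for upn, ip, ok in ropc if ok and ip in spray_sources})
    return {"ropc": ropc, "spray_sources": spray_sources, "compromised": compromised}


# Constructed sample policies: one correct, three showing the gaps from the report.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}}},
    {"displayName": "Require MFA - admins only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": [],
                              "includeRoles": ["<admin-role-template-id>"]}}},  # placeholder
    {"displayName": "Require MFA - one app only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["<single-app-id>"]},  # placeholder
                    "users": {"includeUsers": ["All"]}}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}}},
]


def _ropc(upn, ip, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "appId": AZURE_CLI_APP_ID,
            "authenticationProtocol": "ropc", "status": {"errorCode": code}}


# Constructed sample sign-ins: one source sprays three accounts over ROPC via the
# Azure CLI client (AADSTS50126 = invalid username or password), then lands a hit;
# an unrelated browser sign-in is included as a control.
SAMPLE_SIGN_INS = [
    _ropc("alice@example.ca", "203.0.113.10", 50126),
    _ropc("bob@example.ca", "203.0.113.10", 50126),
    _ropc("carol@example.ca", "203.0.113.10", 50126),
    _ropc("dave@example.ca", "203.0.113.10", 0),
    {"userPrincipalName": "erin@example.ca", "ipAddress": "198.51.100.7",
     "appId": "<browser-app-id>", "authenticationProtocol": "oAuth2",  # placeholder
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for name, finding in audit_ca_policies(SAMPLE_POLICIES):
        print(f"policy gap: {name}: {finding}")
    result = triage_sign_ins(SAMPLE_SIGN_INS)
    print("spray sources:", result["spray_sources"])
    print("accounts to reset:", result["compromised"])
```

On real data, replace the sample lists with the exported JSON restricted to the June 12 to June 26 window, and treat every UPN in `compromised` as a credential reset and session revocation candidate rather than a confirmed breach; a legitimate administrator using `az login` from a shared egress address will show up the same way, which is exactly why the article's advice is to remove the ROPC path rather than to tune the alert.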
Read the full report at BleepingComputer.