81 million
login attempts generated in 14 days by the LSHIY credential spray campaign targeting Microsoft 365 tenants globally
78 accounts
Microsoft 365 accounts confirmed compromised across 64 organizations after valid credentials were matched from dark web dumps
155x
increase in password-spraying attacks observed by Huntress across its managed security customer base in 2026
1,964
average failed login attempts per Microsoft 365 tenant per month in 2026, creating background noise sufficient to evade standard alert thresholds

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

78 Microsoft 365 accounts across 64 organizations were confirmed compromised after a password spray campaign generated 81 million login attempts using credentials stolen from past data breaches circulating on dark web marketplaces.

The Microsoft 365 password spray attack, tracked by Huntress as the LSHIY campaign, ran from June 12 to June 26, 2026. The threat actor authenticated exclusively through Microsoft's Azure command-line interface (Azure CLI), using a deprecated OAuth mechanism called Resource Owner Password Credentials (ROPC). ROPC sends a username and password directly to Microsoft's /token endpoint, bypassing the interactive login screen where multi-factor authentication is typically enforced. Any organization whose Conditional Access Policies did not explicitly cover the Azure CLI client app was exposed to this bypass.

The attack is structurally simple. Credential databases purchased from dark web markets contain billions of username and password pairs from past corporate breaches, infostealer malware campaigns, and phishing kit harvests. The LSHIY operator loaded those pairs into an automated Azure CLI script, submitted them to Microsoft's token endpoint via ROPC, and recorded which combinations returned a valid authentication token. No custom malware, no zero-day exploit, and no social engineering were required.

Huntress observed a 155-fold increase in password-spraying attacks across its customer base in 2026, with the average tenant now receiving 1,964 failed login attempts per month. If your organization uses Microsoft 365 and has not blocked ROPC in Conditional Access, your users' passwords are being tested right now. Eight of the 64 affected organizations had no MFA policy at all. The remaining 56 had MFA enabled but with configuration gaps that left the Azure CLI sign-in path unprotected.

How Does the Microsoft 365 Password Spray Attack Work?

A password spray attack is a credential attack that tries a small set of previously exposed passwords across a large number of accounts, deliberately staying below the lockout thresholds triggered by brute-force attempts that hammer a single account repeatedly.

The LSHIY campaign executed this technique entirely through the Azure CLI authentication path. Attackers gathered username and password combinations from dark web credential markets, where billions of login pairs from past breaches are sold in bulk. They submitted those pairs to Microsoft's /token endpoint using the ROPC OAuth flow, which the Azure CLI uses for non-interactive authentication.

The ROPC flow is the critical enabler. Microsoft's own documentation marks ROPC as a "legacy authentication protocol" and recommends against it, but many Azure CLI configurations still permit it. When an ROPC request arrives at the /token endpoint, Microsoft does not redirect the user to an interactive browser session. There is no browser window, no push notification to an authenticator app, and no SMS code prompt. The authentication completes in a single API call. Any Conditional Access Policy scoped to "All Cloud Apps" and "All Client App Types" would catch this flow, but 15 of the 64 affected organizations had MFA policies that missed the Azure CLI client app path entirely.

Huntress confirmed the account-level impact: 78 accounts validated and accessed across 64 organizations in 14 days. The daily compromise rate averaged two to four accounts per day initially. On June 22, 30 accounts across 23 organizations were compromised in a single day, indicating the attacker escalated to a higher-velocity phase using credentials with higher match confidence from the spray results.

1

Credential Acquisition

Threat actor purchases bulk username/password pairs from dark web credential markets sourced from past corporate breaches

2

Azure CLI ROPC Spray

81 million authentication attempts submitted to Microsoft /token endpoint via deprecated ROPC flow, bypassing interactive MFA prompts entirely

3

Valid Pair Identified

Token endpoint returns access token for matching credential pairs, confirming active account credentials without triggering MFA challenge

4

Initial Access Established

Attacker authenticates to Microsoft 365 tenant and accesses email, SharePoint, Teams data, and connected SaaS applications

Where Do the Stolen Credentials Come From?

The LSHIY campaign used "still valid username and password combinations that had been exposed in past breaches," according to Huntress. That description points directly to dark web credential markets, where stolen login pairs are available at scale from years of accumulated breach data.

The volume of available credentials is not theoretical. A single Elasticsearch cluster discovered in June 2026 contained 24 billion stolen credentials spanning 8.3 terabytes across 36 sources, with records pairing credential pairs directly to known CVE exploit data. A separate compilation tracked 16 billion credentials circulating across 30 dark web databases, covering Google, Apple, Facebook, GitHub, enterprise VPNs, and government platforms. Fresh records enter these compilations weekly from infostealer malware logs.

Corporate Microsoft 365 credentials appear in these datasets for several concrete reasons. Employees reuse personal passwords across work accounts. Phishing campaigns specifically targeting Microsoft 365 login pages have operated continuously since 2020. Infostealer malware deployed through malicious ads, cracked software, and drive-by downloads harvests browser-stored passwords and sends them to attacker-controlled collection infrastructure.

The LSHIY operator selected targets based entirely on password prevalence in compromised combo lists, according to analysis by The Hacker News. The campaign was indiscriminate across industries: finance, healthcare, manufacturing, professional services, and public sector organizations all appeared in Huntress's affected-customer data. Sector was irrelevant. Having a Microsoft 365 tenant with any account whose password appeared in a dark web dump was the only selection criterion for this campaign.

Targeting based entirely on password prevalence on compromised password combo lists.

Huntress, via The Hacker News (July 2026)
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Who Is Behind the LSHIY Campaign?

Huntress attributes all observed attack traffic to infrastructure registered to LSHIY LLC, an autonomous system operating under AS32167 with the IPv6 prefix 2a0a:d683::/32. Geographic analysis of the IP range shows resolution primarily to U.S. exit points, with some traffic resolving to Chinese infrastructure, though network-level attribution alone does not establish the threat actor's actual location or identity.

The campaign's technical profile does not match the signature of a nation-state operation. Nation-state actors conducting credential operations typically select targets by sector, rotate infrastructure frequently, and embed campaign activity within broader intrusion objectives. The LSHIY campaign ran the same technique from the same ASN for 14 days without modification. Huntress characterizes the activity as financially motivated credential access: validate working username and password pairs for potential resale to initial access brokers, direct account exploitation, or downstream extortion.

What the LSHIY operation demonstrates is that sophisticated tradecraft is not required to breach enterprise Microsoft 365 environments. The ROPC bypass has been publicly documented for years. Credential dumps with millions of valid corporate logins are available for purchase under $100 on dark web markets. Azure CLI is installed and accessible in the majority of enterprise development and IT environments. Combining these three elements, a publicly documented bypass technique, purchased credentials, and a widely deployed client app, was sufficient to compromise 78 accounts before the attack ended.

Activity from the LSHIY LLC IPv6 range ended on July 2, 2026, according to Huntress. The stopping of observable activity does not mean compromised accounts have been remediated. Organizations that have not audited their Azure CLI sign-in logs for the June 12 to July 2 window may still have active attacker access.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How Many Organizations Have Already Been Compromised?

The confirmed figures come from Huntress's managed security customer base, representing a fraction of total Microsoft 365 tenants globally. 78 accounts across 64 organizations were compromised in the 14-day observation window. The daily attack volume started at two to four accounts per day, peaked at 12 accounts on June 19, then surged to 30 accounts across 23 organizations on June 22 alone.

Huntress observed a 155-fold increase in password-spraying attacks across its entire customer base in 2026. The average organization now receives 1,964 failed login attempts per tenant each month, a volume high enough to bury individual spraying events in standard security alert queues. Organizations relying on login failure counts to detect credential attacks will not see LSHIY-style sprays in their dashboards because the per-account failure rate is too low to trigger standard thresholds.

The scope of exposure extends beyond Huntress customers. Microsoft 365 has approximately 345 million paid seats across millions of organizations globally. The LSHIY campaign targeted accounts indiscriminately based solely on credential availability. Any organization with a Microsoft 365 tenant whose users appear in dark web credential dumps, which is statistically the majority of enterprise organizations given the scale of 2025 and 2026 breach data, faces the same structural exposure.

Eight of the 64 affected organizations had no MFA policy at all. The remaining 56 had MFA implemented but with configuration gaps: MFA scoped to specific apps rather than all cloud apps, MFA limited to administrator accounts, trusted-location exceptions that weakened requirements for off-network users, and policies left in report-only mode that logged activity without enforcing protection.

How to Detect LSHIY Password Spray Activity in Your Entra Logs

Detection requires reviewing Microsoft Entra ID sign-in logs for specific signals that distinguish ROPC-based password spraying from normal user activity. Standard failed-login alerts will not surface this attack because the spray volume per individual account is too low to trigger typical lockout thresholds.

Pull sign-in logs from the Microsoft Entra admin center or via the Microsoft Graph API. Filter for authentications where "Client App" is listed as "ROPC" or where "Azure CLI" appears with "AuthenticationMethodsUsed" omitting interactive MFA. The source ASN for the confirmed LSHIY campaign is AS32167 with IPv6 prefix 2a0a:d683::/32. Any successful authentication from this range during June 12 through July 2, 2026 is a confirmed compromise indicator requiring immediate response.

Microsoft Sentinel customers can query the SigninLogs table with a filter for ClientAppUsed equals "Azure CLI" where ResultType equals 0 (successful sign-in) and GrantControls is empty or "None." This surfaces all ROPC authentications that bypassed MFA enforcement regardless of source IP, giving you a full picture of your legacy authentication exposure, not just the LSHIY campaign.

For post-compromise activity, check accounts with any successful ROPC sign-in during the June 12 to July 2 window for secondary artifacts: new email forwarding rules, OAuth application consent grants added after the compromise date, new external contacts, and SharePoint or OneDrive download volumes inconsistent with the user's normal pattern. Attacker activity after initial access typically generates these artifacts within 24 to 48 hours.

For broader context on OAuth-based authentication bypass patterns in Microsoft 365, our prior analysis of the ConsentFix OAuth attack chain covers overlapping detection methods applicable to this credential spray attack path.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Close the Conditional Access Gap Before Your Organization Is Next

Closing the configuration gap the LSHIY campaign exploited requires six specific changes to Microsoft 365 and Azure AD, all achievable without third-party tools.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why Microsoft 365 Password Spray Matters for Your Organization

Microsoft 365 password spray attacks using stolen credentials represent a structurally persistent risk that worsens as more breach data accumulates on dark web markets. The LSHIY campaign required no zero-day exploit, no custom malware, and no social engineering. It required a list of credentials available for purchase and knowledge of the ROPC flow, which has been publicly documented since 2018.

The 155-fold increase in password-spraying attacks Huntress observed across its customer base in 2026 reflects a supply-side collapse in attacker economics: credential dumps have become so large, so cheap, and so frequently refreshed with fresh infostealer logs that the barrier to running this class of attack has reached near-zero. Any threat actor with under $100 and basic knowledge of Azure CLI can replicate what the LSHIY campaign executed.

The exposure is specific. Your organization's Microsoft 365 accounts are statistically likely to appear in at least one dark web credential compilation given the scale of 2025 and 2026 breach data. The question your security team needs to answer today is whether your Conditional Access Policies explicitly block ROPC authentication flows across all client app types. If the answer is unclear, that uncertainty is itself a critical security finding that needs immediate resolution.

Run the Entra sign-in log query for ROPC authentications this week. Block Azure CLI for non-administrative users this week. Require MFA for all cloud apps and all client types this week. These three changes close the structural gap the LSHIY campaign exploited and eliminate the attack path for every future campaign using this same technique.

The bottom line

Microsoft 365 password spray attacks using stolen dark web credentials are an active, confirmed threat against any organization that has not blocked ROPC authentication flows in Conditional Access. Three key facts: ROPC bypasses MFA regardless of how MFA is configured unless Conditional Access explicitly covers all client app types; 64 organizations with MFA deployed were still breached; LSHIY attack activity ended July 2 but compromised accounts remain accessible without active remediation. Audit your Azure CLI sign-in logs for June 12 through July 2, 2026 today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is a Microsoft 365 password spray attack?

A Microsoft 365 password spray attack submits stolen username and password pairs from dark web breach databases against Microsoft 365 tenants at low volume per account, avoiding lockout thresholds while systematically identifying valid credentials. The LSHIY campaign used this technique via the Azure CLI ROPC OAuth flow, generating 81 million attempts across 14 days and compromising 78 accounts without triggering standard authentication alerts.

How does ROPC bypass multi-factor authentication in Microsoft 365?

Resource Owner Password Credentials (ROPC) is a deprecated OAuth 2.0 flow that sends a username and password directly to Microsoft's /token endpoint without triggering an interactive browser session. Multi-factor authentication in Microsoft 365 is enforced at the authorization endpoint, which is the interactive login screen. Because ROPC never hits that endpoint, MFA is never triggered. Any Conditional Access Policy that does not explicitly include all client app types leaves ROPC authentication completely unprotected.

How many organizations were affected by the LSHIY Microsoft 365 campaign?

Huntress confirmed 78 Microsoft 365 accounts compromised across 64 organizations in its managed security customer base during the June 12 to June 26, 2026 campaign window. This figure represents only organizations monitored by Huntress. The total number of affected organizations globally is unknown, as the campaign targeted Microsoft 365 tenants indiscriminately based on credential availability rather than sector, size, or geography.

Is there a patch that stops the ROPC authentication bypass in Microsoft 365?

There is no patch because ROPC is not a vulnerability in the traditional sense. It is a deprecated authentication protocol that Microsoft recommends against but has not removed from the platform. The fix is a configuration change: create a Conditional Access Policy requiring MFA for all users, all cloud apps, and all client app types. This explicitly covers the ROPC flow and blocks password spray attacks that exploit it, with no third-party tools required.

How do I detect LSHIY password spray activity in my Microsoft Entra logs?

Query the SigninLogs table in Microsoft Sentinel for ClientAppUsed equals Azure CLI where ResultType equals 0 and GrantControls is empty or None. This surfaces successful ROPC authentications that bypassed MFA. Any successful sign-in sourced from AS32167 (IPv6 range 2a0a:d683::/32) during June 12 through July 2, 2026 is a confirmed compromise indicator. Immediately reset credentials and revoke sessions for any matching account.

How do attackers get the passwords they use in Microsoft 365 spray campaigns?

Attackers buy credential databases from dark web markets where billions of username and password pairs from past corporate breaches are sold in bulk. These databases are assembled from data breaches, infostealer malware that harvests browser-stored passwords, and phishing kits that capture credentials at fake Microsoft 365 login pages. A single dark web cluster discovered in June 2026 contained 24 billion credential pairs across 36 data sources, with records continuously updated from fresh infostealer malware logs.

Is MFA alone enough to protect Microsoft 365 accounts from password spray attacks?

MFA is not sufficient if Conditional Access Policies do not cover all client app types. The LSHIY campaign bypassed MFA in 56 of 64 affected organizations that had MFA enabled. The gap in each case was a Conditional Access Policy scoped to specific apps or user groups rather than all cloud apps and all client app types. MFA stops password spray attacks only when enforced on every authentication path, including ROPC, Exchange ActiveSync, and other legacy authentication flows.

What should I do immediately if my organization uses Azure CLI?

Do three things today: query your Entra sign-in logs for successful ROPC authentications during June 12 through July 2, 2026; update your Conditional Access MFA policy to include all client app types; and restrict the Azure CLI application (app ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46) to administrative users only. If you find successful ROPC sign-ins from the LSHIY range 2a0a:d683::/32, treat those accounts as compromised and execute credential resets and session revocation immediately.

Sources & references

  1. BleepingComputer: Hackers target Microsoft 365 accounts with 81 million login attempts
  2. The Hacker News: Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
  3. TechRadar: 81 million login attempts hit Microsoft 365 accounts via password-spraying and OAuth bypass
  4. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.