
Azure Password-Spraying Attack Circumvents MFA Defenses


Threat Actor Uses Deprecated OAuth 2.0 Authentication Flow

Image: Shutterstock/ISMG

The recent surge in password-spraying attacks against Microsoft Office 365 accounts has raised significant alarm within cybersecurity circles. Attackers targeting these accounts have reportedly succeeded in breaching a notable number of victims, even in scenarios where multifactor authentication (MFA) is already in place.

According to insights from the cybersecurity firm Huntress, these automated, brute-force attacks have been trying to exploit user credentials to access the Microsoft Azure command-line interface. During a concentrated attack phase from June 12 to a recent Friday, Huntress recorded an astounding 81 million login attempts against its customer base. This onslaught culminated in the attackers gaining unauthorized remote access to at least 78 accounts spread across 23 different organizations.

Notably, access was achieved despite the targeted organizations employing Microsoft Entra Conditional Access, the security giant’s implementation of a Zero Trust policy designed to bolster security measures. Conditional Access is meant to strengthen protection of Microsoft 365 environments by enforcing multifactor authentication for users, thereby creating an additional layer of security against unauthorized access.

Reports emerging from multiple organizations on platforms like Reddit indicated that the attacks traced back to a limited selection of IPv6 addresses owned by a Chinese infrastructure provider known as LSHIY. Each of these malicious IP addresses was executing roughly 75 attempts per user per hour. The sheer volume of these attempts reportedly left legitimate users locked out of their accounts even before access policies could be enforced. Unfortunately, Entra’s Smart Lockout feature, a mechanism designed to distinguish bot activity from legitimate users, fell short in this scenario.

A cybersecurity user lamented the situation on Reddit, stating, “Smart Lockout doesn’t seem to make the attacker move on, likely because this is bot/AI-initiated. We end up having to change the username itself to stop the attacks, but that’s obviously not scalable for thousands of accounts should the scope increase.” This raises concerns about how effective existing defense mechanisms are in the face of such high-traffic attacks.

Huntress elaborated further on the modus operandi of the attackers, who appeared to be leveraging a vast pool of stolen credentials. These threats mainly involved utilizing old username/password combinations that had been previously compromised but never renewed. It’s still unclear whether these credentials were gathered through information-stealing malware or are part of extensive collections of leaked credentials online.

Clients who fell victim to these breaches, even where MFA was enabled, remained vulnerable because they had not restricted the OAuth 2.0 resource owner password credentials (ROPC) grant. This grant lets a client obtain valid authentication tokens on a user’s behalf with nothing more than the user’s username and password.

Huntress provided a technical breakdown of the attack flow, explaining, “This auth flow takes a username/password at the /token endpoint for a tenant and mints a new user-delegated token once provided with the correct credentials. The system subsequently sends the password directly to the /token endpoint without prompting an interactive MFA challenge.”

This means that attackers holding valid credentials could use the ROPC grant to gain unauthorized remote access, effectively bypassing MFA and single sign-on (SSO), because ROPC is a deprecated OAuth 2.0 flow that some organizations continue to use.

Andrew Brandt, a cybercrime analyst at Huntress and a co-author of the research, voiced concerns on the social platform Mastodon, urging, “This attack bypasses MFA and SSO due to the use of the deprecated—but still functional—OAuth Resource Owner Password Credentials 2.0 flow. It’s a reminder that many individuals still employ credentials that were compromised years earlier without ever changing them. It’s crucial, therefore, for users to regularly update their passwords!”

It’s important to note that the Internet Engineering Task Force (IETF) has deprecated ROPC in the OAuth 2.1 specification, recognizing it as a significant security risk. While the draft has been released, a finalized version is yet to be published; nonetheless, numerous organizations have already begun adopting the associated security revisions.

To prevent similar attacks through ROPC, organizations are advised to employ Conditional Access measures to enforce MFA for Azure CLI logins. Yet, among the 23 victims identified by Huntress, approximately one-third lacked any MFA policy whatsoever. The remaining organizations either limited MFA to specific groups or applications or merely had it set in report-only mode, meaning it was not actively enforced. There were also reports of some organizations relying on location restrictions for MFA, a technique deemed inadequate as a stand-alone control, since many attacks circumvent such filters using IP addresses that geolocation data mislabels as U.S.-based.

Going forward, researchers encourage organizations to ensure that Conditional Access policies are configured to apply to all users and all cloud apps. Additionally, the userStrongAuthClientAuthNRequired parameter should be enabled so that MFA is required during authentication before access is granted. Limiting access to the Azure CLI application exclusively to administrative users is also a consideration for enhanced security.
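As an added example (not from the article and not Huntress’s code), the Python below triages constructed Entra sign-in records for the two conditions the article describes: a single IP failing sign-ins across many accounts, and successful ROPC sign-ins to the Azure CLI app where Conditional Access was not enforced (no policy applied, or report-only). Field names follow the Microsoft Graph signIn resource; the records, addresses and user names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records shaped like Microsoft Graph signIn objects (values are
# made up; errorCode 0 = success, 50126 = wrong password, 50053 = account locked).
SAMPLE_SIGN_INS = """
{"userPrincipalName":"a.lee@example.com","ipAddress":"2001:db8::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"notApplied","status":{"errorCode":50126}}
{"userPrincipalName":"b.chen@example.com","ipAddress":"2001:db8::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"notApplied","status":{"errorCode":50126}}
{"userPrincipalName":"c.diaz@example.com","ipAddress":"2001:db8::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"notApplied","status":{"errorCode":50126}}
{"userPrincipalName":"a.lee@example.com","ipAddress":"2001:db8::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"notApplied","status":{"errorCode":50053}}
{"userPrincipalName":"d.evans@example.com","ipAddress":"2001:db8::1","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"notApplied","status":{"errorCode":0}}
{"userPrincipalName":"e.fox@example.com","ipAddress":"198.51.100.7","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"authorizationCode","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"userPrincipalName":"f.gray@example.com","ipAddress":"2001:db8::2","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"ropc","conditionalAccessStatus":"success","status":{"errorCode":0}}
"""


def parse_sign_ins(text):
    """One JSON object per line, as exported sign-in logs are commonly stored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def spraying_sources(records, min_users=3):
    """Source IPs whose failed sign-ins span at least min_users distinct accounts.
    Many accounts from one IP is the spray signature, as opposed to one account
    being brute-forced (which Smart Lockout is designed to catch)."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failed[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


def unenforced_ropc_successes(records, app="Microsoft Azure CLI"):
    """Successful ROPC (username/password at the /token endpoint) sign-ins to the
    given app where no Conditional Access policy was enforced. A report-only
    policy also shows up here, because it does not change conditionalAccessStatus
    to "success"; only an enforced, satisfied policy does."""
    hits = []
    for r in records:
        if (r["status"]["errorCode"] == 0
                and r.get("authenticationProtocol") == "ropc"
                and r.get("appDisplayName") == app
                and r.get("conditionalAccessStatus") != "success"):
            hits.append((r["userPrincipalName"], r["ipAddress"]))
    return hits


if __name__ == "__main__":
    recs = parse_sign_ins(SAMPLE_SIGN_INS)
    print("spray sources:", spraying_sources(recs))
    print("ROPC successes with no enforced CA policy:", unenforced_ropc_successes(recs))
```

Every hit from the second check is an account that obtained a token with only a password, which is exactly the gap a report-only or group-scoped MFA policy leaves open.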

Overall, this incident serves as a reminder that password-spraying attacks extend beyond Microsoft services and are increasingly targeting various edge devices, such as routers and firewalls. Huntress reported that over the past six months, the volume of credential spray attacks has skyrocketed by more than 155 times within its customer base. The escalation in attack frequency was particularly notable from late May through early June, with an average of about 1,964 failed attempts recorded monthly per tenant protected by Huntress.

This alarming rise in password-spraying attacks reflects a troubling trend within the cybersecurity landscape. These attacks appear to be automated and opportunistic, working through whatever logins are reachable using lists of previously compromised passwords, and they pose a potential threat to organizations across numerous industries.
