A massive password spray attack compromised at least 78 Azure accounts across 64 organizations by exploiting weak multi-factor authentication (MFA) configuration, showing that MFA alone does not protect accounts unless properly enforced and configured across all applications.
Today's cybersecurity update covers four critical stories for small business owners:
A massive automated password spray attack targeted Microsoft Azure CLI accounts, with over 81 million login attempts between June 12-26, 2026, compromising at least 78 accounts across 64 organizations. The attack exploited weak multi-factor authentication configurations, demonstrating that MFA must be properly configured and enforced across all applications.
Insurance giant Aflac disclosed a major data breach affecting millions of customers in their Japan operations. Between June 15-25, unauthorized attackers accessed policy details, personal information, and banking data, highlighting the importance of having a tested incident response plan.
Citrix released critical security patches for six NetScaler vulnerabilities that could allow attackers to read sensitive files or cause denial-of-service conditions. Organizations using NetScaler ADC or Gateway should update immediately.
Over 900 Oracle E-Business Suite systems are currently under active attack due to unpatched critical vulnerabilities, emphasizing that security updates are not optional.
Key takeaways for business owners: audit your MFA settings to ensure proper enforcement, apply all critical patches promptly, and test your incident response plan before you need it.
How did weak MFA configuration lead to this breach?
Between June 12-26, attackers launched 81 million automated login attempts against Microsoft Azure CLI accounts. The breach succeeded because MFA settings were not properly enforced: either disabled for certain users, not required for CLI access, or configured with methods that allowed bypass. This is not a flaw in MFA itself but in how it was deployed. For small businesses, this means auditing every Azure account, enforcing MFA on CLI tools, and disabling legacy authentication protocols. Check your Azure tenant for accounts without MFA, review conditional access policies, and test whether MFA actually blocks unauthorized logins. CISA and Microsoft both recommend hardware security keys for high-value accounts.
Key takeaways
- Audit every Azure account immediately: verify MFA is enabled, test that it actually blocks failed login attempts, and check CLI and API access specifically.
- Configure conditional access policies in Azure to require MFA for all apps and locations, not just some.
- Apply patches for Citrix NetScaler and Oracle E-Business Suite now; these are actively exploited.
- Document and test your incident response plan so you can recover data and notify customers within hours, not days.
Frequently asked questions
What exactly is MFA configuration and why did weak settings cause this breach?
MFA configuration includes where MFA is required (which apps, users, locations), which methods are allowed (text, authenticator app, hardware key), and whether it can be bypassed. Weak configuration means MFA is optional for some users or disabled for privileged accounts like CLI access. Attackers found accounts where MFA was not enforced and logged in after guessing passwords. You must audit your Azure tenant to see where MFA is truly mandatory.
Should we switch away from Azure because of this attack?
No. The attack did not exploit Azure itself but rather how businesses configured MFA. Azure provides strong security tools; the issue is deployment. Focus on fixing your MFA settings, conditional access policies, and monitoring. The same attack vector would affect any cloud service if MFA is not properly enforced.
What is the single most important action we should take this week?
Audit your Azure Active Directory (Azure AD) MFA settings. Check which accounts have MFA enabled, which applications require it, and test that failed logins are actually blocked. If you use Azure CLI or APIs, enable MFA for those access points immediately. If you do not manage Azure AD in-house, contact your IT provider or MSP and ask for a report.
How do we test whether our MFA configuration is actually working?
Log in to Azure portal with correct credentials but wrong MFA response (wrong code or refuse the prompt). The system should deny access. Try this from inside and outside your office network. If login succeeds without a valid MFA response, your configuration is broken. Report the finding to your IT team.
Sources
- https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html
- https://www.infosecurity-magazine.com/news/insurance-giant-aflac-data-breach/
- https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
- https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/