An automated password spray attack compromised at least 78 Azure accounts across 64 organizations between June 12-26 because multi-factor authentication was improperly configured or not enforced. Small business owners must audit MFA settings immediately, as weak configurations leave accounts vulnerable even when MFA appears enabled.
Today's cybersecurity update covers four critical stories for small business owners:
A massive automated password spray attack targeted Microsoft Azure CLI accounts, with over 81 million login attempts between June 12-26, 2026, compromising at least 78 accounts across 64 organizations. The attack exploited weak multi-factor authentication configurations, demonstrating that MFA must be properly configured and enforced across all applications.
Insurance giant Aflac disclosed a major data breach affecting millions of customers in their Japan operations. Between June 15-25, unauthorized attackers accessed policy details, personal information, and banking data, highlighting the importance of having a tested incident response plan.
Citrix released critical security patches for six NetScaler vulnerabilities that could allow attackers to read sensitive files or cause denial-of-service conditions. Organizations using NetScaler ADC or Gateway should update immediately.
Over 900 Oracle E-Business Suite systems are currently under active attack due to unpatched critical vulnerabilities, emphasizing that security updates are not optional.
Key takeaways for business owners: audit your MFA settings to ensure proper enforcement, apply all critical patches promptly, and test your incident response plan before you need it.
How does MFA configuration failure lead to breach exposure?
The Azure attack exploited weak MFA setups, not the absence of MFA itself. Attackers used password spray techniques against 81 million login attempts to find accounts where MFA was misconfigured, disabled for certain apps, or not enforced on all entry points. This mirrors the Aflac breach pattern: attackers target configuration gaps, not just unpatched systems. CISA regularly flags MFA misconfigurations as top SMB vulnerabilities. For manufacturers and professional services firms, the immediate action is mandatory: review all cloud accounts (Azure, Microsoft 365, Google Workspace) and verify MFA is required at login, not optional, across every application. Test that MFA actually blocks access when disabled. Many SMBs enable MFA but skip enforcement, creating the exact gap attackers exploited here.
Key takeaways
- Audit MFA settings now: verify enforcement is required, not optional, for all user accounts and applications
- Test MFA blocks access: disable it on a test account and confirm the system denies login without the second factor
- Patch Oracle E-Business Suite and Citrix NetScaler immediately; 900+ systems are under active attack due to unpatched CVEs
- Build an incident response plan before breach happens: Aflac breach shows attackers had 10-day access window before detection
Frequently asked questions
What is a password spray attack and why does it work against weak MFA?
Password spray sends a single common password (or credential list) across millions of accounts to avoid lockouts. Weak MFA configurations allow the initial login to succeed, bypassing MFA prompts on secondary apps or giving attackers time to disable MFA through account settings. Proper MFA enforcement blocks login immediately after password entry, stopping sprays at the first factor.
How do I know if my MFA is actually enforced across all my business apps?
Log in as a test user, disable or ignore the MFA prompt, and try to access sensitive apps or data. If access succeeds, MFA is not enforced. For cloud accounts, check conditional access policies (Azure) or equivalent rules in your provider's admin console. Many SMBs turn on MFA for login but skip enforcement on apps and API access, creating the vulnerability this attack exploited.
Should I be worried about the Citrix and Oracle vulnerabilities if I don't use those systems?
If your business does not run NetScaler ADC/Gateway or Oracle E-Business Suite, these specific CVEs do not apply to you. However, the principle applies: unpatched critical vulnerabilities in any system you operate will be exploited. Establish a patch schedule and test updates on non-production systems first to avoid downtime.
What should an incident response plan include after a breach like Aflac's?
A tested plan must cover discovery (who detects the breach), containment (isolate affected systems), notification (customers, regulators, law enforcement), and recovery (restore from clean backups, verify attackers are removed). The Aflac breach shows that 10 days of undetected access can expose millions of records. Practice your plan quarterly with a test scenario.
Sources
- https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html
- https://www.infosecurity-magazine.com/news/insurance-giant-aflac-data-breach/
- https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
- https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/