78+ Microsoft Accounts Compromised in Massive Azure CLI Password Spray Campaign
Researchers discovered a large-scale, automated password spray attack targeting Microsoft Azure CLI that compromised at least 78 accounts across 81 million login attempts. The attack, originating from an IPv6 range controlled by LSHIY LLC, highlights persistent threats to cloud infrastructure credentials.
TL;DR
- At least 78 Microsoft accounts compromised in ongoing Azure CLI password spray attack
- 81+ million login attempts detected between June 12–26 from IPv6 range 2a0a:d683::/32
- Attack infrastructure traced to LSHIY LLC (AS32167), an internet provider
- Organizations should enforce MFA, monitor CLI authentication logs, and rotate credentials
Huntress security researchers have identified a large-scale, automated password spray campaign targeting Microsoft's Azure command-line interface (CLI). Between mid-June and late June, attackers launched over 81 million login attempts from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC, successfully compromising at least 78 user accounts.
Password spray attacks differ from traditional brute-force methods by attempting common passwords across many accounts rather than exhausting passwords on a single target. This approach evades rate-limiting and account lockout protections, making it particularly effective against cloud services. The Azure CLI attack demonstrates how threat actors continue to target cloud infrastructure as organizations increasingly migrate workloads to Azure.
Attack Scale and Infrastructure
- 81+ million login attempts recorded over a 15-day period (June 12–26)
- Attack traffic originated from IPv6 range 2a0a:d683::/32 controlled by LSHIY LLC (AS32167)
- At least 78 Microsoft accounts successfully compromised
- Automated, continuous attack pattern indicates organized threat actor or botnet operation
Defensive Recommendations for Organizations
- Enforce multi-factor authentication (MFA) on all Azure CLI and administrative accounts
- Monitor and alert on failed authentication attempts and unusual login patterns
- Implement IP allowlisting or geographic restrictions where operationally feasible
- Rotate credentials for any accounts with suspicious activity; audit recent CLI usage logs
- Consider disabling legacy authentication protocols and requiring modern authentication methods
Broader Cloud Security Implications
- Azure CLI credentials are high-value targets due to infrastructure access and privilege levels
- Password spray attacks remain effective against organizations with weak credential hygiene
- Cloud service providers face persistent targeting; defenders must assume ongoing attack activity
- Incident response teams should establish baseline authentication telemetry to detect anomalies
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.