Large-scale password spray campaign targets Azure CLI with 81M+ attempts, compromising 78+ Microsoft accounts
A sustained password spray attack originating from an IPv6 range controlled by LSHIY LLC has targeted Azure CLI with over 81 million login attempts between mid-June and late June 2026, successfully compromising at least 78 Microsoft accounts. This represents a significant threat to organisations using Azure command-line tooling without robust account protection measures.
Huntress researchers have documented a sustained automated password spray campaign targeting Microsoft's Azure command-line interface, with attackers executing over 81 million login attempts across a two-week period in June 2026. The attack infrastructure traces to an IPv6 address range (2a0a:d683::/32) operated by LSHIY LLC (AS32167), suggesting either a compromised ISP resource or an actor operating under minimal obfuscation. The campaign successfully compromised at least 78 Microsoft accounts, indicating either weak credential hygiene among targets or a substantial proportion of accounts using common or previously compromised passwords.
Password spray attacks remain deceptively effective against cloud authentication systems because they distribute requests across many accounts using common passwords, evading per-account rate limiting that would trigger on traditional brute force attacks. Azure CLI authentication, when not protected by conditional access policies or multi-factor authentication, presents an attractive target: the tooling is widely deployed across development teams, DevOps pipelines, and infrastructure automation, yet often runs in environments with minimal logging or alerting.
Organisations using Azure CLI should assume that any account without enforced multi-factor authentication has been targeted by this campaign and potentially compromised. The 78 confirmed breaches likely represent only accounts with predictable passwords or those previously exposed in other breaches. Attackers gaining CLI access can create persistent backdoors, modify infrastructure, exfiltrate data, or pivot to connected systems.
Defenders should immediately enforce MFA on all Azure accounts with CLI access, enable Azure AD sign-in risk policies to flag suspicious authentication patterns, and review Azure Activity Logs for unusual CLI commands executed during the attack window (12-26 June 2026). Organisations should also rotate credentials for service principals and managed identities used in automation, audit CLI client IDs for unauthorised applications, and consider blocking authentication from the identified IPv6 range at the network perimeter where feasible.
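The two retrospective checks above (hunting sign-in telemetry for the spray pattern and matching sources against the reported IPv6 range) as an added Python example; this is illustrative code written for this article, not Huntress or Microsoft tooling. The sign-in records, field names, user names and addresses are constructed for the example; only the 2a0a:d683::/32 prefix comes from the report.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry); field names are invented
# for this example and do not follow the Entra ID sign-in log schema.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "ip": "2a0a:d683:1::10", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "bob@example.test", "ip": "2a0a:d683:1::11", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "carol@example.test", "ip": "2a0a:d683:2::5", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "dave@example.test", "ip": "2a0a:d683:2::6", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "erin@example.test", "ip": "2a0a:d683:3::1", "app": "Microsoft Azure CLI", "ok": True},
    {"user": "frank@example.test", "ip": "2a0a:d683:3::2", "app": "Microsoft Azure CLI", "ok": False},
    # One user failing twice from one office address: brute-force shape, not a spray.
    {"user": "grace@example.test", "ip": "203.0.113.7", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "grace@example.test", "ip": "203.0.113.7", "app": "Microsoft Azure CLI", "ok": False},
    {"user": "grace@example.test", "ip": "203.0.113.7", "app": "Microsoft Azure CLI", "ok": True},
]

# The range named in the report, for perimeter blocking and retro-hunting.
REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")

def in_reported_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 6 and addr in REPORTED_RANGE

def source_key(ip: str) -> str:
    """Aggregate by /32 for IPv6 and /24 for IPv4 so a spray that rotates hosts
    inside one allocation still collapses to a single source."""
    addr = ipaddress.ip_address(ip)
    plen = 32 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

def detect_spray(records, app="Microsoft Azure CLI", min_accounts=5, max_per_account=2):
    """Flag source prefixes that fail against many distinct accounts with few tries
    each: the shape per-account lockout never sees. Returns {prefix: sorted users}."""
    failures = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["app"] != app or r["ok"]:
            continue
        failures[source_key(r["ip"])][r["user"]] += 1
    hits = {}
    for prefix, per_user in failures.items():
        low_and_wide = [u for u, n in per_user.items() if n <= max_per_account]
        if len(low_and_wide) >= min_accounts:
            hits[prefix] = sorted(low_and_wide)
    return hits

def compromised_from_source(records, prefix):
    """Successful sign-ins from a flagged source: the accounts to reset and review first."""
    return sorted({r["user"] for r in records if r["ok"] and source_key(r["ip"]) == prefix})
```

Against real sign-in logs the same logic should be run per application and over the attack window, since a spray of this size shows up as many low-count failures spread across accounts rather than as a single account locking out.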
This campaign demonstrates that Azure's identity infrastructure, while technically robust, depends entirely on organisational discipline in applying available protections. The campaign's persistence and scale suggest either a financially motivated actor conducting credential harvesting for resale, or a state-sponsored operation building access for later exploitation. Either scenario warrants treating this as a high-priority incident for any organisation with Microsoft cloud presence.