Attackers launched a large-scale password spray campaign against Microsoft Azure CLI, compromising at least 78 Microsoft user accounts across 81 million login attempts over two weeks.

Huntress researchers identified the assault as originating from an IPv6 address range (2a0a:d683::/32) operated by LSHIY LLC, an internet infrastructure provider with autonomous system number AS32167. The attack ran from June 12 through June 26, using automated tooling to test weak or commonly reused credentials against Azure CLI endpoints.

Password spray attacks differ from brute-force assaults. Rather than hammering a single account with many passwords, attackers try common passwords against thousands of accounts. This approach evades lockout mechanisms that trigger after repeated failed login attempts on one user.
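The distinction above, applied to sign-in records as an added detection example (not code from Huntress or Microsoft): failures are grouped by source network, and sources that touch many accounts with few guesses each are separated from sources that hammer one account. The record fields (`user`, `ip`, `error_code`), the thresholds and the sample events are constructed assumptions; only the 2a0a:d683::/32 range comes from this article.

```python
import ipaddress
from collections import defaultdict

# Range named in the article; thresholds and field names below are assumptions.
REPORTED_RANGE = ipaddress.ip_network("2a0a:d683::/32")

def source_key(ip, v6_prefix=48, v4_prefix=24):
    """Collapse an address to its enclosing network so address rotation counts as one source."""
    addr = ipaddress.ip_address(ip)
    prefix = v6_prefix if addr.version == 6 else v4_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def classify_sources(events, spray_min_users=5, spray_max_avg=3.0, brute_min=10):
    """Map each suspicious source network to the pattern its failures show."""
    failures = defaultdict(lambda: defaultdict(int))  # network -> user -> failed logins
    successes = defaultdict(set)                      # network -> users who logged in
    for e in events:
        net = source_key(e["ip"])
        if e["error_code"] == 0:                      # assumption: 0 means success
            successes[net].add(e["user"])
        else:
            failures[net][e["user"]] += 1
    findings = {}
    for net, per_user in failures.items():
        avg = sum(per_user.values()) / len(per_user)
        if len(per_user) >= spray_min_users and avg <= spray_max_avg:
            pattern = "spray"          # many accounts, few guesses each
        elif max(per_user.values()) >= brute_min:
            pattern = "brute_force"    # many guesses against one account
        else:
            continue                   # e.g. a user mistyping a password
        findings[str(net)] = {
            "pattern": pattern,
            "users_targeted": len(per_user),
            # A success from a flagged network marks a likely compromised account.
            "compromised": sorted(successes[net]),
            "in_reported_range": net.version == 6 and net.subnet_of(REPORTED_RANGE),
        }
    return findings

# Constructed sample events (not real log data); 50126 stands in for a failed login.
SAMPLE = (
    [{"user": f"user{i}@example.com", "ip": f"2a0a:d683:1::{i:x}", "error_code": 50126}
     for i in range(1, 7)]
    + [{"user": "user3@example.com", "ip": "2a0a:d683:1::ff", "error_code": 0}]
    + [{"user": "admin@example.com", "ip": "203.0.113.7", "error_code": 50126}] * 12
    + [{"user": "alice@example.com", "ip": "198.51.100.20", "error_code": 50126},
       {"user": "alice@example.com", "ip": "198.51.100.20", "error_code": 0}]
)
```

Per-account lockout counters never see the first pattern, which is why the grouping is by source network rather than by user.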

The 81 million attempts succeeded against 78 accounts, indicating the attackers possessed lists of valid email addresses tied to Azure services. Compromise of these accounts grants attackers direct command-line access to cloud infrastructure, storage, databases, and virtual machines hosted in Azure environments.

Organisations using Azure should treat this campaign seriously. Compromised credentials allow threat actors to move laterally within cloud infrastructure, exfiltrate data, deploy malware, or launch ransomware operations. The scale of the attack, spanning over 81 million attempts, suggests the threat actors operated with significant resources and persistence.

Microsoft has not publicly confirmed the attack or announced whether additional accounts beyond the 78 identified by Huntress were compromised. Huntress did not disclose which specific organisations were targeted, limiting visibility into attack scope.

Security teams should enforce multi-factor authentication (MFA) on all Azure accounts immediately. MFA blocks attackers even when they obtain valid passwords. Review Azure sign-in logs for suspicious activity, particularly from non-standard geographic locations. Change passwords for any accounts showing unusual access patterns. Monitor