Massive Password Spray Attack Targets Azure CLI, Exceeding 81 Million Attempts
An automated password spray campaign has targeted Microsoft's Azure CLI, attempting over 81 million password combinations against at least 78 accounts.

Cybersecurity researchers have identified a large-scale, automated password spray attack specifically targeting Microsoft's Azure command-line interface (CLI). The campaign, which ran from June 12 to June 26, originated from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC (AS32167).
During this two-week period, threat actors made an astonishing number of attempts, trying over 81 million different password combinations against at least 78 Microsoft accounts. The primary goal of such attacks is typically to gain unauthorized access to accounts by systematically testing common or previously leaked credentials.
While the exact impact and number of successful compromises are still under investigation, the sheer volume of attempts raises significant concerns. Attackers often use password spraying to bypass account lockout policies by spreading attempts across many accounts, making detection more challenging. The use of Azure CLI suggests a focus on gaining access to cloud resources and infrastructure managed through this powerful tool.
Researchers at Huntress, who brought this activity to light, noted the sophisticated nature of the attack, highlighting the use of an extensive IPv6 range to mask the origin and scale of the operations. The targeting of Azure CLI is particularly concerning, as compromised accounts could grant attackers access to sensitive data, cloud services, and potentially critical infrastructure.
Microsoft's Azure CLI is a vital tool for developers and IT professionals managing cloud resources. Unauthorized access could lead to data breaches, service disruptions, or the deployment of malicious resources within a victim's cloud environment. The attackers appear to be leveraging known password spraying techniques, adapted for the cloud-native environment.
While no specific CVEs have been directly linked to this particular password spray campaign, it underscores the persistent threat of credential stuffing and brute-force attacks against cloud services. Organizations using Azure are advised to implement strong authentication measures, such as multi-factor authentication (MFA), and monitor their access logs for suspicious activity.
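As an added illustration of the access-log monitoring advised above (not code from Huntress, Microsoft or the original report): when failed sign-ins are spread across an IPv6 range, a per-address threshold sees almost nothing, so this sketch groups Azure CLI password failures by covering prefix instead. The record fields are modelled on Entra ID sign-in log fields, and the /48 grouping, the thresholds and every sample record are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

AZURE_CLI_APP = "Microsoft Azure CLI"  # appDisplayName as shown in Entra sign-in logs
BAD_PASSWORD = 50126                   # Entra error code: invalid username or password
PREFIX_LEN = 48                        # assumption: aggregate IPv6 sources per /48


def rec(user, ip, code=BAD_PASSWORD, app=AZURE_CLI_APP):
    return {"userPrincipalName": user, "ipAddress": ip,
            "errorCode": code, "appDisplayName": app}


# Constructed sample records (RFC 3849 / RFC 5737 documentation addresses).
SAMPLE = [rec(f"user{i % 2}@example.com", f"2001:db8:a:{i:x}::{i + 1:x}")
          for i in range(6)]
SAMPLE += [
    rec("alice@example.com", "2001:db8:ffff::5"),             # one mistyped password
    rec("bob@example.com", "198.51.100.7"),                   # single IPv4 failure
    rec("user0@example.com", "2001:db8:a:9::1", code=0),      # success, ignored
    rec("carol@example.com", "2001:db8:a:a::1", app="Azure Portal"),  # other app
]


def source_key(ip):
    """Collapse an IPv6 address to its covering prefix; keep IPv4 as-is."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/{PREFIX_LEN}", strict=False))


def cli_failures(records):
    return [r for r in records
            if r["appDisplayName"] == AZURE_CLI_APP and r["errorCode"] == BAD_PASSWORD]


def max_failures_per_ip(records):
    """What a naive per-address threshold would see."""
    return max(Counter(r["ipAddress"] for r in cli_failures(records)).values())


def find_sprays(records, min_failures=5, min_addresses=3):
    """Flag prefixes with many failures spread over many distinct addresses."""
    groups = defaultdict(list)
    for r in cli_failures(records):
        groups[source_key(r["ipAddress"])].append(r)
    return {
        prefix: {"failures": len(rs),
                 "addresses": len({r["ipAddress"] for r in rs}),
                 "users": sorted({r["userPrincipalName"] for r in rs})}
        for prefix, rs in groups.items()
        if len(rs) >= min_failures and len({r["ipAddress"] for r in rs}) >= min_addresses
    }
```

On the constructed sample no single address exceeds one failure, yet the /48 view surfaces six failures against two accounts; the prefix length and thresholds need tuning against a tenant's own baseline.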
This incident serves as a stark reminder of the ongoing need for robust security practices in cloud environments. The scale of the attack suggests a well-resourced adversary, and the targeting of a core management tool like Azure CLI highlights a strategic approach to compromising cloud infrastructure. Continuous vigilance and adherence to security best practices are paramount in defending against such widespread credential-based attacks.
This new report from SecurityWeek adds that the massive password spray campaign targeting Azure CLI originated from systems associated with the hosting provider LSHIY. The campaign generated over 81 million login attempts, underscoring the scale and sophistication of the brute-force efforts.