Cybersecurity firm Huntress has disclosed details of what it describes as a “massive, ongoing, automated password spray attack” directed at Microsoft’s Azure command-line interface (CLI). The campaign resulted in confirmed compromises of at least 78 Microsoft accounts, with attackers generating more than 81 million authentication attempts during the observed period.

Origin and Attribution

According to Huntress, the attack traffic originates from an IPv6 address range (2a0a:d683::/32) assigned to internet infrastructure provider LSHIY LLC, operating under autonomous system number AS32167. The use of IPv6 infrastructure is notable, as it can complicate detection and blocking efforts for organizations whose monitoring tools are not fully IPv6-aware.

Timeline and Scale

Huntress observed the campaign running between June 12 and June 26, placing the active window at approximately two weeks. The volume of attempts, exceeding 81 million, indicates a highly automated operation, with the Azure CLI serving as the targeted authentication surface rather than web-based login portals. Targeting the CLI layer may allow attackers to bypass certain browser-based conditional access controls or user-facing authentication friction.

Implications for Defenders

Security teams managing Azure environments should take several steps in response to this type of activity:

  • Review authentication logs for anomalous CLI-based sign-in attempts, particularly those originating from IPv6 ranges.
  • Enforce phishing-resistant multi-factor authentication (MFA) across all accounts, including service and administrative accounts that may interact with the Azure CLI.
  • Audit accounts for unexpected access or privilege changes during the June 12 to June 26 window.
  • Consider conditional access policies that restrict or flag CLI-based authentication from unknown or unexpected network ranges.

Password spray attacks, which test a small set of common passwords against a large number of accounts to avoid lockout thresholds, remain a reliable technique against organizations without robust MFA enforcement. The scale of this campaign underscores the continued risk posed by credential-based attacks against cloud management interfaces, which often carry broad administrative permissions.
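As an added illustration of the log-review step above and of the spray pattern just described (this is example code written for this article, not Huntress's or Microsoft's tooling), the following script scans constructed sign-in records for Azure CLI authentications from the reported 2a0a:d683::/32 range and reports the accounts targeted, the accounts with a successful sign-in from that range, and whether the attempt distribution looks like a spray (many accounts, few attempts each). The record layout (appDisplayName, userPrincipalName, ipAddress, status.errorCode) and the "Microsoft Azure CLI" application name are assumptions loosely modelled on Entra ID sign-in log fields; adapt them to your export.

```python
import ipaddress
import json
from collections import defaultdict

# IPv6 prefix reported by Huntress as the source of the campaign.
SPRAY_PREFIX = ipaddress.ip_network("2a0a:d683::/32")

# Constructed sample records (not real data). Field names are an assumption
# modelled on Entra ID sign-in logs; errorCode 0 is treated as success.
SAMPLE_LOG = [
    '{"appDisplayName":"Microsoft Azure CLI","userPrincipalName":"alice@example.test","ipAddress":"2a0a:d683:1::10","status":{"errorCode":50126}}',
    '{"appDisplayName":"Microsoft Azure CLI","userPrincipalName":"bob@example.test","ipAddress":"2a0a:d683:1::11","status":{"errorCode":50126}}',
    '{"appDisplayName":"Microsoft Azure CLI","userPrincipalName":"carol@example.test","ipAddress":"2a0a:d683:2::5","status":{"errorCode":50126}}',
    '{"appDisplayName":"Microsoft Azure CLI","userPrincipalName":"dave@example.test","ipAddress":"2a0a:d683:2::6","status":{"errorCode":0}}',
    '{"appDisplayName":"Microsoft Azure CLI","userPrincipalName":"alice@example.test","ipAddress":"2001:db8::1","status":{"errorCode":0}}',
    '{"appDisplayName":"Azure Portal","userPrincipalName":"erin@example.test","ipAddress":"2a0a:d683:3::9","status":{"errorCode":50126}}',
]


def in_spray_range(ip: str) -> bool:
    """True if the address falls inside the reported /32 (IPv4 or junk -> False)."""
    try:
        return ipaddress.ip_address(ip) in SPRAY_PREFIX
    except ValueError:
        return False


def analyze(lines, min_users: int = 3, max_per_user: int = 3) -> dict:
    """Summarise Azure CLI sign-ins originating from the spray prefix.

    Returns the distinct accounts targeted from the prefix, the accounts with a
    successful sign-in from the prefix (candidates for compromise), and a
    'spray' flag: at least min_users accounts hit, none more than max_per_user
    times, which is the low-and-slow shape that evades lockout thresholds.
    """
    attempts = defaultdict(int)
    successes = set()
    for line in lines:
        rec = json.loads(line)
        if rec.get("appDisplayName") != "Microsoft Azure CLI":
            continue  # only the CLI authentication surface is of interest here
        if not in_spray_range(rec.get("ipAddress", "")):
            continue
        user = rec["userPrincipalName"]
        attempts[user] += 1
        if rec.get("status", {}).get("errorCode") == 0:
            successes.add(user)
    spray = len(attempts) >= min_users and all(n <= max_per_user for n in attempts.values())
    return {"targeted": sorted(attempts), "compromised": sorted(successes), "spray": spray}
```

Accounts listed under "compromised" should be reviewed for unexpected access or privilege changes during the campaign window, per the audit step above.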

Huntress has characterized the campaign as ongoing, suggesting organizations should treat this as an active threat rather than a concluded incident.