Massive Azure CLI Attack Hits 78 Microsoft Accounts


A massive Azure CLI password spray attack has compromised at least 78 Microsoft accounts with over 81 million login attempts. Learn how to protect your cloud environment from this ongoing threat.

Cybersecurity researchers have sounded the alarm about a massive, ongoing, automated password spray attack targeting Microsoft's Azure command-line interface (CLI). The campaign has already compromised at least 78 Microsoft accounts, with over 81 million login attempts logged so far. The activity, tracked by security firm Huntress, originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). Between June 12 and June 26, the threat actors launched a relentless barrage of password guesses aimed specifically at Azure CLI authentication endpoints.

### What Is a Password Spray Attack?

A password spray attack isn't like a traditional brute-force attempt, where attackers try thousands of passwords against a single account. Instead, it's more subtle: attackers pick a few commonly used passwords (think "Password123" or "Welcome1") and try them across many different accounts. This approach helps them avoid triggering account lockouts or raising suspicion. Think of it like a thief trying a single key on every door in a neighborhood rather than trying a hundred keys on one lock. It's slower, but much harder to detect.

### Why Azure CLI Is a Target

The Azure CLI is a powerful tool that lets developers and IT admins manage cloud resources from the command line. Because it's designed for automation and scripting, it often has fewer security guardrails than the web-based Azure portal. Attackers know this, so they target CLI endpoints specifically.

Huntress researchers noted that the attackers used a wide range of IP addresses from the LSHIY LLC network. This distributed approach makes it tougher for Microsoft to simply block a single IP or range: the attackers constantly rotate their source addresses, staying one step ahead of basic defenses.

### Who's at Risk?
Any organization using Microsoft Azure could be affected, but the most vulnerable are those with weak password policies or without multi-factor authentication (MFA) enabled. Small and medium businesses often fall into this category because they lack dedicated security teams. Key risk factors include:

- No MFA on admin accounts
- Weak password complexity requirements
- Using shared or generic accounts
- Not monitoring for unusual login patterns

### How to Protect Yourself

If you're an Azure admin, here's what you need to do right now:

- Enable MFA on every single account, especially those with admin privileges.
- Use conditional access policies to block logins from suspicious IP ranges.
- Monitor Azure AD sign-in logs for unexpected failed attempts.
- Implement a strong password policy that requires long, complex passwords.
- Consider passwordless authentication methods such as Windows Hello or FIDO2 keys.

### The Bigger Picture

This attack is a reminder that cloud security isn't a set-it-and-forget-it exercise. As more businesses move to the cloud, attackers are getting smarter about how they target these environments, and password spray attacks are becoming more common because they work. Microsoft has likely already taken steps to mitigate this specific campaign, but the underlying vulnerabilities remain. The best defense is a proactive one: assume you're being targeted and build your security accordingly.

In the end, this isn't just about Azure. It's about how we think about authentication in a world where passwords are no longer enough. The attackers aren't going to stop, and neither should we.
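The advice above to monitor sign-in logs for unexpected failures is easier to act on with a concrete check for the spray shape this article describes: a few guesses per account, spread over many accounts, from hosts that rotate inside one network range. The Python below is an added example, not code from Huntress or Microsoft; it runs over a constructed sample of sign-in records (simplified, assumed field names), aggregates sources by /32 for IPv6 and /24 for IPv4 (assumed widths) so rotating hosts in one block still add up, and flags blocks that fail against many distinct accounts with only a guess or two each.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (field names simplified and assumed;
# real sign-in exports carry many more fields). Eight accounts each get one
# failed guess from a different host inside the 2a0a:d683::/32 block, the
# rotating-source spray pattern; alice is an ordinary mistype-then-retry
# from a single office address and must not be flagged.
SAMPLE_LOGS = [
    {"user": f"user{i}@example.com", "ip": f"2a0a:d683:{i:x}::1", "ok": False}
    for i in range(1, 9)
] + [
    {"user": "alice@example.com", "ip": "10.0.0.5", "ok": False},
    {"user": "alice@example.com", "ip": "10.0.0.5", "ok": False},
    {"user": "alice@example.com", "ip": "10.0.0.5", "ok": True},
]


def source_prefix(ip: str) -> str:
    """Collapse a source address to its block (/32 for IPv6, /24 for IPv4,
    assumed widths) so that rotating hosts within one range aggregate."""
    addr = ipaddress.ip_address(ip)
    width = 32 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{addr}/{width}", strict=False))


def detect_spray(records, min_accounts=5, max_per_account=2):
    """Return {prefix: sorted account list} for source blocks whose failed
    sign-ins touch at least min_accounts distinct users with no more than
    max_per_account failures each. Many accounts, few guesses per account is
    the spray signature; one account, many guesses would be brute force."""
    failures = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not rec["ok"]:
            failures[source_prefix(rec["ip"])][rec["user"]] += 1
    findings = {}
    for prefix, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings[prefix] = sorted(per_user)
    return findings


if __name__ == "__main__":
    for prefix, users in detect_spray(SAMPLE_LOGS).items():
        print(f"possible password spray from {prefix}: {len(users)} accounts, e.g. {users[0]}")
```

Tune `min_accounts` and `max_per_account` to your tenant's size; a real run would also pull records from the sign-in log export rather than an inline list.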