Threats | 4 min read | 1 July 2026

81 Million Authentication Attempts: Azure CLI Password Spray Breaches 78 Cloud Tenants

A two-week campaign fired more than 81 million login attempts at Microsoft's Azure command-line interface from a single IPv6 block, successfully compromising at least 78 accounts — exposing how programmatic cloud access often sits outside standard MFA controls.

Elena Fischer, Threat Intelligence Analyst

A sustained password spray campaign targeting Microsoft's Azure CLI (`az login`) endpoint compromised at least 78 accounts across an estimated 81 million authentication attempts between June 12 and June 26, 2025, according to telemetry published by Huntress.

What Happened

All observed attack traffic originated from a single IPv6 allocation — the `2a0a:d683::/32` CIDR block — assigned to internet infrastructure provider LSHIY LLC, operating under autonomous system number AS32167. That concentration is operationally unusual. Standard commodity spray operations rotate through residential proxy networks or bulletproof hosting to dissolve into background authentication noise. Pushing 81 million attempts through one allocation is either a tactical error or a calculated bet that most organizations are not blocking traffic at the IPv6 CIDR level.

Huntress has not attributed the activity to a named threat cluster. No public overlap with a tracked nation-state actor existed at time of writing. The intent appears financially motivated or opportunistic, with capability assessed at the lower end of the spectrum.

Why Azure CLI Is a High-Value Target

The targeting choice matters far more than raw volume. Azure CLI is a developer and administrator surface — not a standard user mailbox. Successful authentication against `az login` typically yields access to service principals, subscription-level roles, and automation credentials. That shifts the potential blast radius considerably: from isolated data theft to full cloud-tenant takeover, resource hijacking for cryptomining, or lateral movement into CI/CD pipelines.

Password spray against Microsoft Entra ID — formerly Azure Active Directory — is not new tradecraft. Overlapping techniques have appeared in campaigns previously tracked as Midnight Blizzard by Microsoft's own threat intelligence team, and attributed to APT29 (also known as Cozy Bear) by other vendors. Nothing in the current dataset suggests state involvement here, but the technique has a proven pedigree across the skill spectrum.

"Password spray only works where a second factor doesn't," as security researchers summarize the fundamental arithmetic. The Verizon 2024 Data Breach Investigations Report found that credentials remain the most common attack vector, involved in over 77% of web application breaches — a figure that makes campaigns like this one statistically predictable.

The Conditional Access Gap

Microsoft began a mandatory MFA rollout for Azure sign-ins in late 2024, phasing in requirements across tenant types. Tenants that opted for extensions or carved out exemptions are the most probable victim pool in this incident. That gap is telling.

Many organizations configure Conditional Access policies carefully for browser-based authentication — the login flow employees see every day — then inadvertently leave programmatic authentication paths like CLI and API calls outside the policy scope entirely. The result: an identity that appears fully protected in a compliance dashboard can still be sprayed successfully through a developer tool.

This is precisely the kind of control blind spot that structured security-awareness training addresses, not just for end users clicking phishing links, but for DevOps teams and cloud administrators who make configuration decisions that silently widen the attack surface. When engineers understand *why* CLI auth needs the same MFA treatment as a browser session, policy drift becomes less likely. Train2Secure's training catalog maps these controls directly to NIST SP 800-53 and ISO 27001 requirements.

Which Controls Failed

Three overlapping failures enabled this campaign's success.

First, MFA was absent or unenforced on targeted identities. Password spray is a brute-force technique that is entirely defeated by a second authentication factor. Accounts without MFA are structurally exposed regardless of password complexity.

Second, Conditional Access policies did not cover CLI authentication. Browser-session-scoped policies leave programmatic access paths as an open lane. Azure CLI sign-ins must be treated as their own risk surface — not an afterthought carved out for developer convenience.

Third, IPv6 traffic went unmonitored or unblocked at the network edge. Most threat detection logic is tuned for IPv4. A single `/32` IPv6 allocation generating 81 million attempts over 14 days should have triggered volume-based anomaly alerts long before 78 accounts were breached. If sign-in logs in Entra ID are not filtered to surface high-volume failures from IPv6 sources, that visibility gap needs closing today.
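The volume check described above can be run as a script over exported sign-in records. The following Python example is added here and is not code from the article or from Huntress; the sample records are constructed, the field names follow the Microsoft Graph `signIn` resource (`appDisplayName`, `userPrincipalName`, `ipAddress`, `status.errorCode`), and the `2001:db8::/32` baseline and the `fail_threshold` value are assumptions you would replace with your own tenant's history. It collapses every IPv6 source to its `/32` allocation, counts failed `az login` attempts per allocation, flags allocations that are either on the campaign watchlist or off-baseline above the threshold, and lists any successful sign-ins from a flagged block, which are the accounts to investigate first.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample sign-in records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource; errorCode 0 = success, 50126 = bad credentials.
SAMPLE_SIGNINS = [
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "alice@example.com",
     "ipAddress": "2a0a:d683:1::10", "status": {"errorCode": 50126}},
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "bob@example.com",
     "ipAddress": "2a0a:d683:1::11", "status": {"errorCode": 50126}},
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "carol@example.com",
     "ipAddress": "2a0a:d683:2::5", "status": {"errorCode": 50126}},
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "alice@example.com",
     "ipAddress": "2a0a:d683:2::6", "status": {"errorCode": 50126}},
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "bob@example.com",
     "ipAddress": "2a0a:d683:3::7", "status": {"errorCode": 0}},   # successful login
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "dave@example.com",
     "ipAddress": "2001:db8:0:1::9", "status": {"errorCode": 50126}},  # baseline source
    {"appDisplayName": "Browser", "userPrincipalName": "alice@example.com",
     "ipAddress": "2a0a:d683:1::10", "status": {"errorCode": 50126}},  # not CLI, ignored
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "erin@example.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}},     # IPv4, ignored here
    {"appDisplayName": "Microsoft Azure CLI", "userPrincipalName": "frank@example.com",
     "ipAddress": "2a0b:1234::1", "status": {"errorCode": 50126}},    # off-baseline, low volume
]

# Assumed tenant baseline: IPv6 prefixes seen in normal successful sign-ins.
BASELINE = [ipaddress.ip_network("2001:db8::/32")]
# Watchlist: the allocation reported for this campaign.
WATCHLIST = [ipaddress.ip_network("2a0a:d683::/32")]


def is_cli_signin(rec):
    """True when the application column identifies Azure CLI."""
    return "azure cli" in rec.get("appDisplayName", "").lower()


def source_block(ip_str, prefix_len=32):
    """Collapse an IPv6 address to its /prefix_len allocation; None for IPv4."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 6:
        return None
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def in_any(block, networks):
    return any(block.subnet_of(n) for n in networks)


def analyze(records, baseline=BASELINE, watchlist=WATCHLIST, fail_threshold=3):
    """Return flagged IPv6 /32 blocks with failure counts and any successes from them."""
    failures, failed_accounts, successes = Counter(), defaultdict(set), defaultdict(list)
    for rec in records:
        if not is_cli_signin(rec):
            continue
        block = source_block(rec["ipAddress"])
        if block is None:
            continue
        if rec["status"]["errorCode"] == 0:
            successes[block].append(rec["userPrincipalName"])
        else:
            failures[block] += 1
            failed_accounts[block].add(rec["userPrincipalName"])

    flagged = {}
    for block in set(failures) | set(successes):
        count = failures[block]
        watched = in_any(block, watchlist)
        off_baseline = not in_any(block, baseline)
        if watched or (off_baseline and count >= fail_threshold):
            flagged[str(block)] = {
                "failed_attempts": count,
                "distinct_accounts": len(failed_accounts[block]),
                "reason": "watchlist" if watched else "off-baseline volume",
                "successful_signins": successes.get(block, []),
            }
    return flagged


if __name__ == "__main__":
    for block, info in analyze(SAMPLE_SIGNINS).items():
        print(block, info)
```

Sizing `fail_threshold` to your own baseline is the important design choice: the point of aggregating by `/32` rather than by address is that a spray rotates hosts inside one allocation, so per-address thresholds stay quiet while the block as a whole is loud.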

What Defenders Should Do Right Now

  • Pull Entra ID sign-in logs filtered for `Azure CLI` as the client application, then cross-reference failed authentication events from IPv6 addresses not present in your normal traffic baseline.
  • Audit every Conditional Access policy and confirm it explicitly covers CLI and API authentication, not browser sessions alone.
  • Enforce MFA on every identity — user or service principal — authorized to run `az` commands. No exceptions for automation accounts without a compensating control.
  • Disable legacy authentication protocols on the tenant if any remain enabled. Legacy auth bypasses modern CA policy entirely.
  • Treat blocking the LSHIY `2a0a:d683::/32` range as a temporary measure. The operator can pivot ASNs in hours. Durable defense lives in identity controls, not IP blocklists.
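The Conditional Access, MFA and legacy-authentication items above can be checked mechanically against the policy objects that `GET /identity/conditionalAccess/policies` returns from Microsoft Graph. The Python audit below is an added example, not code from the article or from Microsoft; the two policy sets are constructed (the group ID is a placeholder), and it assumes the Graph schema fields `state`, `conditions.clientAppTypes`, `conditions.users` and `grantControls.builtInControls`, with Azure CLI falling under the `mobileAppsAndDesktopClients` client app type because it is a desktop public client rather than a browser. The weak set is a browser-scoped MFA policy with an automation-group exclusion and a legacy-auth block left in report-only mode; the corrected set requires MFA for all client app types with no exclusions and enforces the legacy block.

```python
# Azure CLI is a desktop public client, so it is evaluated under this client app type.
CLI_CLIENT_TYPE = "mobileAppsAndDesktopClients"
# Client app types that represent legacy authentication protocols.
LEGACY_TYPES = {"exchangeActiveSync", "other"}

# Constructed policy objects in the Graph conditionalAccessPolicy shape.
WEAK_POLICIES = [
    {
        "displayName": "Require MFA - browser sign-ins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": ["GROUP-ID-PLACEHOLDER-automation-accounts"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser"],            # CLI sessions fall outside this
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only, so it blocks nothing
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

FIXED_POLICIES = [
    {
        "displayName": "Require MFA - all client apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],                # browser, desktop/CLI and legacy alike
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def covers_client_type(policy, client_type):
    types = policy["conditions"].get("clientAppTypes", [])
    return "all" in types or client_type in types


def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def audit(policies):
    """Return a list of findings; an empty list means the checks all pass."""
    findings, cli_mfa, legacy_blocked = [], False, False
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        if p.get("state") != "enabled":
            findings.append(f"{name}: not enforced (state={p.get('state')})")
            continue
        if "mfa" in controls(p):
            if covers_client_type(p, CLI_CLIENT_TYPE):
                cli_mfa = True
            else:
                findings.append(f"{name}: MFA scoped to {cond.get('clientAppTypes')}; "
                                f"Azure CLI sign-ins are outside this policy")
            excluded = cond["users"].get("excludeUsers", []) + cond["users"].get("excludeGroups", [])
            if excluded:
                findings.append(f"{name}: {len(excluded)} exclusion(s) leave identities "
                                f"without MFA; each needs a compensating control")
        if "block" in controls(p) and LEGACY_TYPES <= set(cond.get("clientAppTypes", [])):
            legacy_blocked = True
    if not cli_mfa:
        findings.append("No enabled policy requires MFA for Azure CLI (mobileAppsAndDesktopClients)")
    if not legacy_blocked:
        findings.append("No enabled policy blocks legacy authentication clients")
    return findings


if __name__ == "__main__":
    for label, policies in (("weak", WEAK_POLICIES), ("fixed", FIXED_POLICIES)):
        print(label, audit(policies) or ["no findings"])
```

Run it against the live tenant by replacing the constructed lists with the `value` array from the Graph response; a policy that looks complete in the portal but sits in report-only state or carries a group exclusion shows up here as the same kind of gap the article describes.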

Organizations that want a structured framework for auditing cloud identity posture can review Train2Secure's compliance mapping resources for guidance aligned to NIST and CIS benchmarks.

Attribution and Outlook

Huntress continues publishing indicators as the campaign evolves. The source IPv6 space is expected to shift once the current allocation becomes widely blocklisted by enterprise security vendors. Organizations should not treat a quiet sign-in log as confirmation the threat has passed — reassess after any infrastructure pivot.

The broader pattern here is worth internalizing. Eighty-one million attempts over 14 days averages roughly 240,000 attempts per hour. That volume is achievable with commodity tooling and a modest infrastructure budget. The barrier to running a campaign of this scale is low. The barrier to stopping it — enforcing MFA universally and closing programmatic auth gaps — is lower still. Most organizations just haven't done it yet.

For teams evaluating their current training and policy maturity, Train2Secure's pricing page outlines program options scaled to organization size.

How MFA enforcement and policy training could have prevented this

  • Audit all Conditional Access policies to confirm they explicitly cover CLI and API authentication paths, not browser sessions alone.
  • Enforce MFA on every identity authorized to access Azure resources programmatically — including service principals and automation accounts.
  • Train cloud administrators and DevOps engineers to recognize when configuration decisions create authentication blind spots that bypass existing controls.

Train2Secure delivers role-specific security awareness programs that help technical teams understand and close the exact policy gaps attackers count on.


Frequently asked questions

What is a password spray attack and why is Azure CLI targeted?

A password spray attack tries a small set of common passwords against a large number of accounts, avoiding lockout thresholds. Azure CLI is targeted because successful authentication grants access to service principals and subscription-level roles — far more valuable than a single user mailbox.

Does blocking the LSHIY IPv6 range stop this threat?

Only temporarily. The operator can shift to a different ASN within hours. Blocking the `2a0a:d683::/32` CIDR is a useful short-term measure, but the only durable defense is enforcing MFA on every identity that can authenticate via `az login` and extending Conditional Access policies to cover CLI sessions.

Why did Conditional Access policies fail to prevent these breaches?

Many tenants scope their Conditional Access policies to browser-based sign-ins and exclude programmatic authentication paths like Azure CLI. Accounts that appear protected in a compliance dashboard can still be sprayed successfully through developer tools if CLI auth is not explicitly included in policy scope.

How do I check whether my tenant was affected?

Open Microsoft Entra ID sign-in logs and filter for 'Azure CLI' as the client application. Look for high-volume failed authentication events originating from IPv6 addresses — particularly the `2a0a:d683::/32` range — between June 12 and June 26, 2025. Any successful sign-ins from that range warrant immediate investigation.
