Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs
ID: 39c75388-8686-5830-8bfb-eacc435382b3
STIX ID: report--39c75388-8686-5830-8bfb-eacc435382b3
Feed Name: Security Affairs
Huntress observed a massive automated password-spray campaign (termed LSHIY) since June 12, 2026 that made ~81 million login attempts against Microsoft Azure CLI/OAuth ROPC endpoints, compromising 78 accounts across 64 organizations. Traffic originates from IPv6 range 2a0a:d683::/32 (LSHIY, AS32167/AS955); attackers replayed breached credentials against the ROPC flow which does not trigger modern MFA, allowing bypasses where Conditional Access Policies were partial or misconfigured. Recommended mitigations include blocking ROPC (enable userStrongAuthClientAuthNRequired), enforce Conditional Access across all users/apps/client types, restrict Azure CLI for non-admins, and prioritize detection by credential validity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
