Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs



Pierluigi Paganini
July 01, 2026

Huntress researchers have been tracking a massive automated password spray campaign against Microsoft Azure CLI environments since June 12, 2026.

A password spray attack is when attackers try a small number of common passwords across many accounts instead of many passwords on one account. This helps avoid lockouts while exploiting weak or reused passwords. It is often used in large-scale account takeover attempts.

In fourteen days, the attackers made over 81 million login attempts against Huntress customer accounts and successfully broke into 78 Microsoft accounts across 64 organizations. Last week the pace accelerated sharply: on June 22 alone, 30 user accounts across 23 businesses were compromised in a single day.

The traffic originates almost entirely from the IPv6 range 2a0a:d683::/32, controlled by LSHIY LLC, an internet infrastructure provider registered to AS32167.

“LSHIY operates two distinct ASNs: in addition to AS32167 (which was registered June 14, 2021), it also operates AS955 (registered June 22, 2022). Third parties report that the IPv6 ranges associated with both of these autonomous systems originate in China. Upon further investigation into this IPv6 range of interest, Huntress found specific IPv6 addresses in that range that were recent, including one from a maintainer created on June 11, 2026.” reads the report published by Huntress.

LSHIY lists business addresses at two factory buildings in Hong Kong and Wuhan, and one at a shared office rental space in New York. Huntress reported the activity through the company’s abuse channel, but it received no reply.

The attacker’s method is straightforward and effective. They replay old username and password combinations from breach data against the OAuth ROPC flow, the Resource Owner Password Credentials grant type, which sends credentials directly to the /token endpoint with no interactive MFA prompt.

“In the campaign, threat actors replayed validated credentials via the OAuth ROPC (Resource Owner Password Credentials) flow. ROPC is an OAuth 2.0 grant type that has been deprecated in OAuth 2.1. This auth flow takes a username/password at the /token endpoint for a tenant and mints a new user-delegated token once provided with the correct credentials.” continues the report. “This matters because many of the compromised businesses had implemented multi-factor authentication (MFA) via a Conditional Access Policy (CAP), but the MFA was not configured to cover this specific flow that attackers used.”

No MFA challenge fires because ROPC doesn’t support modern authentication flows, making it an effective bypass for organizations that haven’t specifically blocked it.

Here’s the part that should make every Microsoft 365 admin uncomfortable. Of the 23 businesses hit on June 22, 15 had MFA enforced via Conditional Access Policy. It didn’t help them.

“When analyzing the June 22 spike in attacks that impacted 23 businesses, we found that 15 of those companies had MFA implemented and enforced via CAP.” states the report. “However, while these organizations thought they were protected by MFA, the MFA did not fire for various reasons during this campaign.”

Some had MFA scoped to specific apps like Microsoft Admin Portals rather than all cloud apps. Others enforced MFA only for admin accounts, not regular users. Several triggered MFA only from untrusted locations, and the attacker’s IP addresses, inconsistently geolocated between China and Nebraska depending on the tool, slipped through the trusted location check. Two organizations had MFA in report-only mode, meaning it was set up but never enforced. Eight impacted businesses had no MFA policy at all.
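The gaps listed above can be checked mechanically against exported policies. The following is an added example, not code from Huntress or the original article: it audits single policies in the shape of a Microsoft Graph `conditionalAccessPolicy` object for each gap the article names. The policy names and the `policy()` builder are constructed for illustration, and a real tenant's coverage is the union of all its policies.

```python
def mfa_gaps(policy):
    """List the coverage gaps in one Conditional Access policy meant to require MFA."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    locs = cond.get("locations") or {}
    grant = policy.get("grantControls") or {}
    gaps = []
    if policy.get("state") != "enabled":  # report-only or disabled
        gaps.append("not enforced (state=%s)" % policy.get("state"))
    if "mfa" not in grant.get("builtInControls", []):
        gaps.append("does not require MFA")
    if "All" not in users.get("includeUsers", []):
        gaps.append("not all users")
    if "All" not in apps.get("includeApplications", []):
        gaps.append("not all cloud apps")
    if "all" not in cond.get("clientAppTypes", []):
        gaps.append("not all client app types")
    if locs.get("excludeLocations"):
        gaps.append("locations excluded: " + ", ".join(locs["excludeLocations"]))
    return gaps

def policy(name, state="enabled", users=("All",), apps=("All",),
           clients=("all",), exclude_locs=()):
    """Build a constructed policy shaped like a Graph conditionalAccessPolicy export."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": list(users)},
            "applications": {"includeApplications": list(apps)},
            "clientAppTypes": list(clients),
            "locations": {"excludeLocations": list(exclude_locs)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

# Constructed policies: one per gap described in the article, plus full coverage.
POLICIES = [
    policy("MFA admin portals only", apps=("MicrosoftAdminPortals",)),
    policy("MFA admins only", users=()),  # a real export would scope by includeRoles
    policy("MFA outside trusted locations", exclude_locs=("AllTrusted",)),
    policy("MFA report-only", state="enabledForReportingButNotEnforced"),
    policy("MFA everyone"),
]

def audit(policies):
    """Map each policy name to the list of gaps found in it."""
    return {p["displayName"]: mfa_gaps(p) for p in policies}

if __name__ == "__main__":
    for name, gaps in audit(POLICIES).items():
        print(name, "->", gaps or "no gaps found")
```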

The volume of this type of attack is not new but it’s growing fast. In the past six months, Huntress has seen credential spray attacks increase by over 155 times across its customer base, with a current mean of roughly 1,964 failed attempts per month per protected tenant. The targeting appears purely opportunistic, driven by which credentials appear most frequently in compromised password lists rather than by business sector or size.

The fix is not complicated but requires precision. Conditional Access Policies need to cover all users, all cloud apps, and all client app types without exceptions; partial coverage is what this campaign exploits. Enabling the userStrongAuthClientAuthNRequired setting enforces strong authentication at the client level and blocks ROPC flows outright. Restricting Azure CLI access for non-admin users removes another attack surface. And on the detection side, Huntress notes that triggering response based on spray volume alone points defenders at the most-sprayed and least-compromised tenants; prioritizing by credential validity is more effective.

“One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don’t go through the authorization endpoint where policies are enforced. However, some of the other issues outlined above – such as misconfigured trusted locations or user groups – can also lead to gaps.” concludes the report.
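The detection point above, prioritizing by credential validity instead of spray volume, can be shown on sign-in records. This is an added example, not code from Huntress or the original article: the record keys are a simplified stand-in for sign-in log fields, the sample events are constructed, and the set of result codes treated as "password accepted" is an assumption of this sketch.

```python
import ipaddress
from collections import defaultdict

SPRAY_NET = ipaddress.ip_network("2a0a:d683::/32")  # source range named in the article
# Entra ID result codes: 0 = success, 50126 = wrong username or password.
# 50076 (MFA required) and 53003 (blocked by Conditional Access) are returned
# only after the password was accepted, so they still mean a valid credential.
VALID_CRED_CODES = {0, 50076, 53003}

def ev(tenant, user, ip, code, protocol="ropc"):
    """Constructed sign-in record; keys are a simplified stand-in for log fields."""
    return {"tenant": tenant, "user": user, "ip": ip, "code": code, "protocol": protocol}

# Constructed sample data: one heavily sprayed tenant, two lightly sprayed ones.
EVENTS = [ev("contoso", f"u{i}@contoso.example", "2a0a:d683:1::10", 50126)
          for i in range(40)] + [
    ev("fabrikam", "amy@fabrikam.example", "2a0a:d683:2::7", 50126),
    ev("fabrikam", "bob@fabrikam.example", "2a0a:d683:2::7", 0),
    ev("northwind", "cat@northwind.example", "2a0a:d683:3::9", 50076),
    ev("northwind", "dan@northwind.example", "203.0.113.5", 0),  # outside the range
]

def triage(events, net=SPRAY_NET):
    """Rank tenants by compromised and valid credentials first, spray volume last."""
    stats = defaultdict(lambda: {"attempts": 0, "valid": set(), "compromised": set()})
    for e in events:
        if e["protocol"] != "ropc" or ipaddress.ip_address(e["ip"]) not in net:
            continue
        s = stats[e["tenant"]]
        s["attempts"] += 1
        if e["code"] in VALID_CRED_CODES:
            s["valid"].add(e["user"])
        if e["code"] == 0:
            s["compromised"].add(e["user"])
    rows = [(t, s["attempts"], sorted(s["valid"]), sorted(s["compromised"]))
            for t, s in stats.items()]
    return sorted(rows, key=lambda r: (-len(r[3]), -len(r[2]), -r[1]))

if __name__ == "__main__":
    for tenant, attempts, valid, compromised in triage(EVENTS):
        print(f"{tenant}: attempts={attempts} valid={valid} compromised={compromised}")
```

The most-sprayed tenant lands last because none of its attempts hit a valid password, while the tenant with a single MFA-required result still outranks it: that account's password is known to the attacker and needs a reset.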


(SecurityAffairs – hacking, password spray campaign)






