
This Cybersecurity Threat Advisory covers a large-scale password and token spray campaign targeting Microsoft Azure CLI authentication flows. Researchers linked the campaign to activity originating from the IPv6 range 2a0a:d683::/32. The range is associated with LSHIY LLC / AS32167. Researchers also observed more than 81 million login attempts between June 12 and June 26, 2026.
What is the threat?
This large-scale Microsoft cloud identity attack targeted Microsoft 365 and Entra ID accounts using a combination of password spraying, credential stuffing, and token-based authentication abuse. Rather than repeatedly attacking a single account, attackers tested a small set of likely valid credentials across many accounts and organizations, helping them evade account lockout controls while identifying weak, reused, or previously compromised passwords.
A key aspect of the campaign was the abuse of legitimate Microsoft authentication mechanisms, including Azure CLI and OAuth authentication flows. By leveraging these trusted tools, attackers could obtain access tokens without triggering all traditional security controls, particularly in environments where MFA or Conditional Access policies were not consistently enforced.
Once access tokens were obtained, attackers could access cloud resources such as Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft services. Because the activity relied on valid credentials and authenticated sessions, it often appeared legitimate, making detection more challenging and increasing the risk of data theft, business email compromise (BEC), phishing, and further compromise of the environment.
Why is it noteworthy?
This campaign is a reminder that MFA alone is not always enough. While many affected organizations had MFA enabled, attackers were able to exploit authentication paths that were not fully protected by Conditional Access policies. As a result, gaps can remain even when organizations believe they have comprehensive identity security in place.
The scale of the activity was significant, with researchers observing more than 81 million login attempts over a two-week period. Rather than relying on malware or endpoint compromise, the attackers leveraged stolen credentials, token-based authentication flows, and policy weaknesses to gain access.
For security teams, this presents a growing challenge. Identity attacks against Microsoft 365 and Entra ID environments continue to increase in scale and sophistication, and because attackers use valid credentials and legitimate applications, malicious activity can often appear indistinguishable from normal user authentication.
What is the exposure or risk?
Organizations that use Microsoft 365, Entra ID, Azure CLI, or Azure-integrated workflows face increased risk. The risk increases when weak passwords, reused credentials, incomplete MFA enforcement, permissive Conditional Access policies, or unblocked ROPC authentication are present.
Successful compromise can allow attackers to:
- Obtain valid access tokens
- Access email and cloud data
- Enumerate users and resources
- Conduct business email compromise (BEC)
- Establish persistence
- Abuse cloud applications
- Move laterally into other SaaS or Azure resources
Because attackers use valid credentials and tokens, their activity may bypass traditional endpoint controls. In many cases, detection requires visibility into identity, sign-in, and audit logs.
What are the recommendations?
Barracuda strongly recommends organizations take the following steps to reduce risk and strengthen identity security.
Enforce MFA broadly and consistently
- Require MFA for all users, not only administrators.
- Apply MFA policies to all cloud applications.
- Include legacy and non-interactive authentication paths.
Block or restrict ROPC and legacy authentication
- Disable legacy authentication where possible.
- Block OAuth ROPC flows that do not support interactive MFA.
Restrict Azure CLI usage
- Limit Azure CLI access to users with a business requirement.
- Restrict Azure CLI for non-admin users where feasible.
- Monitor Azure CLI sign-ins from users who do not typically use developer or administrative tools.
Review Conditional Access coverage
- Identify gaps where MFA applies only to specific applications, locations, or user groups.
- Avoid relying solely on trusted locations.
- Ensure policies are actively enforced and not running in report-only mode.
Hunt for indicators of compromise
- Review Entra ID sign-in logs for Azure CLI activity.
- Look for successful sign-ins after large volumes of failed attempts.
- Investigate non-interactive sign-ins and token issuance events.
- Monitor for traffic associated with 2a0a:d683::/32, AS32167, and related LSHIY infrastructure.
- Review sign-ins from unusual geolocations, new IPv6 addresses, or impossible-travel events.
Reset exposed credentials
- Force password resets for accounts showing suspicious activity.
- Prioritize users whose credentials may appear in breach datasets.
- Revoke active sessions and refresh tokens for suspected compromised accounts.
Improve password and identity hygiene
- Enforce strong password policies and banned password lists.
- Monitor for reused or breached credentials.
- Encourage phishing-resistant MFA methods such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication.
Prioritize confirmed compromise indicators
- High spray volume alone does not always indicate compromise.
- Prioritize accounts with successful authentication events, token issuance, suspicious session activity, or unusual Azure CLI usage.
References
For more in-depth information about the recommendations, please visit the following links:
- https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html
- https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

