Huntress Documents 81M+ Azure CLI Password-Spray Attempts Against 78 Microsoft Accounts

A scale-significant Azure CLI credential-attack campaign — defender teams stay in account-hardening posture this week.

Share

Key Takeaways

  • Security firm Huntress on July 1, 2026 published research documenting a large-scale automated password-spray campaign directed at Microsoft's Azure command-line interface (CLI), reporting at least 78 accounts affected across more than 81 million login attempts observed between June 12 and June 26, 2026.
  • Huntress said the activity originated from the IPv6 range 2a0a:d683::/32, which it attributes to internet infrastructure provider LSHIY LLC (AS32167); the disclosure is defender-framed, centered on the observed indicators and on account-hardening guidance rather than on any novel technique.
  • The research leaves several questions open: no named threat actor or cluster is confirmed, Huntress did not indicate that Microsoft issued a formal advisory, affected customer sectors were not characterized, and there is no confirmation that Microsoft coordinated with LSHIY LLC.

A scale-significant Azure CLI credential-attack campaign — the numbers, the indicators, and the account-hardening moves that matter this week.

ELLICOTT CITY, MARYLAND — Security firm Huntress on July 1, 2026 published research documenting a large-scale automated password-spray campaign aimed at Microsoft's Azure command-line interface (CLI), reporting that at least 78 accounts were affected across more than 81 million login attempts observed between June 12 and June 26, 2026. The disclosure is defender-oriented: Huntress framed its writeup around the volume of the activity, the network indicators tied to it, and the account-hardening and detection steps defenders can take now, rather than around any newly discovered flaw in Microsoft's platform.

The campaign is notable less for novelty than for scale. According to Huntress, the traffic originated from the IPv6 range 2a0a:d683::/32, which the firm attributes to internet infrastructure provider LSHIY LLC (AS32167). The scale — 81 million-plus attempts over a roughly two-week window against Microsoft-account and Azure-tied identities — places the activity among the more consequential credential-pressure events of the period, and it lands as a reminder that identity remains the front line. It arrives alongside other identity-centric coverage this year, including the Tycoon2FA OAuth device-code variant that turns Microsoft's own login page against M365 tenants.

At a Glance
FieldDetails
SourceHuntress research disclosure, published July 1, 2026
WhatLarge-scale automated password-spray campaign targeting Microsoft's Azure CLI
Accounts affectedAt least 78
Login attemptsMore than 81 million
Observation windowJune 12 to June 26, 2026
Origin (network)IPv6 range 2a0a:d683::/32
Infrastructure providerLSHIY LLC (AS32167)
Threat actorNot attributed
FramingDefender-focused: indicators plus account-hardening guidance

What Huntress Documented

In its research writeup, Huntress described a sustained, high-volume password-spray campaign directed at Microsoft's Azure command-line interface. The firm reported at least 78 affected accounts and more than 81 million login attempts observed across a window running from June 12 to June 26, 2026. Those two figures — 78 accounts and 81 million-plus attempts — are the anchor numbers of the disclosure, and Huntress presented them as observed telemetry from its own visibility rather than as an estimate of the campaign's total reach.

The activity, as Huntress documented it, originated from the IPv6 range 2a0a:d683::/32. The firm attributed control of that range to internet infrastructure provider LSHIY LLC, operating under autonomous system number AS32167. Consolidating the traffic to a single, clearly notated IPv6 block is significant for defenders because it converts a diffuse-looking flood of failed logins into a concrete, blockable indicator — the kind of network artifact that can be fed directly into detection rules and conditional-access decisions.

Consistent with a defender-first disclosure, Huntress centered its writeup on what security teams can observe and act on: the scale of the attempts, the network origin, and the hardening posture that reduces exposure. The research did not present the campaign as evidence of a new vulnerability in Microsoft's platform, and The CyberSignal is not reconstructing how the spray was executed. The reader takeaway Huntress emphasized is operational — treat this as a period of elevated credential pressure on Azure- and Microsoft-account identities, and verify that account defenses are configured to withstand it.

Defender Posture for Azure and Microsoft-Account Customers

For organizations that rely on Azure and Microsoft accounts, the practical response to a campaign of this scale is account hardening, not alarm. The single most durable control against password spraying is phishing-resistant multi-factor authentication applied broadly and enforced without exception. Spray campaigns succeed by trying common or previously exposed passwords across many identities at high volume; strong, universally enforced MFA breaks that model by ensuring a correct password alone is never sufficient to complete a sign-in.

Beyond MFA, the hardening checklist for this moment is familiar and worth re-running end to end: confirm that conditional-access policies apply to the identities and sign-in paths that matter, prioritize administrative and other high-value accounts for the strongest protections, and review any legacy or non-interactive authentication paths that may not receive the same scrutiny as interactive browser logins. The recurring lesson across credential-attack coverage — from recovery-key phishing to device-code abuse — is that attackers gravitate to the authentication surface that is least consistently defended, a pattern also visible in the Signal recovery-key phishing wave that targeted online backups.

It is also worth situating this campaign in the broader shift in how attackers get in. Verizon's latest Data Breach Investigations Report found that vulnerability exploitation has narrowly overtaken credential theft as the leading initial-access vector — but credentials remain a close and enduring second, and mass password-spray activity like this is exactly why. The through-line for defenders is that identity hardening and patch discipline are complementary, not competing, priorities; the 2026 DBIR's finding on exploitation overtaking credential theft sharpens rather than softens the case for locking down accounts.

Detection-Engineering Review Per the Published Indicators

The concrete indicators in Huntress's research support a focused detection-engineering review. The clearest artifact is the network origin: the IPv6 range 2a0a:d683::/32, attributed to LSHIY LLC (AS32167). Detection and blocking teams can use that notation directly — as a candidate block-or-alert entry at the network edge and identity provider, and as a filter for hunting across historical sign-in logs to gauge whether a given tenant saw related traffic during the June 12 to June 26 window.

The second detectable signature is behavioral rather than address-based: the sheer volume. A campaign generating more than 81 million attempts against a defined set of accounts produces a distinctive pattern of high-rate authentication failures spread across many identities. Detection content keyed to that shape — anomalous spikes in failed sign-ins, especially concentrated from a single autonomous system or IPv6 prefix — will generalize beyond this specific campaign, because the behavior, not the source address, is what future spray operators reuse.

Preserving the exact indicators matters for this kind of review. The affected-account count (at least 78), the attempt volume (more than 81 million), the observation window (June 12 to June 26, 2026), and the IPv6 notation (2a0a:d683::/32) are the load-bearing facts a detection engineer needs to scope a hunt and tune alerting. Teams should treat the range as one indicator among several — useful now, but secondary over time to detections built around the underlying high-volume, low-success authentication pattern.

Scope and Impact

The reported scope is bounded by what Huntress could observe. The firm documented at least 78 affected accounts and more than 81 million login attempts across the June 12 to June 26 window — figures drawn from its own telemetry, and therefore a floor on the activity rather than a definitive measure of the campaign's full footprint across the internet. Huntress did not characterize the sectors or industries of the affected customers, so the disclosure does not support conclusions about targeting by vertical.

The impact framing in the research is proportionate to that scope. A password-spray campaign at this volume represents sustained credential pressure on Microsoft-account and Azure-tied identities, which is precisely why the practical response is account hardening rather than emergency remediation of a specific flaw. The disclosure does not describe confirmed downstream compromise beyond the affected-account figure Huntress reported, and it does not attribute a specific outcome — data theft, lateral movement, or otherwise — to the activity.

For defenders, the useful way to read the numbers is as a scale signal. Eighty-one million-plus attempts concentrated in a two-week window against a single authentication surface is a strong indicator of automated, opportunistic credential testing at industrial scale — the kind of background pressure that never fully recedes and that rewards organizations whose identity defenses are configured to absorb it without incident.

Response and Attribution

On attribution, the research is deliberately restrained. Huntress tied the traffic to the IPv6 range 2a0a:d683::/32 and to LSHIY LLC (AS32167) as the controlling infrastructure provider, but it did not name a threat actor or assign the campaign to a known cluster. Identifying the network origin is not the same as identifying the operator, and the disclosure stops short of the latter — an appropriately cautious posture given the evidence Huntress presented.

On response, the disclosure is a vendor research writeup rather than a coordinated advisory. Huntress did not indicate that Microsoft issued a formal advisory in connection with the campaign, and there is no confirmation that Microsoft coordinated with LSHIY LLC on the traffic. Those absences are not evidence that such steps did not occur; they are simply not established by the research, and defenders should treat the writeup as an independent-visibility disclosure whose value lies in its indicators and guidance.

That leaves a defined set of open questions. No named threat actor or cluster is confirmed; whether Microsoft issued a formal advisory is not established; the affected customer sectors are not characterized; and whether Microsoft coordinated with LSHIY LLC is not confirmed. Each of these could be clarified by follow-on reporting or a subsequent vendor statement, but at the time of Huntress's disclosure they remain unresolved — and none of them changes the immediate, defender-facing takeaway that account hardening is the response the evidence supports.


The CyberSignal Analysis

The reported facts above are Huntress's; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Scale Is the Story, and the Story Is Account Hardening

The figure that anchors this disclosure is not the 78 affected accounts but the 81 million-plus attempts behind them. That ratio is the whole point: a vanishingly small success rate against an enormous volume of tries is the defining signature of automated password spraying, and it tells defenders exactly which control matters. Our reading is that a campaign at this scale is best treated not as an event to respond to but as ambient pressure to be configured against in advance.

The practical implication is that the return on strong, universally enforced MFA is highest precisely against attacks like this one. Spraying is a bet that somewhere in a large identity estate a correct password will line up with an under-protected account. Phishing-resistant MFA applied without exception is the control that makes that bet unprofitable, which is why we read Huntress's guidance as pointing squarely at hardening rather than at any novel remediation.

Signal 02 — A Single IPv6 Prefix Is a Gift, but a Perishable One

Huntress's consolidation of the activity to the 2a0a:d683::/32 range attributed to LSHIY LLC (AS32167) is genuinely useful — a clean, blockable network indicator is far more actionable than a diffuse flood of failed logins. Our assessment is that defenders should absolutely use it: block or alert on the prefix, and hunt historical sign-in logs against it for the June 12 to June 26 window.

But we would caution against over-indexing on the address. Network origins are the most perishable class of indicator; an operator can shift prefixes or providers with far less effort than it takes to change the underlying behavior. The durable detection is the one keyed to the pattern — high-rate authentication failures across many identities from a concentrated source — because that is what the next campaign reuses even after this specific IPv6 block goes cold.

Signal 03 — Restraint on Attribution Is a Feature, Not a Gap

Huntress named a network range and an infrastructure provider but stopped short of naming a threat actor, and we read that restraint as a strength of the disclosure rather than an omission. Tying traffic to an IPv6 prefix and an autonomous system is an evidentiary claim the telemetry can support; assigning the campaign to a named cluster is a different and heavier claim that the presented evidence does not underwrite.

For defenders, the attribution gap is also operationally irrelevant. The account-hardening response the research supports is identical whether the operator is a known cluster or an anonymous one. Our view is that the open questions Huntress leaves — actor identity, any Microsoft advisory, affected sectors, and coordination with LSHIY LLC — are worth tracking as reporting develops, but none of them should delay the hardening work the indicators already justify.


Sources

TypeSource
PrimaryHuntress — No (Bad) CAP: Inside an Ongoing LSHIY Password Spray Attack
ReportingThe Hacker News — Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
RelatedThe CyberSignal — Tycoon2FA OAuth Device-Code Variant Against M365
RelatedThe CyberSignal — Signal Recovery-Key Phishing Wave Targets Online Backups
RelatedThe CyberSignal — Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft
RelatedThe CyberSignal — Germany Blames Russia for Signal Phishing Attacks on MPs