Azure CLI Under Sustained IPv6 Password Spray; 78 Tenants Breached
Automated spray campaign from a single ASN burned through 81 million auth attempts in two weeks, hitting az login endpoints from an unusual IPv6 range.

A password spray campaign targeting Microsoft's Azure command-line interface has compromised at least 78 accounts across an estimated 81 million-plus authentication attempts, according to telemetry from Huntress.
The activity ran between June 12 and June 26. Traffic sourced from a single IPv6 range — 2a0a:d683::/32 — attributed to internet infrastructure provider LSHIY LLC, operating as AS32167.
That sourcing is unusual, and worth pausing on.
Most commodity spray operations rotate through residential proxy networks or bulletproof hosting fronts to blend into normal auth noise. Concentrating 81 million attempts inside a single /32 IPv6 allocation is either operationally sloppy or a deliberate bet that defenders aren't blocking on IPv6 CIDRs. Huntress hasn't tied the traffic to a named cluster, and there's no public attribution to a tracked actor at time of writing. Treat this as unattributed criminal activity at low-to-medium confidence pending overlapping infrastructure or tooling data from other vendors.
The targeting choice matters more than the volume. Azure CLI (az login) is a developer and administrator surface. Successful auth against it typically means access to service principals, subscription-level roles, or automation credentials — not just a mailbox. That shifts the blast radius from data theft to cloud tenant takeover, resource hijacking for cryptomining, or lateral movement into CI/CD.
Password spray against Entra ID (formerly Azure AD) is not new tradecraft. Overlapping TTPs have shown up in campaigns previously tracked as Midnight Blizzard by Microsoft and APT29 / Cozy Bear by other vendors, though nothing in the current dataset suggests state involvement. Capability here is low. Intent looks financially motivated or opportunistic.
What defenders should check now:
- Sign-in logs in Entra ID filtered for
Azure CLIas the client app, with failed auth from IPv6 sources you don't recognize. - Conditional Access policies that actually cover CLI logins. Many tenants scope CA to browser sessions and leave programmatic auth exposed.
- Any service principal or user account without MFA enforcement. Password spray only works where a second factor doesn't.
- Legacy authentication protocols still enabled on the tenant.
Microsoft has been progressively tightening defaults, including the mandatory MFA rollout for Azure sign-ins that began phasing in during late 2024. Tenants that opted for extensions or carve-outs are the likely victim pool here.
Blocking the LSHIY range at the network edge is a stopgap. The operator can pivot ASNs in hours. The durable fix is MFA on every identity that can touch az, followed by Conditional Access that treats CLI auth as its own risk surface rather than an afterthought.
Huntress is continuing to publish indicators. Expect the source IPv6 space to shift once the current allocation gets widely blocklisted.



