Cybersecurity researchers have uncovered a massive automated password spray attack targeting Microsoft's Azure command-line interface (CLI). According to a report from Huntress, the campaign has compromised at least 78 Microsoft accounts, part of a broader effort involving over 81 million authentication attempts.

The attack originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). Huntress characterized the activity as a 'massive, ongoing, automated password spray attack,' indicating a sustained and methodical threat rather than a brief intrusion.

Password spray attacks differ from brute-force methods: instead of trying many passwords against a single account, attackers attempt a few common passwords across thousands of accounts. This approach reduces detection risk while still compromising weak credentials. The Azure CLI, a cross-platform tool for managing Microsoft cloud resources, presents a high-value target for such tactics.

The attack window spans from June 12 to June 26, according to Huntress. Compromised accounts could give adversaries access to cloud resources, data, and downstream systems. Organizations using Azure CLI without multi-factor authentication are particularly vulnerable.

Microsoft has not yet issued a public statement on the campaign. Huntress recommends that organizations enforce multi-factor authentication, monitor for unusual sign-in activity, and audit Azure CLI usage logs for signs of compromise. No attribution to a specific threat group has been made, and the full scope of impacted customers remains under investigation.
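
A triage sketch for the sign-in log audit recommended above, added here as an example and not taken from the Huntress report or from Microsoft: it keeps Azure CLI sign-ins from the reported IPv6 range, checks for the few-attempts-across-many-accounts shape of a spray, and lists accounts with a successful sign-in. The record fields (`user`, `ip`, `app`, `success`), the thresholds and the sample records are constructed assumptions to map onto your own sign-in log export.

```python
import ipaddress
from collections import defaultdict

# Source range named in the Huntress report for this campaign.
SPRAY_NET = ipaddress.ip_network("2a0a:d683::/32")

def in_spray_range(ip):
    """True if ip parses as an address inside the reported range."""
    try:
        return ipaddress.ip_address(ip) in SPRAY_NET
    except ValueError:  # malformed or empty address field
        return False

def triage(records, min_accounts=3, max_per_account=5):
    """Summarise Azure CLI sign-ins from the reported range.

    Thresholds are illustrative assumptions, not values from the report.
    """
    attempts = defaultdict(int)
    successes = set()
    for r in records:
        if "azure cli" not in r["app"].lower() or not in_spray_range(r["ip"]):
            continue
        user = r["user"].lower()
        attempts[user] += 1
        if r["success"]:
            successes.add(user)
    # Spray shape: many distinct accounts, few attempts against each.
    spray_like = (len(attempts) >= min_accounts
                  and max(attempts.values()) <= max_per_account)
    return {"accounts_targeted": len(attempts),
            "spray_like": spray_like,
            "compromised": sorted(successes)}

# Constructed sample records (hypothetical schema, not real log data).
SAMPLE = [
    {"user": "alice@example.com", "ip": "2a0a:d683:1::10", "app": "Azure CLI", "success": False},
    {"user": "bob@example.com", "ip": "2a0a:d683:1::11", "app": "Azure CLI", "success": False},
    {"user": "carol@example.com", "ip": "2a0a:d683:2::5", "app": "Azure CLI", "success": True},
    {"user": "dave@example.com", "ip": "2001:db8::1", "app": "Azure CLI", "success": True},
    {"user": "erin@example.com", "ip": "203.0.113.5", "app": "Azure CLI", "success": False},
    {"user": "alice@example.com", "ip": "2a0a:d683:ffff::1", "app": "Office 365", "success": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any account listed under `compromised` warrants a credential reset and session revocation before further review of what it accessed.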