blindthoughts

Ongoing Azure CLI Password Spray Has Compromised 78+ Accounts — Act Now

What Happened

Security researchers at Huntress have documented a massive, automated password spray campaign targeting Microsoft Azure command-line interface (CLI) accounts. The operation has logged more than 81 million authentication attempts and has confirmed at least 78 compromised Microsoft accounts as of publication. All traffic originates from a single IPv6 address block — 2a0a:d683::/3 — indicating a coordinated, infrastructure-backed operation, not opportunistic scanning.

The campaign targets Azure CLI sign-in endpoints specifically, cycling through common or previously-breached credentials at machine speed across a wide target list.

Why It Matters

Azure CLI credentials are among the most dangerous account types to lose. Unlike browser-based SSO sessions, CLI tokens are routinely embedded in automation: CI/CD pipelines, deployment scripts, infrastructure-as-code tooling, and scheduled jobs. A compromised CLI identity can quietly exfiltrate data, provision compute, tamper with storage, or pivot into connected services — without triggering the same alerts as an interactive login.

The IPv6 sourcing is tactically significant. Many organizations built their firewall rules, conditional access policies, and SIEM detections around IPv4 threat intelligence. Traffic from IPv6 ranges frequently slips through legacy policies that were never updated, or is absent from geo-anomaly and impossible-travel rules that watch for suspicious logins.

With 81 million attempts still ongoing and 78 confirmed breaches, this is not a threat to put in the backlog. It requires a response today.

What to Do

1. Audit sign-in logs immediately. In Microsoft Entra ID, filter sign-in logs for the IPv6 range 2a0a:d683::/3. Flag any successful authentications, especially for service principals and accounts with CLI scopes.

2. Enforce MFA on all Azure CLI-capable accounts. Password spray only works against password-only authentication. Entra ID Conditional Access can require phishing-resistant MFA (FIDO2 or Authenticator App) for CLI sign-ins specifically. Get this in place before you do anything else.

3. Enable Entra ID Identity Protection if not already active. The leaked-credentials and password-spray risk detections can auto-remediate affected accounts. If Identity Protection is already enabled, open the Risk Detections dashboard now and triage any flagged accounts.

4. Block IPv6 at the Conditional Access layer if your organization has no legitimate IPv6 Azure traffic. A policy denying sign-ins from IPv6 ranges stops this campaign's infrastructure immediately. This is a low-risk, high-return control for most enterprise tenants.

5. Treat any confirmed-hit accounts as fully compromised. Rotate secrets, revoke all active sessions, and review the audit log for what those credentials touched. Assume lateral movement until the audit proves otherwise.

6. Right-size service principal permissions. Pipelines commonly run with over-privileged roles accumulated over time. Use this incident as a forcing function to scope them to least-privilege — before an attacker uses one of these accounts to do something irreversible.
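As an added worked example for step 1 (this is not code from Huntress, Microsoft or the article; it was written for this page), the script below triages an exported Entra ID sign-in log against the IPv6 prefix quoted above. It assumes the export uses the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`, with `errorCode` 0 meaning success), and it assumes the Azure CLI shows up as `"Microsoft Azure CLI"` in `appDisplayName`; the sample records are constructed. One caveat worth knowing before you paste the prefix into a block rule: `2a0a:d683::/3` as written has host bits set, so Python's `ipaddress` only accepts it with `strict=False` and normalises it to `2000::/3`, which is essentially all global-unicast IPv6 space. Confirm the prefix length against the source report before treating it as a narrow indicator.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Prefix quoted in the alert. strict=False is required because the prefix has
# host bits set; ipaddress normalises it to 2000::/3 (all global unicast).
SPRAY_RANGE = ipaddress.ip_network("2a0a:d683::/3", strict=False)

# Assumed display name of the Azure CLI in Entra sign-in logs.
AZURE_CLI_APP = "Microsoft Azure CLI"

# Constructed sample records in the shape of an Entra ID sign-in log export.
# 50126 is Entra's "invalid username or password" code; 0 is success.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "2a0a:d683:1::10",
     "appDisplayName": AZURE_CLI_APP, "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "2a0a:d683:1::10",
     "appDisplayName": AZURE_CLI_APP, "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "2a0a:d683:1::10",
     "appDisplayName": AZURE_CLI_APP, "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.7",
     "appDisplayName": AZURE_CLI_APP, "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "2001:db8::5",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
]


def parse_export(text):
    """Accept either a bare JSON array (portal download) or a Graph API
    response object with a "value" array, and return the list of records."""
    data = json.loads(text)
    if isinstance(data, dict):
        return data.get("value", [])
    return data


def in_spray_range(ip):
    """True if the string is a valid IP address inside SPRAY_RANGE.
    IPv4 addresses and unparseable strings are never in range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr in SPRAY_RANGE


def triage(records, app_filter=AZURE_CLI_APP):
    """Flag successful sign-ins from the range and summarise spray pressure.

    Returns a dict with:
      hits           - list of (user, ip) for successful sign-ins from the range
      attempts       - attempts per source IP in the range
      distinct_users - distinct target users per source IP (many users from
                       one IP is the password-spray signature)
    Pass app_filter=None to look at every application, not just the CLI.
    """
    hits = []
    attempts = Counter()
    users_per_ip = defaultdict(set)
    for rec in records:
        ip = rec.get("ipAddress", "")
        if not in_spray_range(ip):
            continue
        if app_filter is not None and rec.get("appDisplayName") != app_filter:
            continue
        user = rec.get("userPrincipalName", "<unknown>")
        attempts[ip] += 1
        users_per_ip[ip].add(user)
        if rec.get("status", {}).get("errorCode") == 0:
            hits.append((user, ip))
    return {
        "hits": hits,
        "attempts": dict(attempts),
        "distinct_users": {ip: len(u) for ip, u in users_per_ip.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    for user, ip in result["hits"]:
        print(f"CONFIRMED HIT: {user} signed in successfully from {ip}")
    for ip, n in result["attempts"].items():
        print(f"{ip}: {n} attempts against {result['distinct_users'][ip]} users")
```

Run it against a real export with `triage(parse_export(open("signins.json").read()))`. Every user in `hits` is a candidate for step 5 (full compromise handling), and any source IP with many distinct target users and few successes is the spray pattern itself, which is what the Identity Protection detection in step 3 is looking for.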

Sources
  1. Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts

Synthesized by Claude · sanity-checked before publish.
