Azure CLI Password Spray Campaign: Defending 81 Million Login Attempts
- [01] Attackers launched 81 million login attempts against Microsoft Entra ID to compromise cloud accounts and gain administrative access.
- [02] Environments using the Azure CLI application ID with weak passwords or lacking multi-factor authentication are specifically targeted in this campaign.
- [03] Enforce phishing-resistant multi-factor authentication and implement conditional access policies to block legacy authentication and suspicious IP ranges.
Overview of the Azure CLI Password Spray Campaign
According to SecurityWeek, security researchers have identified a massive Phishing-adjacent identity attack involving over 81 million login attempts. This campaign leverages infrastructure associated with the hosting provider LSHIY to conduct high-volume password spraying against Microsoft Entra ID (formerly Azure AD). By targeting the Azure CLI, threat actors aim to gain Privilege Escalation and move horizontally across cloud environments.
Technical Analysis: Azure CLI Application ID Security Risks
The core of this TTP involves the systematic testing of common passwords against a vast list of usernames. Unlike traditional brute-force attacks that target a single account with many passwords, password spraying tests a few common passwords against many accounts to avoid account lockout thresholds.
In this specific campaign, the attackers are targeting the well-known Azure CLI application ID (04b07795-8ddb-461a-bbee-02f9e1bf7b46). This is a strategic choice. Many organizations allow this application ID to facilitate developer workflows. By masquerading as legitimate CLI traffic, attackers hope to bypass certain SIEM alerts that might otherwise flag unusual application behavior.
Infrastructure and Attribution
The traffic originates predominantly from LSHIY, a hosting provider that has been frequently linked to malicious activity. The scale of 81 million attempts suggests a highly automated and distributed infrastructure. While a specific APT has not yet been named, the sheer volume indicates a well-resourced threat actor. The primary objective is likely the discovery of accounts with weak credentials that lack multi-factor authentication (MFA). Once an initial foothold is established, attackers often seek Lateral Movement opportunities to access sensitive data or deploy Ransomware.
Azure CLI Password Spray Detection Techniques
Identifying these attempts requires sophisticated SIEM correlation. Because the attempts are distributed across millions of targets and originate from various IP addresses within the LSHIY range, they can appear as background noise rather than a coordinated assault. A SOC must look for patterns of “Sign-in failure: Wrong password” across multiple users originating from the same ISP or targeting the same Application ID within a short timeframe.
Defensive Strategies and Mitigation
Organizations must prioritize identity security to mitigate the risk of account takeover. The most effective defense is the implementation of Zero Trust principles, specifically the “verify explicitly” pillar.
Implementing Conditional Access
To effectively protect Azure accounts from brute force attacks, administrators should implement Conditional Access policies. These policies should:
- Require MFA for all users, ideally using phishing-resistant methods like FIDO2 security keys.
- Block legacy authentication protocols (e.g., POP, IMAP, SMTP) that do not support MFA and are common targets for spray attacks.
- Restrict logins from untrusted or high-risk IP ranges, such as those associated with the LSHIY hosting provider.
Monitoring and Response
Security teams should configure their EDR and cloud monitoring tools to alert on spikes in failed login attempts. Specifically, monitoring the SignInLogs in Entra ID for the Azure CLI app ID is vital. If a successful login occurs after a series of failures, it should be treated as a high-severity IoC and investigated immediately. Defenders should also map these activities to the MITRE ATT&CK framework, specifically focusing on Brute Force (T1110) and Valid Accounts (T1078).
Ensuring that developers follow best practices for Azure CLI application ID security risks involves rotating secrets regularly and using Managed Identities wherever possible to eliminate the need for hardcoded credentials.
Advertisement