A sophisticated password spray campaign dubbed “LSHIY” has targeted Azure Command-Line Interface (CLI) authentication across 64 organizations, generating over 81 million malicious login attempts. Threat actors exploited Azure CLI’s programmatic access capabilities to bypass traditional authentication controls, successfully compromising multiple cloud environments. Organizations using Azure CLI for automation and DevOps operations face elevated risk from this persistent campaign that leverages legitimate tools for unauthorized access.
Introduction
Cloud infrastructure has become a prime target for threat actors seeking scalable attack vectors, and Microsoft Azure’s widespread enterprise adoption makes it particularly attractive. The LSHIY campaign represents an evolution in credential-based attacks, specifically weaponizing the Azure Command-Line Interface—a trusted administrative tool—to conduct massive-scale password spray operations while evading detection mechanisms designed for traditional web-based authentication.
Unlike conventional password spray attacks against the browser-based Azure portal sign-in, LSHIY operators showed a working knowledge of cloud administration workflows by targeting the authentication flows the CLI itself uses. This gave them reduced visibility, sidestepped MFA wherever it was not enforced (the CLI’s username/password login path cannot complete an MFA challenge, so it either succeeds on the password alone or fails outright), and enabled automated credential testing at unprecedented scale.
The campaign’s discovery highlights a critical blind spot in many organizations’ cloud security monitoring: programmatic access patterns that differ substantially from human user behavior yet often receive less scrutiny than interactive logins.
Background & Context
Azure CLI serves as Microsoft’s cross-platform command-line tool for managing Azure resources, widely deployed in DevOps pipelines, infrastructure-as-code implementations, and automated cloud management workflows. Its authentication mechanisms support multiple methods including interactive browser-based login, service principals, and managed identities.
Password spray attacks differ from brute-force attempts by testing a small number of commonly used passwords against many user accounts, rather than many passwords against a single account. This technique avoids account lockout policies while maintaining reasonable success rates against organizations with weak password hygiene.
The LSHIY campaign name derives from identifiable patterns in the attack infrastructure and user-agent strings observed during the operation. Security researchers identified coordinated activity spanning multiple months, with attack intensity fluctuating based on target organization characteristics and defensive responses.
Previous Azure-targeted campaigns have primarily focused on web portal authentication or exploitation of misconfigured storage accounts. LSHIY’s CLI-specific approach represents tactical adaptation by threat actors seeking less-monitored attack surfaces within cloud environments.
Technical Breakdown
The LSHIY campaign’s technical implementation reveals careful planning and infrastructure investment by its operators:
Attack Vector: Threat actors targeted the sign-in flows used by Azure CLI rather than the standard Azure Active Directory browser sign-in page. Requests used the CLI’s non-interactive login paths: username/password login (`az login -u <user> -p <password>`, which Azure CLI implements with the OAuth 2.0 resource owner password credentials grant) and service principal login with a client secret. Device code authentication was also observed; that flow is interactive and takes no password, so it is not a spray vector in itself, but it lets an operator obtain tokens once a credential has been confirmed.
Infrastructure: Attackers distributed requests across residential proxy networks and compromised cloud infrastructure, making source IP-based blocking ineffective. Analysis revealed over 1,200 unique IP addresses participating in the campaign across 45 countries.
Target Selection: The 64 victimized organizations spanned multiple industries including technology (28%), finance (19%), healthcare (15%), and manufacturing (12%). Targeting appeared non-random, suggesting prior reconnaissance to identify organizations with Azure CLI usage patterns.
Credential Testing Methodology: The campaign employed an adaptive password spray approach:
# Observed attack pattern
- Initial probe: 3-5 common passwords per account
- Cooldown period: 6-12 hours between attempts per account
- Credential rotation: Password list updated every 72 hours
- Success exploitation: Immediate token harvesting upon valid authentication
Authentication Abuse: Valid credentials enabled attackers to request Azure access tokens via CLI (placeholders in angle brackets stand for the values seen in the logs):

```shell
# Attacker command pattern (reconstructed from logs)
az login --service-principal -u <app-id> -p <client-secret> --tenant <tenant-id>
az account get-access-token --resource https://management.azure.com/
```

These tokens provided API access to Azure Resource Manager, enabling environment enumeration and resource manipulation without triggering additional authentication events. Note that `az login` also caches the refreshable credential in the user’s `~/.azure` profile directory, so one successful login can be reused until the credential is revoked.
Evasion Techniques: LSHIY operators implemented several detection avoidance measures:
- User-agent rotation mimicking legitimate Azure CLI versions (2.30.0 through 2.53.0)
- Request timing randomization to simulate human operational patterns
- Geographic distribution matching target organization’s known office locations
- Compliance with Azure rate limiting to avoid automated blocking
Impact & Risk Assessment
The LSHIY campaign’s impact extends beyond immediate account compromise, creating cascading security risks:
Immediate Compromise Impact:
- Unauthorized access to cloud resources including virtual machines, databases, and storage accounts
- Data exfiltration capabilities across compromised subscriptions
- Privilege escalation opportunities through role assignment manipulation
- Lateral movement within connected Azure Active Directory environments
Operational Risk:
Organizations face business disruption through:
- Resource deletion or modification causing service outages
- Cryptocurrency mining deployment consuming cloud credits
- Ransomware deployment targeting Azure-hosted workloads
- Supply chain contamination via compromised DevOps pipelines
Financial Exposure:
The 81 million authentication attempts represent significant attacker investment, suggesting high-value targeting objectives. Compromised organizations face:
- Direct financial theft through resource abuse ($500-$50,000 per incident)
- Regulatory fines for data protection failures (GDPR, HIPAA, PCI-DSS)
- Incident response and forensics costs ($75,000-$500,000 average)
- Long-term reputation damage affecting customer trust
Strategic Risk:
CLI compromise provides persistent access that often survives password resets for interactive accounts, as attackers establish:
- Additional service principal accounts with administrative privileges
- Backdoor authentication mechanisms via OAuth applications
- Resource-level access policies bypassing tenant-wide controls
Vendor Response
Microsoft’s security teams have taken multiple actions in response to the LSHIY campaign:
Detection Enhancements: Microsoft deployed updated detection logic to Azure Active Directory Identity Protection, specifically identifying abnormal CLI authentication patterns. These signals now contribute to user risk scoring and conditional access policy evaluations.
Customer Notifications: Affected organizations received Azure Security Center alerts identifying compromised accounts and suspicious CLI activity. Microsoft’s threat intelligence team provided Indicators of Compromise (IOCs) including IP addresses and user-agent patterns associated with the campaign.
Platform Updates: Microsoft enhanced Azure CLI logging capabilities in version 2.54.0 and later, providing improved audit trails for authentication attempts and token requests. Organizations can now track CLI authentication context more granularly through Azure Monitor.
Guidance Publication: Microsoft released security advisories recommending:
- Mandatory multi-factor authentication for all CLI access
- Conditional access policies restricting CLI authentication sources
- Service principal lifecycle management best practices
- Enhanced monitoring for programmatic authentication patterns
Mitigations & Workarounds
Organizations should implement layered defenses against CLI-targeted password spray campaigns:
Immediate Actions:
- Force password resets for all accounts with Azure administrative privileges, then review what those callers did on the management plane (authentication events themselves live in the Azure AD sign-in logs, not the activity log):

```shell
# Review recent management-plane operations by a caller (UPN or object ID); the activity log keeps 90 days
az monitor activity-log list --caller <user-or-object-id> --start-time <YYYY-MM-DDTHH:MM:SSZ> -o table
```

- Audit service principals for unauthorized creations:

```shell
# List service principals created in the last 90 days (Graph datetime literal; --all pages past the first 100).
# If Graph rejects the filter, list everything and sort client-side: --query "sort_by([], &createdDateTime)"
az ad sp list --all --filter "createdDateTime ge <YYYY-MM-DD>T00:00:00Z" --query "[].{Name:displayName, AppId:appId, Created:createdDateTime}" -o table
```

- Enable Azure AD Identity Protection for risk-based conditional access.
Authentication Hardening:
Enforce MFA for all CLI authentication. Conditional Access targets the resource being accessed, not the client application, so the policy scopes to the Azure Management resource (Windows Azure Service Management API, app ID 797f4846-ba00-4fd7-ba43-dac1f8f63013). Azure CLI signs in as a desktop client; the "other" client app type covers legacy protocols and would not match it:

```json
{
  "displayName": "Require MFA for Azure management from CLI and desktop clients",
  "state": "enabled",
  "conditions": {
    "users": { "includeUsers": ["All"] },
    "applications": {
      "includeApplications": ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
    },
    "clientAppTypes": ["mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa"]
  }
}
```

This policy governs user sign-ins; service principal secret spraying is not stopped by MFA and must be addressed through the credential controls below.

Network Controls:
- Implement conditional access policies restricting CLI authentication to known IP ranges
- Deploy Azure Private Link for management plane access
- Utilize Azure Bastion for administrative operations requiring elevated privileges
Credential Management:
- Transition from password-based service principals to certificate-based authentication
- Implement managed identities for Azure-hosted workloads
- Enforce 90-day maximum credential lifetime for service principals
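The service principal audit above and the 90-day credential lifetime rule can be checked together from one export. The script below is an added example, not code from the original article or from Microsoft: it reads the JSON that `az ad sp list --all -o json` produces (the field names displayName, appId, createdDateTime, passwordCredentials and keyCredentials are the Microsoft Graph servicePrincipal fields the CLI returns) and flags principals created recently, secrets valid for longer than 90 days, and principals that authenticate by secret alone with no certificate. The sample principals, IDs, dates and the fixed clock are constructed.

```python
"""Triage a service-principal export from `az ad sp list --all -o json`.

Added example, not code from the original article or from Microsoft. The
record shape follows the Microsoft Graph servicePrincipal fields Azure CLI
returns (displayName, appId, createdDateTime, passwordCredentials,
keyCredentials); the sample principals, IDs and dates below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Fixed "now" so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
RECENT_DAYS = 90               # flag principals created inside this window for review
MAX_SECRET_LIFETIME_DAYS = 90  # the article's rule: secrets must not outlive 90 days

# Constructed sample of what `az ad sp list --all -o json` returns (trimmed to the fields used).
SAMPLE_SP_JSON = json.dumps([
    {"displayName": "ci-deploy", "appId": "11111111-1111-1111-1111-111111111111",
     "createdDateTime": "2023-01-15T10:00:00Z",
     "passwordCredentials": [{"startDateTime": "2023-01-15T10:00:00Z",
                              "endDateTime": "2025-01-15T10:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "backup-agent", "appId": "22222222-2222-2222-2222-222222222222",
     "createdDateTime": "2022-06-01T08:00:00Z",
     "passwordCredentials": [],
     "keyCredentials": [{"startDateTime": "2023-06-01T08:00:00Z",
                         "endDateTime": "2024-06-01T08:00:00Z"}]},
    {"displayName": "svc-sync", "appId": "33333333-3333-3333-3333-333333333333",
     "createdDateTime": "2024-02-20T22:15:00Z",
     "passwordCredentials": [{"startDateTime": "2024-02-20T22:15:00Z",
                              "endDateTime": "2024-04-20T22:15:00Z"}],
     "keyCredentials": []},
])


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_service_principals(sp_json: str, now: datetime = NOW) -> List[Tuple[str, str, str]]:
    """Return (appId, displayName, finding) triples for principals needing review.

    Findings:
      recently-created  created within RECENT_DAYS of `now` (confirm an owner and a reason exist)
      secret-lifetime   a client secret valid for longer than MAX_SECRET_LIFETIME_DAYS
      password-only     authenticates with a secret and has no certificate credential at all
    """
    findings: List[Tuple[str, str, str]] = []
    for sp in json.loads(sp_json):
        app_id, name = sp["appId"], sp["displayName"]
        if now - _ts(sp["createdDateTime"]) <= timedelta(days=RECENT_DAYS):
            findings.append((app_id, name, "recently-created"))
        secrets = sp.get("passwordCredentials") or []
        certs = sp.get("keyCredentials") or []
        for cred in secrets:
            lifetime = _ts(cred["endDateTime"]) - _ts(cred["startDateTime"])
            if lifetime > timedelta(days=MAX_SECRET_LIFETIME_DAYS):
                findings.append((app_id, name, "secret-lifetime"))
        if secrets and not certs:
            findings.append((app_id, name, "password-only"))
    return findings


if __name__ == "__main__":
    for app_id, name, finding in triage_service_principals(SAMPLE_SP_JSON):
        print(f"{finding:18} {name:14} {app_id}")
```

On the constructed sample, `ci-deploy` is flagged for a two-year secret and for having no certificate, `svc-sync` for being nine days old and password-only, and the certificate-backed `backup-agent` produces nothing. Pipe a real export in with `az ad sp list --all -o json > sps.json` and pass the file contents to `triage_service_principals`.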
Detection & Monitoring
Establish comprehensive monitoring for CLI-based authentication anomalies:
Azure Sentinel Detection Rules:

```kusto
// Detect high-volume CLI authentication attempts per user.
// ResultType is a string column in SigninLogs, so compare against "0", not the integer 0.
let CliAppId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"; // Azure CLI client application ID
SigninLogs
| where TimeGenerated > ago(1h)
| where AppId == CliAppId
| summarize FailedAttempts = countif(ResultType != "0"),
            SuccessfulAttempts = countif(ResultType == "0"),
            UniqueIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 5m)
| where FailedAttempts > 10 or UniqueIPs > 3
```

Because a spray touches each account only a few times, this per-user rule catches loud sources; pair it with a variant that summarizes by IPAddress and alerts on a high dcount(UserPrincipalName) with few failures per user.

Anomaly Indicators:
Monitor for these suspicious patterns:
- CLI authentication from geographically impossible locations within short timeframes
- Sudden increases in CLI usage from historically inactive accounts
- Service principal authentication outside normal business hours
- CLI access token requests for unfamiliar Azure resources
Log Sources:
Enable comprehensive logging:
- Azure AD Sign-in Logs (Premium P1 minimum)
- Azure Activity Logs for resource-level operations
- Azure CLI audit logs (requires version 2.54.0+)
- Network traffic logs for egress monitoring
Alert Thresholds:
Establish baseline-driven alerting:
- More than 5 failed CLI authentications per user per hour
- CLI authentication from IP addresses without previous history
- Service principal usage spikes exceeding 200% of 30-day average
- Token requests for Azure Resource Manager from new client IPs
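The thresholds above are per user, but the spray pattern described in the Technical Breakdown (three to five passwords per account, long cooldowns) stays under any per-user limit by design; what stands out is one source failing against many accounts. The detector below is an added example, not code from the original article or from Microsoft. It goes beyond the page’s per-user KQL rule by grouping Azure CLI sign-ins per source IP and hour, the way `bin()` does, and reports spraying sources, any success from a spraying source (a confirmed credential), and per-user brute force. The records are constructed but use the column names of the SigninLogs table; the Azure CLI client ID and result code 50126 (invalid username or password) are real, while the thresholds, hosts and the placeholder non-CLI client ID are assumptions.

```python
"""Password-spray detector over Azure CLI sign-in events.

Added example, not code from the original article or from Microsoft. Records
are constructed but use the Azure AD SigninLogs column names (TimeGenerated,
UserPrincipalName, IPAddress, AppId, ResultType). The Azure CLI client ID and
result code 50126 are real; thresholds, hosts and the placeholder client ID
are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
OTHER_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder for some non-CLI client
SPRAY_MIN_USERS = 5   # assumed: distinct users failing from one IP within one hour
BRUTE_MIN_FAILS = 5   # assumed: mirrors the article's per-user failures-per-hour threshold


def _rec(ts: str, upn: str, ip: str, app: str = AZURE_CLI_APP_ID,
         result: str = "50126") -> Dict[str, str]:
    """Build one SigninLogs-shaped record; 50126 = invalid username or password."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "AppId": app, "ResultType": result}


# Constructed sample: one source touches six users once each, then succeeds on one of them.
SAMPLE_LOGS: List[Dict[str, str]] = [
    _rec("2024-03-01T09:00:12Z", "alice@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:03:40Z", "bob@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:07:05Z", "carol@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:11:51Z", "dave@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:15:22Z", "erin@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:19:09Z", "frank@contoso.example", "203.0.113.10"),
    _rec("2024-03-01T09:40:33Z", "frank@contoso.example", "203.0.113.10", result="0"),
    # an admin mistyping a password twice from the office, then succeeding: benign
    _rec("2024-03-01T09:05:00Z", "alice@contoso.example", "198.51.100.7"),
    _rec("2024-03-01T09:05:30Z", "alice@contoso.example", "198.51.100.7"),
    _rec("2024-03-01T09:06:00Z", "alice@contoso.example", "198.51.100.7", result="0"),
    # a non-CLI client from the spray source: outside the scope of a CLI-specific rule
    _rec("2024-03-01T09:30:00Z", "gina@contoso.example", "203.0.113.10", app=OTHER_APP_ID),
]


def _hour_bin(ts: str) -> datetime:
    """Floor an ISO-8601 'Z' timestamp to the hour, like KQL bin(TimeGenerated, 1h)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.replace(minute=0, second=0, microsecond=0)


def detect_spray(records: List[Dict[str, str]]) -> Dict[str, Set]:
    """Flag spraying sources, post-spray successes and per-user brute force.

    Grouping by source IP is what separates a spray (many users, one or two
    tries each) from the per-user counts that lockout policies key on.
    """
    fails: Dict[Tuple[str, datetime], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    wins: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for r in records:
        if r["AppId"] != AZURE_CLI_APP_ID:      # CLI-only rule, same filter as the KQL
            continue
        key = (r["IPAddress"], _hour_bin(r["TimeGenerated"]))
        if r["ResultType"] == "0":             # ResultType is a string column
            wins[key].add(r["UserPrincipalName"])
        else:
            fails[key][r["UserPrincipalName"]] += 1

    spray_sources: Set[str] = set()
    spray_then_success: Set[Tuple[str, str]] = set()
    brute_force: Set[Tuple[str, str]] = set()
    for (ip, hour), per_user in fails.items():
        if len(per_user) >= SPRAY_MIN_USERS:
            spray_sources.add(ip)
            for user in wins.get((ip, hour), set()):
                spray_then_success.add((user, ip))   # a valid credential was found
        for user, n in per_user.items():
            if n >= BRUTE_MIN_FAILS:
                brute_force.add((user, ip))
    return {"spray_sources": spray_sources,
            "spray_then_success": spray_then_success,
            "brute_force": brute_force}


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOGS))
```

On the sample, 203.0.113.10 is reported as a spraying source and frank@contoso.example as a spray-then-success hit, while no user crosses the per-user failure threshold: the five-failures-per-user alert alone would have stayed silent. Export the matching SigninLogs rows from Log Analytics as JSON and feed them to `detect_spray` to run the same logic over real data.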
Best Practices
Implementing comprehensive Azure CLI security requires organizational commitment:
Identity Governance:
- Conduct quarterly access reviews for all service principals
- Implement just-in-time (JIT) privileged access for administrative operations
- Separate service accounts for different automation purposes
- Document all service principals with business justification and ownership
Authentication Architecture:
- Default to managed identities for all Azure-hosted automation
- Utilize certificate-based authentication where passwords are unavoidable
- Implement federated credentials for GitHub Actions and external CI/CD
- Enforce conditional access for all programmatic authentication methods
Security Monitoring:
- Integrate Azure logs with centralized SIEM platforms
- Establish 24/7 monitoring for cloud authentication anomalies
- Conduct monthly reviews of CLI authentication patterns
- Perform quarterly purple team exercises targeting cloud infrastructure
Incident Response:
- Develop playbooks specifically for cloud credential compromise
- Maintain updated asset inventory of all Azure resources
- Establish automated response workflows for high-risk authentication events
- Conduct regular tabletop exercises for cloud security incidents
Developer Security:
- Implement pre-commit hooks preventing credential commits
- Utilize Azure Key Vault for all application secrets
- Enforce code review requirements for infrastructure-as-code
- Provide security training on cloud-specific attack vectors
Key Takeaways
- The LSHIY campaign demonstrates that cloud CLI tools represent high-value targets for credential-based attacks due to reduced monitoring compared to interactive authentication
- 81 million authentication attempts across 64 organizations indicate well-resourced threat actors with significant infrastructure investment
- Azure CLI’s programmatic nature enables attackers to bypass traditional authentication controls and evade detection mechanisms designed for human users
- Organizations must extend zero-trust principles to programmatic access, treating CLI authentication with the same scrutiny as interactive logins
- Managed identities and certificate-based authentication significantly reduce password spray attack surface for cloud automation
- Comprehensive logging and anomaly detection are essential for identifying sophisticated password spray campaigns before widespread compromise
- Multi-factor authentication, while critical, must be properly configured for CLI access to provide meaningful protection
References
- Microsoft Azure CLI Documentation: https://docs.microsoft.com/en-us/cli/azure/
- Azure AD Sign-in Logs Schema: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
- Azure Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- MITRE ATT&CK T1110.003 – Password Spraying: https://attack.mitre.org/techniques/T1110/003/
- Azure CLI Security Best Practices: https://docs.microsoft.com/en-us/cli/azure/security-best-practices
- Conditional Access for Azure Management: https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.