Over 81 million login attempts were recorded in a recent password spraying campaign against the Azure CLI, which successfully compromised at least 78 Microsoft accounts, according to reports published around July 1, 2026. This incident shows the persistent vulnerability of cloud management interfaces to credential-based attacks, even against well-resourced platforms. Attackers continue to target command-line tools, recognizing their privileged access and potential for deep environmental control. This is not an exploit of a zero-day but a direct attack on authentication mechanisms, showing the need for strong identity controls beyond perimeter defenses.

What Happened

A widespread password spraying campaign recently hit the Azure Command Line Interface (CLI), leading to the compromise of at least 78 Microsoft accounts. Over 81 million unauthorized login attempts were recorded, as reported by SecurityWeek and The Hacker News around July 1, 2026. This is not a vulnerability exploit; it is a direct assault on user credentials using common password lists against a broad set of accounts.

The campaign focused specifically on the Azure CLI, a critical tool for managing Azure resources programmatically. Attackers cycled through a relatively small number of commonly used passwords, attempting to find a match across a massive pool of Azure accounts. This "low and slow" approach often bypasses simpler brute-force detection mechanisms that focus on multiple failed attempts against a single account. The incident highlights that even with advanced security tooling, the human element of password choice remains a significant attack surface for cloud environments.

Why It Matters

The compromise of Azure CLI accounts is a direct threat to an organization's cloud infrastructure. An attacker with access to an Azure CLI account can execute arbitrary commands, potentially leading to unauthorized resource provisioning, data exfiltration, or even the deletion of critical services. 78 compromised accounts, while a small fraction of the 81 million attempts, represent 78 potential entry points into potentially high-privilege cloud environments.

This type of attack bypasses traditional network perimeter security. If an account has administrative privileges, an attacker could escalate privileges, create new backdoors, or pivot laterally into other interconnected services. Gaining access to the CLI effectively hands an attacker the keys to parts of your Azure tenant, which can have downstream effects on linked applications and data stores. It is a direct path to the control plane, making it a high-value target for attackers.

Affected Scope & Remediation

Any organization relying on Azure CLI for resource management is exposed to this type of password spraying attack if their accounts lack strong authentication controls. The attack itself does not target specific versions of the Azure CLI tool, but rather the underlying Microsoft accounts used for authentication. This means all versions of Azure CLI are theoretically "affected" if the associated user accounts are vulnerable to weak passwords and lack proper MFA.

Immediate remediation steps are critical:

  1. Enforce Multi-Factor Authentication (MFA): This is the single most effective defense against password spraying. Require MFA for all Azure user accounts, especially those with administrative or privileged access to the Azure CLI. Consider hardware keys like YubiKey for the strongest protection.
  2. Implement Conditional Access Policies: Configure Azure AD Conditional Access policies to block sign-ins from suspicious locations, unknown devices, or legacy authentication protocols. You can also enforce MFA for specific roles or access to sensitive applications.
  3. Strengthen Password Policies: Implement strict password length, complexity, and rotation requirements. Consider tools like 1Password or Bitwarden to enforce unique, strong passwords across your organization.
  4. Monitor Azure AD Sign-in Logs: Regularly review Azure AD sign-in logs for unusual patterns, such as multiple failed login attempts from a single IP address across many accounts, or successful logins from atypical geographical locations.
  5. Account Lockout Policies: Ensure aggressive account lockout policies are in place to prevent rapid-fire attempts against individual accounts, even if password spraying typically tries to avoid triggering these.
  6. Principle of Least Privilege: Audit and reduce the permissions granted to Azure CLI user accounts to the absolute minimum required for their function. This limits the blast radius of a successful compromise.
Metric Value Source
Attack Type Password Spray SecurityWeek
Attempts Made 81 million The Hacker News
Accounts Compromised 78 accounts The Hacker News
Initial Report Date Recent The Hacker News
Primary Target Azure CLI SecurityWeek
Key metrics chart for Azure CLI Targeted in Massive Password Spray Campaign
Key metrics — data from sources cited above
Source: thehackernews.com
Source: thehackernews.com

Technical Breakdown

This campaign used password spraying, a common credential attack technique. Instead of attempting many passwords against a single account (brute-force), attackers try one or a few common passwords against a large number of accounts. Imagine trying one master key in every door on a long corridor, hoping it fits some of them, rather than trying a whole ring of keys on just one door. This method often evades traditional account lockout mechanisms designed to thwart rapid, repeated failed attempts on a single user.

The attackers used the Azure CLI as their entry point, which authenticates against Azure Active Directory (Azure AD). When a user runs an az command, the CLI initiates an authentication flow, typically involving a browser-based login or device code flow. The attackers automated these authentication attempts against the Azure AD endpoint backing the CLI. They were not exploiting a flaw in the CLI tool itself, but rather the human tendency to use weak or reused passwords.

Once an account is compromised, the attacker has a T1078 Valid Accounts credential, enabling them to bypass initial authentication steps. From there, they can perform actions directly through the CLI, effectively acting as the legitimate user. The initial access technique aligns with T1110 Brute Force, specifically T1110.003 Password Spraying. Organizations need strong controls around IA-2 Identification and Authentication (Organizational Users) and IA-5 Authenticator Management to counter such attacks. Additionally, good AC-2 Account Management practices, including regular auditing of account permissions and activity, are critical to minimize impact post-compromise.

Historical Context

This Azure CLI password spraying campaign echoes previous large-scale credential-based attacks. In January 2024, a significant credential stuffing attack was widely reported, impacting numerous online services and leading to millions of compromised accounts. That incident, unlike the current Azure CLI attack, involved attackers taking stolen username-password pairs from one service and attempting them across many other services. This is credential stuffing, leveraging leaked credentials.

The Azure CLI incident, however, specifically used password spraying, where attackers attempt a small set of commonly known passwords against a large list of usernames. While both methods fall under credential-based attacks, the spraying technique often relies on public intelligence on common passwords rather than previously leaked data. The commonality lies in the exploitation of weak authentication practices and the sheer volume of attempts required to find a few successful compromises.

Data at a Glance

Metric Value Source
Attack Attempts 81 million The Hacker News
Accounts Compromised 78 accounts The Hacker News
Success Rate 0.000096% Calculated from 78/81M
Attack Vector Password Spray SecurityWeek
Initial Report Date Within 48 hours The Hacker News (from research brief)
Primary Target Platform Azure CLI SecurityWeek

The CVEDaily Take

The low success rate of 0.000096% might seem insignificant, but the fact that 78 accounts were compromised out of 81 million attempts shows a critical failure in basic identity hygiene for the affected organizations. We believe this number of compromised accounts is likely an underestimation of the true impact, as many organizations may not yet have detected such breaches or reported them publicly. The real concern is not just the quantity, but the potential quality of those 78 accounts – a single highly privileged account can grant an attacker full control over an entire cloud environment.

When did your team last audit activity logs for suspicious Azure CLI login attempts and review your MFA enforcement policies for administrative accounts?

FAQ

Q1: What is Azure CLI?
A1: The Azure CLI is a cross-platform command-line tool used to connect to Azure and execute administrative commands on Azure resources. It allows users to create, manage, and scale cloud resources directly from a terminal or script.

Q2: How does a password spray attack differ from a traditional brute-force attack?
A2: A password spray attack attempts a small number of common passwords against a large list of usernames. In contrast, a traditional brute-force attack tries many different passwords against a single username. Password spraying is designed to avoid account lockout policies that typically trigger after multiple failed login attempts on a single account.

Q3: What immediate actions should be taken if an Azure CLI account is suspected of compromise?
A3: Immediately disable or reset the password for the compromised account, revoke any active tokens or sessions, and review audit logs for any unauthorized activities performed using that account. Enable or enforce MFA for all administrative accounts and analyze conditional access policies.