A massive automated password-spray campaign targeting Microsoft Azure’s command-line interfaces has compromised 78 accounts across 64 organizations. Dubbed “LSHIY,” the operation has generated over 81 million login attempts since June 12, 2026, exploiting a critical vulnerability in how cloud environments handle non-interactive authentication.
Unlike traditional attacks that target the heavily monitored Azure web portal, the campaign deliberately focused on programmatic endpoints like the Azure CLI and PowerShell. Security analysts tracking the operation note that attackers successfully circumvented multi-factor authentication (MFA) by leveraging the OAuth Resource Owner Password Credentials (ROPC) flow. This legacy authentication method allows applications to sign in users directly with a username and password, effectively bypassing modern MFA prompts and conditional access checks.
The campaign highlights a systemic “CLI blind spot” in enterprise cloud security. Organizations routinely enforce strict monitoring and identity controls on human-facing portals, but often leave automated, script-driven authentication paths under-defended. The attackers cycled a short list of weak, default, or recycled credentials across a massive volume of accounts, capitalizing on the fact that non-interactive sessions frequently operate without the same rigorous oversight applied to interactive logins.
In response, security experts are urging organizations to adopt a unified, identity-centric posture that treats programmatic access with the same rigor as user portals. The immediate priority is disabling legacy authentication flows like OAuth ROPC and enforcing strict conditional access policies that block anomalous sign-ins regardless of the client used. Universal MFA enforcement must explicitly extend to CLI sessions, PowerShell scripts, and service principals to close the gap exploited by the LSHIY campaign.
Defenders must also integrate Microsoft Entra ID sign-in logs into a centralized SIEM to automate spray detection and flag high-volume failed authentications. The campaign further underscores the need for dedicated governance of non-human identities. Service principals and automated accounts frequently carry broad permissions but lack oversight, making them high-value targets. Best practices now dictate transitioning automated workloads to managed identities, enforcing strict least-privilege scoping, and embedding identity controls directly into DevOps and CI/CD pipelines.
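The spray-detection logic the previous paragraph calls for can be prototyped before it is ported to a SIEM query. The script below is an added example and is not code from the report or from Microsoft; it runs over a constructed set of sign-in events whose field names (`userPrincipalName`, `ipAddress`, `appDisplayName`, `resultType`, `isInteractive`, `authenticationProtocol`) are simplified assumptions modelled on Entra ID sign-in log attributes rather than a verbatim schema. Result code 50126 is Entra's real "invalid username or password" code; the IP addresses come from documentation ranges. The heuristic is the spray shape described above: one source touching many distinct accounts with only one or two failures each, weighted toward non-interactive CLI clients, and it also reports which sprayed accounts later produced a success from the same source.

```python
"""Password-spray detector over Entra ID-style sign-in events (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID returns AADSTS50126 when the username or password is wrong.
INVALID_CREDENTIALS = 50126
# Programmatic clients the campaign favoured over the web portal.
CLI_CLIENTS = {"Azure CLI", "Azure PowerShell"}


def _event(minute, upn, ip, app, result, interactive):
    """Build one constructed sign-in line (assumed, simplified field names)."""
    ts = datetime(2026, 6, 12, 3, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return json.dumps({
        "createdDateTime": ts.isoformat(),
        "userPrincipalName": upn,
        "ipAddress": ip,
        "appDisplayName": app,
        "resultType": result,
        "isInteractive": interactive,
        "authenticationProtocol": "ropc" if not interactive else "oauth2",
    })


# Constructed sample log: a spray from 203.0.113.7 (one guess against twelve
# accounts via Azure CLI, then a hit on user07), plus benign noise from a
# single user mistyping their own password on the portal.
SAMPLE_LOG_LINES = [
    _event(i, f"user{i:02d}@example.com", "203.0.113.7", "Azure CLI", INVALID_CREDENTIALS, False)
    for i in range(1, 13)
]
SAMPLE_LOG_LINES.append(_event(20, "user07@example.com", "203.0.113.7", "Azure CLI", 0, False))
SAMPLE_LOG_LINES += [
    _event(m, "alice@example.com", "198.51.100.5", "Azure Portal", INVALID_CREDENTIALS, True)
    for m in (30, 31, 32)
]
SAMPLE_LOG_LINES.append(_event(33, "alice@example.com", "198.51.100.5", "Azure Portal", 0, True))


def detect_password_spray(lines, window=timedelta(hours=1), min_users=10, max_per_user=3):
    """Return one finding per source IP whose failures look like a spray.

    A spray is: within any `window`, at least `min_users` distinct accounts
    failed with invalid credentials, and no single account was hit more than
    `max_per_user` times (many guesses at one account is brute force, not spray).
    """
    by_ip = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        e["_ts"] = datetime.fromisoformat(e["createdDateTime"])
        by_ip[e["ipAddress"]].append(e)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["_ts"])
        # Sliding window over time-ordered events: track the largest set of
        # distinct accounts that failed within any single window.
        start, best_users = 0, set()
        for end, e in enumerate(evs):
            while e["_ts"] - evs[start]["_ts"] > window:
                start += 1
            users = {x["userPrincipalName"] for x in evs[start:end + 1]
                     if x["resultType"] == INVALID_CREDENTIALS}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) < min_users:
            continue

        failed = [x for x in evs if x["resultType"] == INVALID_CREDENTIALS]
        per_user = Counter(x["userPrincipalName"] for x in failed)
        if max(per_user.values()) > max_per_user:
            continue

        # Accounts that were sprayed and then signed in successfully from the
        # same source are the ones to treat as compromised.
        successful = sorted({x["userPrincipalName"] for x in evs
                             if x["resultType"] == 0 and x["userPrincipalName"] in per_user})
        programmatic = sum(1 for x in evs
                           if x["appDisplayName"] in CLI_CLIENTS or not x["isInteractive"])
        findings.append({
            "ip": ip,
            "distinct_users": len(best_users),
            "failed_attempts": len(failed),
            "successful_users": successful,
            "programmatic_share": round(programmatic / len(evs), 2),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(SAMPLE_LOG_LINES), indent=2))
```

On the constructed sample the detector emits a single finding for 203.0.113.7 (12 distinct accounts, 12 failures, `user07@example.com` subsequently succeeded, 100% programmatic traffic) and ignores the portal user who mistyped her own password three times. The thresholds are parameters precisely because the right `min_users` and `window` depend on tenant size and the baseline rate of CLI failures; tune them against a week of real sign-in logs before alerting on them.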
As cloud infrastructure becomes increasingly script-driven, the LSHIY campaign demonstrates that identity governance can no longer be treated as an afterthought. Securing automated workflows is now a baseline requirement, and organizations that fail to extend defensive controls beyond the web portal risk leaving their environments exposed to highly scalable, automated credential campaigns.
