Summary
Huntress has identified an active, large-scale credential attack campaign targeting Microsoft 365 accounts. Threat actors are using infrastructure operated by LSHIY LLC — a hosting provider associated with adversary-controlled relay and Adversary-in-the-Middle (AiTM) activity — to conduct OAuth2 token spray attacks. These attacks attempt to authenticate as legitimate users by replaying stolen session tokens, bypassing traditional password-based defenses. Huntress has confirmed compromised identities across multiple partner organizations and is actively working to notify affected parties and contain the threat.
Am I Affected?
Partners with Microsoft 365 identity monitoring through Huntress should take the following steps to self-assess:
- Check your Huntress portal for any new or recent incident reports related to identity compromise or suspicious M365 login activity.
- Review your Microsoft 365 sign-in logs for successful authentications from unfamiliar IP addresses, particularly from geographic locations inconsistent with your users' normal activity.
- Look for post-compromise indicators such as new inbox rules, unexpected device enrollments in Entra/Intune, or unusual application consent grants.
- Verify MFA enforcement — accounts without strong MFA are at elevated risk of session token abuse.
- Organizations with Conditional Access Policies already in place may have had login attempts blocked automatically; however, those accounts should still undergo credential hygiene review.
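The self-assessment above can be scripted against a sign-in log export and a dump of each user's inbox rules. The following is an added example written for this advisory, not Huntress detection code or tooling: it flags successful and blocked sign-ins from a watch-listed hosting organisation or from a country outside the user's baseline, then flags inbox rules that forward mail outside the tenant or hide messages by subject. The IP-to-organisation table, the watch list, the baseline countries, the sign-in records and the rules are all constructed for the example (the `EXAMPLE HOSTING LLC` entries stand in for whatever your own ASN/WHOIS enrichment reports and are not real LSHIY LLC ranges); the record shapes follow Microsoft Graph `signIn` and `messageRule` objects.

```python
"""Triage of exported Microsoft 365 sign-in records and inbox rules.

All data below is constructed for the example; the IP-to-organisation table
stands in for the ASN/WHOIS enrichment you would run yourself and contains no
real indicators.
"""

# Constructed enrichment table: IP address -> organisation as an ASN/WHOIS
# lookup would report it (hypothetical values, not real LSHIY LLC ranges).
IP_ORG_LOOKUP = {
    "198.51.100.7": "Example Residential ISP",
    "203.0.113.10": "EXAMPLE HOSTING LLC",
    "192.0.2.55": "EXAMPLE HOSTING LLC",
}

# Hosting organisations that should never be the source of a successful user
# login in this tenant (constructed watch list).
WATCHLIST_ORGS = {"EXAMPLE HOSTING LLC"}

# Countries each user normally signs in from, taken from a known-good period
# (constructed baseline).
BASELINE_COUNTRIES = {
    "alice@contoso.example": {"US"},
    "bob@contoso.example": {"US"},
    "carol@contoso.example": {"US", "CA"},
}

# Constructed records in the shape of Graph /auditLogs/signIns entries.
# errorCode 0 is a successful sign-in; 53003 is "blocked by Conditional Access".
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T08:40:27Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:15:03Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 53003}},
    {"createdDateTime": "2025-01-10T09:20:44Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
]

# Constructed inbox rules per user, in the shape of Graph messageRule objects.
SAMPLE_INBOX_RULES = {
    "alice@contoso.example": [
        {"displayName": ".", "conditions": {"subjectContains": ["invoice", "password"]},
         "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailbox.example"}}],
                     "delete": True, "markAsRead": True}},
    ],
    "bob@contoso.example": [
        {"displayName": "Team list", "conditions": {"senderContains": ["team-list"]},
         "actions": {"moveToFolder": "AAMkFOLDERID_CONSTRUCTED"}},
    ],
}


def flag_signins(signins, baseline, ip_org_lookup=IP_ORG_LOOKUP, watchlist=WATCHLIST_ORGS):
    """Return sign-ins from watch-listed hosting orgs or from countries outside
    the user's baseline. Blocked attempts are reported too (succeeded=False):
    a replay that Conditional Access stopped still means the session token
    was captured, so the identity needs credential hygiene review."""
    findings = []
    for s in signins:
        user = s["userPrincipalName"]
        org = ip_org_lookup.get(s["ipAddress"], "unknown")
        country = s.get("location", {}).get("countryOrRegion")
        reasons = []
        if org in watchlist:
            reasons.append(f"ip-org:{org}")
        if country and country not in baseline.get(user, set()):
            reasons.append(f"new-country:{country}")
        if reasons:
            findings.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                             "succeeded": s.get("status", {}).get("errorCode") == 0,
                             "reasons": reasons})
    return findings


def flag_inbox_rules(rules_by_user, internal_domains):
    """Return rules that forward/redirect mail outside the tenant, or that hide
    mail (delete / mark read) based on subject keywords, or that carry a
    near-empty name: common signs of post-compromise persistence."""
    findings = []
    for user, rules in rules_by_user.items():
        for rule in rules:
            actions = rule.get("actions", {})
            conds = rule.get("conditions", {})
            recipients = (actions.get("forwardTo", []) + actions.get("redirectTo", [])
                          + actions.get("forwardAsAttachmentTo", []))
            external = [r["emailAddress"]["address"] for r in recipients
                        if r["emailAddress"]["address"].rsplit("@", 1)[-1].lower() not in internal_domains]
            reasons = []
            if external:
                reasons.append("external-forward:" + ",".join(external))
            if (actions.get("delete") or actions.get("markAsRead")) and conds.get("subjectContains"):
                reasons.append("hide-by-subject:" + ",".join(conds["subjectContains"]))
            if len(rule.get("displayName", "").strip()) <= 1:
                reasons.append("near-empty-name")
            if reasons:
                findings.append({"user": user, "rule": rule.get("displayName", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_signins(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print("SIGN-IN", f)
    for f in flag_inbox_rules(SAMPLE_INBOX_RULES, {"contoso.example"}):
        print("INBOX-RULE", f)
```

Run against a real export, replace `IP_ORG_LOOKUP` with your enrichment source and `BASELINE_COUNTRIES` with a window you trust; the country check is deliberately kept separate from the hosting-org check so a blocked attempt from a hosting range still surfaces even when the geography looks ordinary.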
What Is Huntress Doing?
- Proactive detection deployed: Huntress has pushed a new detection rule to identify successful M365 logins originating from LSHIY LLC infrastructure, enabling ongoing monitoring across the fleet.
- Retroactive review completed: Huntress conducted a retroactive sweep of login telemetry to identify accounts that were compromised prior to detection rule deployment and is issuing incident reports to affected partners.
- Automated triage workflow active: A new investigation workflow has been deployed to enrich and analyze suspicious login signals, including checks for AiTM relay patterns, session token captures, rogue device registrations, and inbox rule manipulation.
- Ongoing investigation: Huntress continues to monitor for new activity from this infrastructure and is working to identify the full scope of the campaign.
Recommended Next Steps
- Review any incident reports from Huntress related to this campaign and follow the remediation guidance provided, including disabling affected accounts and revoking active sessions.
- Reset credentials and revoke all active sessions for any identity flagged as potentially compromised — do not rely on a password reset alone, as token-based attacks can persist beyond password changes.
- Enforce multi-factor authentication on all Microsoft 365 accounts if not already in place; ensure MFA cannot be bypassed through legacy authentication protocols.
- Implement or review Conditional Access Policies to restrict logins from unexpected geographies or high-risk IP ranges.
- Audit inbox rules and device enrollments for any accounts that had suspicious login activity to identify signs of post-compromise persistence.
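The containment steps above (disable, revoke sessions, reset credentials) map to a small, ordered set of Microsoft Graph calls. The following is an added example for this advisory, not Huntress remediation tooling: it builds the per-identity request sequence against the documented v1.0 `users` endpoints (`PATCH /users/{id}` for `accountEnabled` and `passwordProfile`, `POST /users/{id}/revokeSignInSessions`, and a read-back of `signInSessionsValidFromDateTime`) and executes it only when a bearer token is supplied. The user principal names are constructed; the permission requirement named in the `execute` docstring is an assumption you should confirm against your tenant's app registration.

```python
"""Containment plan for identities flagged as potentially compromised,
expressed as Microsoft Graph v1.0 calls. Added example, not Huntress tooling."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_plan(user_ids):
    """Ordered Graph requests per identity. Order matters: disable the account
    first so no new tokens are issued, then revoke sessions so refresh tokens
    already captured stop working, then force a password change (set the new
    password out of band). A password reset alone leaves previously issued
    tokens usable until they expire or are revoked."""
    plan = []
    for uid in user_ids:
        user_url = f"{GRAPH}/users/{urllib.parse.quote(uid, safe='@')}"
        plan += [
            {"user": uid, "step": "disable-account", "method": "PATCH", "url": user_url,
             "body": {"accountEnabled": False}},
            {"user": uid, "step": "revoke-sessions", "method": "POST",
             "url": f"{user_url}/revokeSignInSessions", "body": None},
            {"user": uid, "step": "force-password-change", "method": "PATCH", "url": user_url,
             "body": {"passwordProfile": {"forceChangePasswordNextSignIn": True}}},
            # Read back the timestamp Entra stamps on revocation so the incident
            # record shows that sessions were actually invalidated.
            {"user": uid, "step": "verify-revocation", "method": "GET",
             "url": f"{user_url}?$select=signInSessionsValidFromDateTime", "body": None},
        ]
    return plan


def execute(plan, access_token=None):
    """Run the plan. With no token this is a dry run that only returns what
    would be sent; with a token it issues the requests. Assumption: the token
    carries User.ReadWrite.All (or an equivalent admin context) so that the
    PATCH and revoke calls are authorised."""
    results = []
    for req in plan:
        if access_token is None:
            results.append({**req, "status": "planned"})
            continue
        data = json.dumps(req["body"]).encode() if req["body"] is not None else None
        http = urllib.request.Request(
            req["url"], data=data, method=req["method"],
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(http) as resp:  # raises HTTPError on 4xx/5xx
            payload = resp.read().decode() or "{}"
            results.append({**req, "status": resp.status, "response": json.loads(payload)})
    return results


if __name__ == "__main__":
    # Dry run over a constructed identity; pass a token as the second
    # argument to execute() to actually apply the plan.
    for r in execute(containment_plan(["alice@contoso.example"])):
        print(r["step"], r["method"], r["url"], r["status"])
```

Keep the dry-run output with the incident record, and treat a `verify-revocation` read-back that still shows an old `signInSessionsValidFromDateTime` as a failed containment that needs to be repeated before the account is re-enabled.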
How to Get Help
If you have received an incident report from Huntress related to this campaign, please follow the remediation steps outlined in that report. For additional guidance, Huntress Support is available to assist with questions about your specific environment and any steps you need to take.
If you have questions or believe you are affected, please reach out to Huntress Support — we are here to help.