25 February 2025

Chinese Botnet Launches Password Spraying Attacks On Microsoft 365

Researchers warn that the botnet relies on legacy authentication to sidestep multifactor authentication across a wide range of organizations.

A botnet of more than 130,000 compromised devices is conducting large-scale password spraying attacks against Microsoft 365 accounts, according to researchers at SecurityScorecard. The campaign relies on older authentication methods, most notably Basic Authentication, which Microsoft 365 still accepts for some protocols.

The attackers are reportedly affiliated with China. Rather than exploiting a software vulnerability in Microsoft 365, they abuse a weakness in how legacy authentication works: Basic Authentication presents only a username and password and cannot complete a multifactor authentication (MFA) challenge, so a correct password alone is enough to sign in and the MFA that many organizations rely on to protect sensitive information never comes into play.

What makes these attacks particularly hard to spot is where they land in the logs. Non-interactive sign-ins are performed by a client or service on behalf of a user without the user entering credentials at that moment, typically because credentials or tokens were stored earlier. According to the SecurityScorecard report, the botnet's attempts fall into this category, and that is the crux of the attackers' methodology.

Microsoft has been gradually retiring Basic Authentication across its services, but it remains available for some protocols, most notably SMTP AUTH for sending email, until September 2025. SecurityScorecard noted, "These attacks are recorded in Non-Interactive Sign-In logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected." This oversight has created what the researchers describe as "a significant blind spot for security teams."

The botnet is methodically attempting to log in to Microsoft 365 accounts worldwide using credentials harvested by infostealer malware. The campaign aims to reach sensitive data, email, and collaboration tools across industries including finance, healthcare, and government. Outdated authentication not only opens the door to unauthorized access to user accounts; a compromised mailbox can also serve as a foothold for lateral movement inside the organization, internal phishing, and other follow-on activity.

"New attack tactics deploy non-interactive sign-ins... this new botnet leverages organizations' gaps in their authentication monitoring," explained Boris Cipot, Senior Security Engineer at Black Duck. The shift from conventional password spraying against interactive logins to attempts that surface only in non-interactive logs is a real problem: organizations that monitor interactive sign-ins alone remain blind to these attacks.

SecurityScorecard emphasized the importance of revising access policies to mitigate these threats. Organizations are advised to implement Conditional Access policies that also govern non-interactive sign-ins, review the Non-Interactive Sign-In logs regularly for unauthorized attempts, and disable legacy authentication protocols such as Basic Authentication outright. The last step removes the attack path entirely: a client that cannot use Basic Authentication must use modern authentication, where MFA and Conditional Access apply.
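To make the monitoring advice concrete, the following is an added example of detection logic over non-interactive sign-in records; it is not code from SecurityScorecard, Black Duck, or Microsoft. The records are constructed here and only mimic the shape of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `isInteractive`, `clientAppUsed`, `status.errorCode`, `createdDateTime`); the spray thresholds, the set of client-app strings treated as legacy, and the example domain are assumptions for illustration.

```python
"""Password-spray detection over Entra ID non-interactive sign-in records.

Added example: the records below are CONSTRUCTED to look like Microsoft Graph
`signIn` objects; thresholds and the legacy client-app list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: wrong username or password
SUCCESS = 0               # errorCode 0 means the sign-in succeeded

# clientAppUsed values treated here as legacy (Basic) authentication. These
# protocols cannot complete an MFA challenge, so a valid password is enough.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients"}


def _rec(upn, ip, app, code, ts, interactive=False):
    """Build one constructed sign-in record in Graph `signIn` shape."""
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": app,
            "isInteractive": interactive, "status": {"errorCode": code},
            "createdDateTime": ts}


# Constructed sample log (documentation IP ranges, example.com accounts).
SAMPLE_SIGNINS = [
    # Spray from one IP: a single guess per account over SMTP AUTH, 2 min apart
    *[_rec(f"user{i}@example.com", "203.0.113.7", "Authenticated SMTP",
           INVALID_PASSWORD, f"2025-02-24T03:{10 + 2 * i:02d}:00Z")
      for i in range(6)],
    # ...followed by a hit on a seventh account: the alert that matters most
    _rec("user6@example.com", "203.0.113.7", "Authenticated SMTP", SUCCESS,
         "2025-02-24T03:24:00Z"),
    # One user mistyping a password in a browser: interactive, not a spray
    *[_rec("alice@example.com", "198.51.100.3", "Browser", INVALID_PASSWORD,
           f"2025-02-24T09:0{i}:00Z", interactive=True) for i in range(4)],
    # Two stale IMAP clients behind an office IP: legacy, but below threshold
    _rec("bob@example.com", "192.0.2.44", "IMAP4", INVALID_PASSWORD,
         "2025-02-24T10:00:00Z"),
    _rec("carol@example.com", "192.0.2.44", "IMAP4", INVALID_PASSWORD,
         "2025-02-24T10:05:00Z"),
]


def _parse_time(ts):
    """Graph timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_spray(signins, min_users=5, window=timedelta(minutes=30)):
    """Return {ip: finding} for source IPs that hit at least `min_users`
    distinct accounts with wrong passwords over legacy, non-interactive
    authentication inside any `window`. Each finding also lists accounts
    that later signed in successfully from the same IP (spray, then hit)."""
    by_ip = defaultdict(list)
    for s in signins:
        if s["isInteractive"]:
            continue  # this campaign lives in the NON-interactive log
        if s["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue
        by_ip[s["ipAddress"]].append(s)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: _parse_time(e["createdDateTime"]))
        failures = [e for e in events
                    if e["status"]["errorCode"] == INVALID_PASSWORD]
        # Sliding window over failures, tracking the largest set of distinct
        # target accounts seen within `window`; many users with few attempts
        # each is the spray signature, as opposed to brute force on one user.
        best_users, start = set(), 0
        for end in range(len(failures)):
            while (_parse_time(failures[end]["createdDateTime"])
                   - _parse_time(failures[start]["createdDateTime"])) > window:
                start += 1
            users = {e["userPrincipalName"] for e in failures[start:end + 1]}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) >= min_users:
            findings[ip] = {
                "targeted_accounts": sorted(best_users),
                "successful_logins": sorted({
                    e["userPrincipalName"] for e in events
                    if e["status"]["errorCode"] == SUCCESS}),
                "client_apps": sorted({e["clientAppUsed"] for e in events}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

Run against the constructed sample, only 203.0.113.7 is flagged: six distinct accounts failed over SMTP AUTH within a few minutes and one then succeeded, which is the account to reset first. The browser failures are skipped because they are interactive, and the office IP stays below the five-account threshold. In practice the records would come from the Graph sign-in log export or a SIEM, and the success-after-spray case should page someone rather than sit in a daily report.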

Yet, the widespread nature of this attack necessitates vigilance across multiple sectors. "The attacker’s use of non-interactive sign-in logs to evade MFA and potentially also Conditional Access Policies ... emphasizes the importance for organizations to update their authentication strategies," noted SecurityScorecard. Organizations are urged to monitor for leaked credentials on underground forums and take immediate action to reset compromised accounts to counter this pervasive threat.

Experts see the campaign as a troubling evolution of cyber threats, with attackers continuing to refine their techniques to get around existing security measures. Because the botnet exploits weaknesses that are well known and easy to close, the campaign highlights the urgent need for organizations to re-evaluate their security posture, both by moving to modern authentication and by actively monitoring all sign-in activity, interactive and non-interactive alike, for unauthorized access.

With daily operations increasingly dependent on cloud services like Microsoft 365, the case for bolstering authentication security has never been stronger. Businesses must remain vigilant to avoid falling victim to such threats, particularly as attackers persistently look for gaps in their defenses.