Massive Botnet Targets Microsoft 365 Accounts with Stealthy Password Attacks

A massive botnet comprising over 130,000 compromised devices is launching sophisticated password-spraying attacks against Microsoft 365 (M365) accounts worldwide, leveraging a unique strategy that bypasses traditional security defenses.

Security researchers at SecurityScorecard have uncovered a campaign that specifically targets Non-Interactive Sign-Ins, a technique used for service-to-service authentication that often escapes traditional security monitoring. By exploiting Basic Authentication protocols, the attackers can verify account credentials without triggering multi-factor authentication (MFA) or generating security alerts.

Failed login attempts by the botnet (Source: SecurityScorecard)

Ports used by the C2 for botnet control (Source: SecurityScorecard)

The botnet's infrastructure suggests potential connections to China-affiliated threat actors, with command-and-control servers hosted on providers like SharkTech and utilizing network infrastructure from CDS Global Cloud and UCLOUD HK. These strategic choices enable the attackers to operate with a high degree of stealth and sophistication.

Unlike conventional password-spraying attacks that typically result in account lockouts, this campaign leverages Non-Interactive Sign-Ins to quietly test stolen credentials across numerous Microsoft 365 environments. The attackers use credentials obtained through infostealer malware, spreading login attempts across multiple compromised devices to avoid detection.

Sectors most at risk include financial services, healthcare, government agencies, technology providers, and educational institutions. The potential implications range from data theft and intellectual property compromise to potential espionage and supply chain attacks.

SecurityScorecard recommends organizations take immediate action to mitigate these risks. Key steps include reviewing non-interactive sign-in logs, rotating potentially compromised credentials, disabling legacy authentication protocols, and implementing robust conditional access policies.

With Microsoft set to fully deprecate Basic Authentication by September 2025, these attacks underscore the critical importance of transitioning to more secure authentication methods. Organizations must proactively adapt their security strategies to counter evolving threat landscapes and protect their digital ecosystems.

The emergence of this botnet highlights the ongoing challenge of securing cloud-based authentication systems and the need for continuous vigilance against sophisticated cyber threats that exploit subtle vulnerabilities in authentication mechanisms.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: