Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to know
Threat actors are exploiting legacy authentication, a path that never prompts for MFA and can slip past conditional access policies


A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts, according to a new report.
Researchers at SecurityScorecard warned that an unnamed threat actor has been compromising Microsoft 365 accounts through non-interactive sign-ins that use basic authentication.
A non-interactive sign-in is a login performed by a client application or service on the user's behalf, with no action from the user, so it frequently does not trigger an MFA prompt.
Basic authentication is a legacy method in which the client sends the username and password directly with each request; it has no way to carry a second factor, which is why it cannot enforce MFA.
The report said the campaign was first uncovered after a number of failed sign-in attempts were noted in the non-interactive sign-in logs of a Microsoft 365 tenant its STRIKE team had been given access to.
The STRIKE team identified a number of recurring IP addresses that were in communication with the IPs involved in the failed login attempts, six of them servers hosted by SharkTech, a US-based provider previously flagged for hosting malicious activity.
The SharkTech servers are believed to be the command and control (C2) servers used in the campaign, with other parts of the attack infrastructure, namely proxy servers, linked to two other hosting providers with links to China.
A four-hour snapshot revealed the C2 servers were talking to over 130,000 compromised devices, all being used to conduct a mass password spraying campaign with credentials harvested from infostealer logs.
Rather than hammering a single account, the botnet systematically tried these credentials across many Microsoft 365 accounts, keeping the number of attempts per account low enough to avoid lockouts while maximizing the likelihood of a hit.
Many firms are blind to password spraying threats
The report noted that non-interactive sign-ins via basic authentication allow the attackers to avoid MFA enforcement and potentially bypass conditional access policies (CAP) as well.
It added that because these attempts appear only in the non-interactive sign-in logs, which many security teams do not monitor or alert on, the attackers keep their activity largely out of sight.
SecurityScorecard warned this technique has created a "critical blind spot for security teams" in which attackers can conduct high-volume password spraying attempts undetected.
The tactic has been observed across multiple Microsoft 365 tenants, the report added, which it said indicates a "widespread and ongoing threat", noting that organizations that rely solely on interactive sign-in monitoring will be blind to these attacks.
Microsoft has been retiring basic authentication in stages, with the remaining paths, such as SMTP AUTH, due to go in September 2025, but until then the researchers warn this campaign presents an immediate threat to anyone still using it.
The report concluded that the attackers' use of non-interactive sign-ins to evade MFA, and potentially CAP, underscores the need for organizations to update their authentication strategies.
Security teams should review their non-interactive sign-in logs for unauthorized access attempts, rotate the credentials of any accounts flagged in recent sign-in attempts, and disable legacy authentication protocols such as basic authentication.
Businesses should also monitor for stolen credentials linked to their organization in infostealer logs and implement CAPs that block legacy authentication clients, which are what these non-interactive attempts rely on.
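The review-and-rotate steps above, as an added example that is not part of SecurityScorecard's report and not Microsoft tooling: a Python triage script over non-interactive sign-in records in the shape of the Microsoft Graph `signIn` resource (as exported, for instance, from the `auditLogs/signIns` endpoint). The field names, the list of legacy `clientAppUsed` values, the thresholds and every sample record are assumptions of this example; the records are constructed, not real tenant data. It goes slightly beyond the article by grouping on any key, so the same detector can run per source IP or tenant-wide.

```python
"""Password-spray triage over exported Microsoft Entra non-interactive sign-in logs.

Added example for this article; not SecurityScorecard's tooling and not Microsoft
code. Record fields follow the Graph API `signIn` resource (createdDateTime,
userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode);
adjust the accessors if your export uses other names. All sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values Entra reports for legacy protocols that cannot carry MFA (assumed list).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}
BAD_PASSWORD = 50126  # Entra sign-in error code: invalid username or password
SUCCESS = 0


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _legacy_noninteractive(r):
    # Records without isInteractive are assumed to come from the non-interactive log export.
    return not r.get("isInteractive", False) and r.get("clientAppUsed") in LEGACY_CLIENT_APPS


def find_spray(records, key, min_accounts=5, window=timedelta(hours=1)):
    """Group failed legacy, non-interactive sign-ins by key(record) and return
    {group: sorted accounts} for every group that hit at least `min_accounts`
    distinct accounts inside any sliding `window`. A spray tries few passwords
    against many accounts, so the signal is distinct accounts, not raw failures:
    one stale mail client retrying a wrong password never trips it."""
    groups = defaultdict(list)
    for r in records:
        if _legacy_noninteractive(r) and r["status"]["errorCode"] == BAD_PASSWORD:
            groups[key(r)].append((_ts(r["createdDateTime"]), r["userPrincipalName"].lower()))
    flagged = {}
    for group, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                flagged[group] = sorted({u for _, u in events})
                break
    return flagged


def compromised_accounts(records, spray_sources):
    """Accounts with a successful legacy non-interactive sign-in from a flagged
    source IP: rotate their passwords and revoke their sessions first."""
    return sorted({
        r["userPrincipalName"].lower() for r in records
        if r["ipAddress"] in spray_sources and _legacy_noninteractive(r)
        and r["status"]["errorCode"] == SUCCESS
    })


def rec(ts, upn, ip, app, code, interactive=False):
    """Constructed sample record in the Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


U = [f"user{i:02d}@example.com" for i in range(1, 12)]  # user01 .. user11 (constructed)
SAMPLE_RECORDS = (
    # one bot trying six accounts, one attempt each, then landing a valid stolen credential
    [rec(f"2025-02-24T08:0{i}:00Z", U[i], "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD) for i in range(6)]
    + [rec("2025-02-24T08:07:00Z", U[3], "203.0.113.10", "IMAP4", SUCCESS)]
    # the same spray spread over three bots, at most two accounts per source IP
    + [rec("2025-02-24T09:00:00Z", U[6], "198.51.100.21", "Authenticated SMTP", BAD_PASSWORD),
       rec("2025-02-24T09:01:00Z", U[7], "198.51.100.21", "Authenticated SMTP", BAD_PASSWORD),
       rec("2025-02-24T09:02:00Z", U[8], "198.51.100.22", "Authenticated SMTP", BAD_PASSWORD),
       rec("2025-02-24T09:03:00Z", U[9], "198.51.100.22", "Authenticated SMTP", BAD_PASSWORD),
       rec("2025-02-24T09:04:00Z", U[10], "198.51.100.23", "Authenticated SMTP", BAD_PASSWORD)]
    # noise: a user mistyping in the browser, and a phone retrying a stale saved password
    + [rec("2025-02-24T10:00:00Z", U[0], "192.0.2.7", "Browser", BAD_PASSWORD, interactive=True),
       rec("2025-02-24T10:30:00Z", U[1], "192.0.2.50", "Exchange ActiveSync", BAD_PASSWORD),
       rec("2025-02-24T10:31:00Z", U[1], "192.0.2.50", "Exchange ActiveSync", BAD_PASSWORD),
       rec("2025-02-24T10:35:00Z", U[1], "192.0.2.50", "Exchange ActiveSync", SUCCESS)]
)

if __name__ == "__main__":
    per_ip = find_spray(SAMPLE_RECORDS, key=lambda r: r["ipAddress"])
    print("spraying IPs:", per_ip)
    print("tenant-wide:", find_spray(SAMPLE_RECORDS, key=lambda r: "tenant"))
    print("rotate first:", compromised_accounts(SAMPLE_RECORDS, set(per_ip)))
```

On the constructed data the per-IP grouping flags only 203.0.113.10; the wave spread across 198.51.100.21 to .23 stays under the threshold because each bot touches only one or two accounts, which is exactly what a 130,000-device botnet buys the attacker. Running the same detector with a tenant-wide key catches that wave, at the cost of noisier output, so use both and tune `min_accounts` and `window` to the tenant's normal failure rate. The accounts returned by `compromised_accounts` are the ones to rotate and sign out first. Detection is the fallback, not the fix: a Conditional Access policy that blocks the legacy client app types (Exchange ActiveSync clients and Other clients) makes these requests fail before a password is ever checked.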

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.