SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Hackers exploit botnet to attack Microsoft 365 accounts


A newly identified botnet comprising over 130,000 compromised devices is systematically targeting Microsoft 365 accounts using password spraying attacks, according to findings from cybersecurity firm SecurityScorecard.

The attacks exploit Non-Interactive Sign-Ins, a lesser-known authentication method that can bypass Multi-Factor Authentication in many systems. SecurityScorecard's STRIKE Threat Intelligence team has observed and analysed this activity across various organisations globally.

Researchers from SecurityScorecard are looking into potential links to China-affiliated threat actors, with evidence indicating the usage of infrastructure associated with CDS Global Cloud and UCLOUD HK, both of which have operational connections to China.

The attack uses command-and-control servers hosted by SharkTech, a U.S.-based provider previously noted for hosting malicious activities. This campaign distinguishes itself through its extensive scale, stealth, and exploitation of a major security loophole, unlike previous attacks associated with groups like Volt Typhoon and APT33.

Password spraying is a known technique where attackers test stolen credentials at a large scale while avoiding detection. In typical scenarios, these attacks result in account lockouts, alerting security teams. However, the current campaign focuses on Non-Interactive Sign-Ins used for service-to-service authentication, which do not always generate security alerts. This allows attackers to proceed without triggering defences like MFA or Conditional Access Policies.

Industries heavily reliant on Microsoft 365 for their operations, such as Financial Services and Insurance, Healthcare, Government and Defence, Technology and SaaS Providers, and Education and Research Institutions, are identified as particularly at risk.

The infrastructure and methods used in these attacks suggest ties to an advanced threat actor, with involvement of Chinese-affiliated hosting services. These findings emphasise the potential for even companies with robust security measures to be vulnerable, due to how these authentication attempts are recorded.

SecurityScorecard urges security teams to review Non-Interactive Sign-In logs for unauthorised access, rotate flagged account credentials, disable legacy authentication protocols like Basic Authentication, and monitor for stolen credentials linked to their organisation. Implementing Conditional Access Policies to restrict non-interactive login attempts is also advised.
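The log review recommended above can be scripted. The following is an added example, not SecurityScorecard's or Microsoft's own tooling: it scans constructed Entra ID sign-in records (field names follow the Microsoft Graph signIn schema; the values, the `min_accounts` threshold and the hypothetical `detect_spray` function are assumptions) and flags source IPs that fail non-interactive sign-ins against many distinct accounts, listing any account the same IP then signed into successfully.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (fields follow the Microsoft
# Graph signIn schema; all values are invented). isInteractive=false marks the
# non-interactive sign-ins the article says are easy to overlook.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-24T01:00:03Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T01:00:09Z","userPrincipalName":"b.ng@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T01:00:15Z","userPrincipalName":"c.ott@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T01:00:21Z","userPrincipalName":"d.roy@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}}
{"createdDateTime":"2025-02-24T01:02:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.4","isInteractive":true,"clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2025-02-24T01:03:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.4","isInteractive":true,"clientAppUsed":"Browser","status":{"errorCode":50126}}
"""

INVALID_CREDENTIALS = 50126  # Entra ID error code: invalid username or password


def detect_spray(log_text, min_accounts=3):
    """Return {ip: summary} for source IPs whose non-interactive sign-ins fail
    against at least `min_accounts` distinct accounts (spray pattern: many
    accounts, few attempts each). The summary also records accounts the same
    IP signed into successfully, i.e. the credentials to rotate first."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    apps = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("isInteractive", True):
            continue  # interactive sign-ins are covered by MFA / Conditional Access prompts
        ip = rec["ipAddress"]
        user = rec["userPrincipalName"]
        apps[ip].add(rec.get("clientAppUsed", "unknown"))  # legacy protocols stand out here
        if rec["status"]["errorCode"] == INVALID_CREDENTIALS:
            failed[ip].add(user)
        elif rec["status"]["errorCode"] == 0:
            succeeded[ip].add(user)
    return {
        ip: {"failed_accounts": sorted(users),
             "compromised": sorted(succeeded[ip]),
             "client_apps": sorted(apps[ip])}
        for ip, users in failed.items() if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG).items():
        print(ip, json.dumps(hit))
```

On real data, export the non-interactive sign-in log from Entra ID as JSON lines and raise `min_accounts` to suit the tenant's size; a `client_apps` entry such as "Authenticated SMTP" is a direct pointer to the Basic Authentication protocols the article says to disable.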

Microsoft aims to phase out Basic Authentication by September 2025, and these incidents highlight the necessity for companies to transition to more secure authentication methods.

David Mound, Threat Intelligence Researcher at SecurityScorecard, stated, "These findings from our STRIKE Threat Intelligence team reinforce how adversaries continue to find and exploit gaps in authentication processes. Organisations cannot afford to assume that MFA alone is a sufficient defense. Understanding the nuances of non-interactive logins is crucial to closing these gaps."

The STRIKE threat intelligence team at SecurityScorecard is known for combining unique threat intelligence, incident response experience, and supply chain cyber risk expertise, underscoring their role as strategic advisors to CISOs worldwide.
