The attackers use over 130,000 compromised devices to spread login attempts across different IP addresses.
Microsoft 365 accounts are being targeted by password spraying attacks run through a botnet of more than 130,000 compromised devices, using a sign-in path that bypasses multi-factor authentication.
According to a report by SecurityScorecard, the attackers are using credentials stolen by infostealer malware to target accounts at scale. The attacks rely on non-interactive sign-ins over Basic Authentication, a path that in many tenant configurations is not subject to MFA, allowing the attackers to gain unauthorised access without triggering the alerts that failed interactive sign-ins would normally raise.
Command and Control
According to Bleeping Computer, the botnet is operated through six primary command and control (C2) servers hosted by US provider Shark Tech, with traffic proxied through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud.
The botnet's more than 130,000 compromised devices spread login attempts across a large pool of source IP addresses, so no single address accumulates enough failed attempts to be flagged as suspicious and blocked.
SecurityScorecard said that organisations relying solely on interactive sign-in monitoring are blind to these attacks. “Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations,” it warned.
“Basic Authentication, still enabled in some environments, allows credentials to be transmitted in plain form, making it a prime target for attackers.”
Evolutionary Step Forward
Commenting, Boris Cipot, senior security engineer at Black Duck, said that the new botnet's tactics are a significant evolutionary step forward compared with previously used password spraying tactics, where the passwords were usually collected from credential dumps.
“To avoid brute-force protections, attackers limit the password testing on user accounts to prevent lockout policies,” he said. “In the past, this meant attacks lasted for an extended period of time using automation tools.”
He also said that to avoid monitoring systems, attacks are committed during working hours. “However, new attack tactics deploy non-interactive sign-ins that are less prone to typical security alerts like failed login. Non-interactive sign-ins include logins over API or automated services, for example. Therefore, this new botnet leverages organisations' gaps in their authentication monitoring.”
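The two points above, that non-interactive, Basic Authentication sign-ins are invisible to teams that only watch interactive sign-in failures, and that the spray stays under lockout thresholds by spreading a few attempts per account across many source IPs, can be turned into a concrete check. The following is an added example written for this page, not code from SecurityScorecard's report or from Microsoft: it aggregates non-interactive sign-in events by client application and flags the spray signature (many distinct accounts, few attempts each, many source IPs, legacy protocol, no MFA required), then reports any success from a spraying IP as a probable compromise. The field names follow the Entra ID sign-in log schema (userPrincipalName, ipAddress, clientAppUsed, isInteractive, authenticationRequirement, status.errorCode); the events, accounts, addresses and thresholds are constructed for the example.

```python
"""Spray detector for non-interactive Entra ID sign-in events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values Entra ID emits for protocols that carry Basic Auth credentials
# and, in many tenants, never prompt for MFA.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP",
}
BAD_PASSWORD = 50126   # status.errorCode: invalid username or password
SUCCESS = 0            # status.errorCode: sign-in succeeded


def _bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size time window."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + int((ts - epoch) / window) * window


def detect_spray(events, window=timedelta(hours=1), min_users=5,
                 max_per_user=3, min_ips=3):
    """Return one finding per (time window, client app) whose NON-interactive failures
    look like a low-and-slow spray: >= min_users distinct accounts, at most
    max_per_user bad-password attempts each (below typical lockout thresholds),
    from >= min_ips distinct source addresses (the botnet spreading the load)."""
    groups = defaultdict(list)
    for e in events:
        if e["isInteractive"]:
            continue  # the blind spot: interactive-only monitoring never sees the rest
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        groups[(_bucket(ts, window), e["clientAppUsed"])].append(e)

    findings = []
    for (start, app), evs in sorted(groups.items()):
        failures = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        per_user = defaultdict(int)
        for e in failures:
            per_user[e["userPrincipalName"].lower()] += 1
        ips = {e["ipAddress"] for e in failures}
        if not (per_user and len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user and len(ips) >= min_ips):
            continue
        # A success from one of the spraying addresses in the same window means a
        # guessed password worked; that account should be treated as compromised.
        hits = sorted({e["userPrincipalName"].lower() for e in evs
                       if e["status"]["errorCode"] == SUCCESS and e["ipAddress"] in ips})
        findings.append({
            "window_start": start.isoformat(),
            "client_app": app,
            "legacy_protocol": app in LEGACY_CLIENT_APPS,
            "mfa_enforced": any(e["authenticationRequirement"] != "singleFactorAuthentication"
                                for e in failures),
            "distinct_users": len(per_user),
            "distinct_ips": len(ips),
            "failed_attempts": len(failures),
            "max_attempts_per_user": max(per_user.values()),
            "probable_compromise": hits,
        })
    return findings


def _ev(ts, user, ip, app, code, interactive=False, auth="singleFactorAuthentication"):
    """Build one constructed sign-in record in the Entra ID log shape."""
    return {"createdDateTime": ts, "userPrincipalName": user + "@example.com",
            "ipAddress": ip, "clientAppUsed": app, "isInteractive": interactive,
            "authenticationRequirement": auth, "status": {"errorCode": code}}


# Constructed sample: eight accounts, one or two IMAP4 attempts each, six source IPs
# (documentation ranges), all inside one hour, plus a success from a spraying IP.
# The interactive browser failures are the only thing an interactive-only view would see.
SAMPLE_EVENTS = [
    _ev("2025-02-24T10:03:00Z", "alice", "203.0.113.10", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:05:00Z", "mallory", "198.51.100.9", "Browser", BAD_PASSWORD, interactive=True),
    _ev("2025-02-24T10:06:00Z", "mallory", "198.51.100.9", "Browser", BAD_PASSWORD, interactive=True),
    _ev("2025-02-24T10:09:00Z", "bob", "203.0.113.20", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:14:00Z", "carol", "198.51.100.5", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:19:00Z", "dave", "198.51.100.6", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:24:00Z", "alice", "192.0.2.77", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:28:00Z", "erin", "192.0.2.78", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:33:00Z", "frank", "203.0.113.10", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:37:00Z", "grace", "198.51.100.5", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:40:00Z", "hsmith", "192.0.2.78", "IMAP4", BAD_PASSWORD),
    _ev("2025-02-24T10:52:00Z", "hsmith", "203.0.113.20", "IMAP4", SUCCESS),
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f)
```

Running the block against the constructed sample yields a single IMAP4 finding for the 10:00 window: eight accounts, nine failures, no account tried more than twice, six source addresses, no MFA required, and hsmith@example.com listed as a probable compromise. Feeding it only the interactive browser events yields nothing, which is the blind spot SecurityScorecard describes. On real data the same logic applies to the AADNonInteractiveUserSignInLogs export, with thresholds tuned to the tenant's lockout policy.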
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.