SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Massive botnet targets Microsoft 365 with stealth attacks

Yesterday

A newly discovered botnet comprising over 130,000 compromised devices is systematically targeting Microsoft 365 accounts using password spraying attacks, according to a report by SecurityScorecard's STRIKE Threat Intelligence team.

The report highlights potential links to China-affiliated threat actors, with evidence indicating the use of infrastructure associated with CDS Global Cloud and UCLOUD HK, two providers with ties to China. The botnet's command-and-control servers are hosted at SharkTech, a U.S.-based provider previously identified as hosting malicious activity.

Password spraying is a common attack method, but this campaign stands out for its scale, its stealth, and its focus on a security blind spot. Unlike earlier campaigns attributed to known groups such as Volt Typhoon and APT33, this botnet targets Non-Interactive Sign-Ins, which lets it evade conventional monitoring.

Ordinarily, password spraying triggers account lockouts and failed-login alerts that notify security teams. This campaign instead targets Non-Interactive Sign-Ins, which are used for service-to-service authentication and frequently generate no alerts. Because many tenants do not apply the same Multi-Factor Authentication and Conditional Access Policy enforcement to these sign-ins as to interactive logins, the attackers can sidestep those controls even in otherwise well-secured environments.

The scope of this attack encompasses various sectors, with organisations relying heavily on Microsoft 365 for essential services being particularly at risk. Financial services, healthcare, government and defence, technology firms, and educational institutions are amongst the primary sectors facing potential threats.

The infrastructure and tradecraft involved point to a capable actor and possible nation-state involvement; the use of Chinese-affiliated hosting providers fits a broader pattern of state-scale cyber operations.

The campaign also demonstrates that even organisations with mature security programmes remain exposed, because non-interactive authentication attempts are often not logged or alerted on in the same way as interactive logins.

Security teams are advised to review Non-Interactive Sign-In logs for unauthorised access attempts, rotate credentials for any accounts that appear in those attempts, disable legacy authentication protocols (which cannot enforce MFA), and check infostealer logs for leaked credentials linked to the organisation. Implementing Conditional Access Policies that restrict non-interactive sign-ins is strongly recommended.
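To make the first recommendation concrete, here is an added example (not from the SecurityScorecard report or the article) of a small detector that groups sign-in records by source IP and flags the low-and-slow password-spraying pattern: many distinct accounts, few attempts each, from one source, with any successful sign-ins from that source listed for credential rotation. The records are constructed to mirror the shape of an Entra ID sign-in log export (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`, with error code 50126 meaning invalid credentials and 0 meaning success); the IP addresses, user names and thresholds are made up for illustration.

```python
"""Password-spray detection over sample Entra ID sign-in records.

Added example, not code from the report. Field names follow the Microsoft
Graph signIn resource; all values below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one source IP tries five accounts once each over legacy
# protocols (one attempt succeeds); a second IP is a single user mistyping a
# password in an interactive session, which should not be flagged.
SAMPLE_LOG = """
{"userPrincipalName":"a.ali@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":50126}}
{"userPrincipalName":"b.bose@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":50126}}
{"userPrincipalName":"c.chen@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"userPrincipalName":"d.das@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"userPrincipalName":"e.ek@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","isInteractive":false,"status":{"errorCode":0}}
{"userPrincipalName":"f.fox@example.com","ipAddress":"198.51.100.9","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":50126}}
{"userPrincipalName":"f.fox@example.com","ipAddress":"198.51.100.9","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":50126}}
{"userPrincipalName":"f.fox@example.com","ipAddress":"198.51.100.9","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":0}}
"""

# clientAppUsed values that indicate legacy (Basic) authentication, which
# cannot enforce MFA and is the usual vehicle for non-interactive spraying.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}
SUCCESS = 0  # status.errorCode for a successful sign-in


def parse_log(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_spray_sources(records, min_accounts=5, max_avg_attempts=2.0):
    """Return {ip: finding} for sources whose pattern looks like a spray.

    A spray source touches at least `min_accounts` distinct accounts with
    on average no more than `max_avg_attempts` tries per account, which is
    what keeps it under per-account lockout thresholds.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "non_interactive": 0,
                                  "accounts": set(), "succeeded": set(),
                                  "legacy_apps": set()})
    for rec in records:
        s = per_ip[rec["ipAddress"]]
        upn = rec["userPrincipalName"]
        s["attempts"] += 1
        s["accounts"].add(upn)
        if not rec.get("isInteractive", True):
            s["non_interactive"] += 1
        if rec["status"]["errorCode"] == SUCCESS:
            s["succeeded"].add(upn)
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            s["legacy_apps"].add(rec["clientAppUsed"])

    findings = {}
    for ip, s in per_ip.items():
        avg = s["attempts"] / len(s["accounts"])
        if len(s["accounts"]) >= min_accounts and avg <= max_avg_attempts:
            findings[ip] = {
                "accounts_targeted": len(s["accounts"]),
                "attempts": s["attempts"],
                "non_interactive_attempts": s["non_interactive"],
                "legacy_apps": sorted(s["legacy_apps"]),
                # Accounts that authenticated from the spray source: rotate.
                "rotate_credentials": sorted(s["succeeded"]),
            }
    return findings


if __name__ == "__main__":
    print(json.dumps(find_spray_sources(parse_log(SAMPLE_LOG)), indent=2))
```

Run against a real export, the same grouping applies to non-interactive sign-in logs pulled from Entra ID; tune `min_accounts` and the time window to the tenant's size, and treat every account in `rotate_credentials` as compromised until its password has been changed and its sessions revoked.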

Microsoft plans to fully retire Basic Authentication by September 2025, which adds urgency to migrating to modern authentication methods before legacy protocols are exploited further.

David Mound, Threat Intelligence Researcher at SecurityScorecard, commented on the findings, stating, "These findings from our STRIKE Threat Intelligence team reinforce how adversaries continue to find and exploit gaps in authentication processes. Organisations cannot afford to assume that MFA alone is a sufficient defence. Understanding the nuances of non-interactive logins is crucial to closing these gaps."
