
Botnet Targets Microsoft 365 Accounts with Password Spraying Attacks
A botnet comprising over 130,000 compromised devices is launching large-scale password spraying attacks on Microsoft 365 accounts. By leveraging non-interactive sign-ins with Basic Authentication, the attackers bypass modern login protections and evade MFA enforcement, exploiting a critical security gap. By systematically targeting accounts with stolen credentials, they put sensitive data at risk and open the door to lateral movement within networks. Organizations must urgently assess their systems for signs of compromise.
Technical Description
According to a security research team, attackers have leveraged info stealers to compile a database of stolen credentials. They are systematically targeting accounts worldwide with common or previously breached passwords. By utilizing a botnet of over 130,000 compromised devices, login attempts are distributed across numerous IP addresses, making detection more difficult. Notably, the attackers bypass multi-factor authentication by exploiting Basic Authentication—an outdated authentication method—allowing them to evade security alerts and infiltrate organizations undetected.
Exploitation of Non-Interactive Sign-Ins and Basic Authentication
Non-interactive logins in M365 are frequently used for service-to-service authentication, legacy protocols (e.g., POP, IMAP), and automated workflows. In many configurations these sign-ins are not subject to MFA enforcement, creating a security gap that adversaries can exploit to circumvent MFA policies and Conditional Access controls. Although Basic Authentication is being phased out, it remains active in some environments, allowing credentials to be transmitted in an unencrypted format. This makes it a high-value target for threat actors looking to gain unauthorized access with minimal resistance.
Botnet and Operations
The botnet is composed of devices infected with info stealer malware, dispersed across multiple geographic regions and linked to six Command-and-Control (C2) servers. It systematically executes password spraying attacks on M365 accounts using a database of stolen credentials. The operation relies on automated tooling, often distinguished by the ‘fasthttp’ user agent string, and communicates with C2 servers over various ports, including 12341, 12342 and 12348. The attackers have tuned their login attempts to minimize account lockouts while maximizing the likelihood of successful breaches.
Proxy Tactics and Evasion Methods
The attackers are leveraging proxy infrastructure in China, including UCLOUD HK and CDS Global Cloud, to obscure the true origin of their attacks and sustain communication with compromised botnet devices. By utilizing multiple proxy services and C2 servers, they mask malicious traffic to appear as legitimate activity, making detection and mitigation more challenging for defenders. This extensive use of proxies also complicates attribution, further hindering efforts to trace the threat actors behind the campaign.
Command and Control Network
The Command-and-Control (C2) servers are spread across multiple locations, including some in the United States with weak security controls. These servers communicate with infected botnet devices using uncommon ports like 12341 and 12342, making detection harder. One of the main tools used by the attackers is Apache ZooKeeper, which helps coordinate the large network of compromised devices. This suggests that the attackers are well-organized and using advanced methods typically seen in large-scale cyber threats.
Indicators of Compromise and Detection Blind Spots
Organizations might spot this attack pattern in Non-Interactive Sign-In logs, where multiple failed login attempts from different IP addresses for the same account are recorded. The user-agent string ‘fasthttp’ is linked to these password spraying attempts, signaling the use of automated tools. The bypassing of MFA and Conditional Access Policies creates a major security gap, making it much harder for security teams to detect this attack with standard login monitoring methods.
Conclusion
This botnet-driven attack poses a significant threat to M365 environments by exploiting overlooked sign-in logs and bypassing essential security measures like MFA and CAP. The attackers demonstrate persistence and sophistication, methodically compromising accounts with stolen credentials. Organizations must prioritize phasing out Basic Authentication, strengthen monitoring of non-interactive sign-ins and implement more effective password spraying detection strategies to reduce the risk. Quick detection and containment are crucial to minimizing damage and preventing further exploitation.
Impact
This can result in severe security breaches, including unauthorized access to sensitive data, emails, and collaboration tools. Repeated password spraying attempts may cause account lockouts, disrupting business operations. Once an account is compromised, attackers can move laterally within the network, escalate their privileges and potentially deploy malware or launch phishing attacks. The bypassing of MFA and CAP further heightens the risk and complicates detection.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | Exfiltration, Lateral Movement, Privilege Escalation, Credential Access, Command and Control |
| Technique Name | Exfiltration Over C2 Channel, Remote Services, Exploitation for Privilege Escalation, Brute Force, Exploitation for Credential Access, Proxy, Non-Application Layer Protocol |
| Sub Technique Name | Password Spraying, External Proxy |
| Attack Type | Malware |
| Targeted Applications | Microsoft Office 365 |
| Region Impacted | Global |
| Industry Impacted | All |
| IOCs | NA |
| CVE | NA |
Recommended Actions
- Disable or phase out Basic Authentication in all environments to prevent its use.
- Monitor and analyze Non-Interactive Sign-In logs for any suspicious login patterns.
- Deploy enhanced detection mechanisms to identify password spraying attempts.
- Immediately rotate credentials for affected accounts if compromise is detected.
- Enforce MFA on all accounts, ensuring it cannot be bypassed by non-interactive logins.
- Regularly audit and update authentication strategies, including the use of Conditional Access Policies.
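The detection logic described under Indicators of Compromise and called for in the monitoring recommendations above, written as an added example (not code from the original bulletin): it scans non-interactive sign-in records for the same account failing from several distinct IP addresses inside a time window, and annotates each hit with the ‘fasthttp’ user agent, legacy Basic Authentication protocols, and whether a successful sign-in followed the failures. The record shape and the sample data are constructed assumptions, a simplified stand-in for Microsoft Entra sign-in log exports, not the real schema.

```python
# Added example: flag password-spray patterns in non-interactive sign-in logs.
# Records use a simplified Microsoft Entra sign-in shape (an assumption, not the real schema).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed sample data, RFC 5737 documentation addresses
    {"time": "2025-02-24T10:00:01Z", "user": "alice@example.com", "ip": "203.0.113.5",
     "ua": "fasthttp", "client": "IMAP4", "result": "failure"},
    {"time": "2025-02-24T10:02:10Z", "user": "alice@example.com", "ip": "198.51.100.7",
     "ua": "fasthttp", "client": "IMAP4", "result": "failure"},
    {"time": "2025-02-24T10:05:33Z", "user": "alice@example.com", "ip": "192.0.2.44",
     "ua": "fasthttp", "client": "Authenticated SMTP", "result": "failure"},
    {"time": "2025-02-24T10:09:00Z", "user": "alice@example.com", "ip": "192.0.2.99",
     "ua": "fasthttp", "client": "IMAP4", "result": "success"},
    {"time": "2025-02-24T11:00:00Z", "user": "carol@example.com", "ip": "192.0.2.8",
     "ua": "Mozilla/5.0", "client": "Browser", "result": "failure"},
    {"time": "2025-02-24T11:00:30Z", "user": "carol@example.com", "ip": "192.0.2.8",
     "ua": "Mozilla/5.0", "client": "Browser", "result": "failure"},
]
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}  # Basic Auth paths
SPRAY_UA = "fasthttp"  # automation user agent named in the report

def _t(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")

def find_sprayed_accounts(logs, min_ips=3, window=timedelta(hours=1)):
    """Return {user: summary} for accounts whose failed sign-ins came from at least
    min_ips distinct IPs inside any `window`; a later success is the compromise signal."""
    by_user = defaultdict(list)
    for rec in logs:
        by_user[rec["user"]].append(rec)
    hits = {}
    for user, recs in by_user.items():
        recs.sort(key=_t)
        fails = [r for r in recs if r["result"] == "failure"]
        for i, first in enumerate(fails):  # slide the window over each failure
            in_win = [r for r in fails[i:] if _t(r) - _t(first) <= window]
            ips = {r["ip"] for r in in_win}
            if len(ips) >= min_ips:
                hits[user] = {
                    "distinct_ips": len(ips),
                    "fasthttp": any(r["ua"] == SPRAY_UA for r in in_win),
                    "legacy_auth": any(r["client"] in LEGACY_CLIENTS for r in in_win),
                    "success_after": any(r["result"] == "success" for r in recs if _t(r) > _t(first)),
                }
                break
    return hits

if __name__ == "__main__":
    print(find_sprayed_accounts(SAMPLE_LOGS))
```

Distinct-IP counting is what separates this from a plain failed-login threshold: a single user mistyping a password from one address never trips it, while a botnet spreading attempts across many addresses does.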