Massive Botnet Hits Microsoft 365 Accounts
Summary:
A newly discovered botnet of over 130,000 compromised devices is launching a highly coordinated password-spraying attack on Microsoft 365 accounts, exposing critical vulnerabilities in modern authentication practices. SecurityScorecard researchers have linked this campaign to China-affiliated threat actors by identifying infrastructure connections with CDS Global Cloud and UCLOUD HK entities known for their operational ties to China, while the attackers manage their operations through command-and-control servers hosted by U.S.-based SharkTech, a company previously associated with malicious activity.
Unlike traditional password-spraying techniques, which typically trigger account lockouts and alert security teams, this attack exploits Non-Interactive Sign-Ins, a mechanism used for service-to-service authentication that does not usually generate the security alerts provided by Multi-Factor Authentication or Conditional Access Policies. This stealthy method allows the attackers to remain under the radar by targeting less-monitored authentication channels, thereby bypassing defenses even in environments with otherwise robust security measures.
Security Officer Comments:
The scale and ingenuity of this attack highlight the growing trend of exploiting overlooked vulnerabilities in non-interactive login processes, prompting a reassessment of security protocols across industries that rely heavily on Microsoft 365 for email, document storage, and collaboration. Sectors such as financial services, healthcare, government, technology, and education face heightened risks, as compromised accounts could lead to unauthorized data access, espionage, and even supply chain attacks. Experts, including David Mound from the STRIKE Threat Intelligence team at SecurityScorecard, stress that relying solely on MFA is no longer sufficient; organizations must also scrutinize and fortify the authentication processes that are typically considered low risk.
Suggested Corrections:
- Review non-interactive sign-in logs for unauthorized access attempts.
- Rotate credentials for any accounts flagged in recent sign-in attempts.
- Disable legacy authentication protocols like Basic Authentication.
- Monitor infostealer logs for stolen credentials linked to the organization.
- Implement conditional access policies that restrict non-interactive login attempts.
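The first two corrections above (review non-interactive sign-in logs, then rotate credentials for flagged accounts) can be turned into a simple detection. The following is an added example, not code from SecurityScorecard or the article: it reads constructed non-interactive sign-in events (field names modelled on the Entra ID sign-in log layout as an assumption, with 50126 assumed to be the invalid-credentials error code), flags a source IP that fails against several distinct accounts inside one window, and lists accounts that then signed in successfully from that IP.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # look-back window per source IP
MIN_ACCOUNTS = 3                 # distinct accounts failing from one IP => spray
INVALID_CREDS = 50126            # assumed: Entra ID code for bad username/password

# Constructed sample of non-interactive sign-in events, one JSON object per line.
# Field names follow the Entra ID sign-in log layout as an assumption.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T03:00:01Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.10","errorCode":50126}
{"createdDateTime":"2025-02-20T03:02:10Z","userPrincipalName":"b.ng@example.com","ipAddress":"203.0.113.10","errorCode":50126}
{"createdDateTime":"2025-02-20T03:05:44Z","userPrincipalName":"c.ruiz@example.com","ipAddress":"203.0.113.10","errorCode":50126}
{"createdDateTime":"2025-02-20T03:09:30Z","userPrincipalName":"d.kim@example.com","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2025-02-20T03:10:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.7","errorCode":50126}
{"createdDateTime":"2025-02-20T03:11:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.7","errorCode":0}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {ip: {"accounts": set, "successes": set}} for every source IP whose
    credential failures span at least `min_accounts` distinct accounts in `window`."""
    failures = defaultdict(list)   # ip -> [(ts, upn)] in time order
    successes = defaultdict(set)   # ip -> {upn} that authenticated successfully
    for e in events:
        if e["errorCode"] == INVALID_CREDS:
            failures[e["ipAddress"]].append((e["ts"], e["userPrincipalName"]))
        elif e["errorCode"] == 0:
            successes[e["ipAddress"]].add(e["userPrincipalName"])
    findings = {}
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):   # slide the window over each failure
            accounts = {u for t, u in fails[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                findings[ip] = {"accounts": accounts, "successes": successes[ip]}
                break
    return findings

def accounts_to_rotate(findings):
    """Accounts that signed in successfully from a spraying IP: rotate these first."""
    return sorted(u for f in findings.values() for u in f["successes"])
```

Per-IP grouping is deliberately naive; a botnet of 130,000 devices spreads attempts across many sources, so in practice the same logic should also be run with the source ASN or a tenant-wide distinct-account count as the grouping key.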
Link(s):
https://www.helpnetsecurity.com/2025/02/24/botnet-hits-microsoft-365-accounts/