Massive botnet attack is targeting Microsoft 365 accounts worldwide

The attacks sidestep multi-factor authentication by going after legacy Basic Authentication sign-ins


Microsoft 365 is targeted by a massive botnet attack

According to a recent report from SecurityScorecard, a botnet of more than 130,000 compromised devices is actively attempting to break into Microsoft 365 accounts worldwide. The attackers are using password spraying: a small set of common or leaked passwords is tried against a large number of accounts, which keeps the failure count per account low enough to stay under lockout thresholds.

They are specifically targeting tenants that still allow Basic Authentication. Legacy protocols that use it cannot present an MFA challenge, so a correct password is all the attacker needs.

According to the SecurityScorecard report, the passwords being sprayed come from logs harvested by infostealer malware, which supplies credentials in bulk and lets the operators attack a huge number of accounts at once. Because the attempts arrive as non-interactive sign-ins over Basic Authentication, no MFA prompt is ever issued, and the activity is easy to miss in monitoring that watches only interactive sign-ins. It is closer to quietly trying keys in a lock than to kicking down the door.


Organizations relying solely on interactive sign-in monitoring are blind to these attacks. Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations. Basic Authentication, still enabled in some environments, allows credentials to be transmitted in plain form, making it a prime target for attackers, writes SecurityScorecard.

The botnet, which is allegedly operated by a Chinese organization, uses Basic Authentication to test credentials at scale: a wide range of accounts is tried against commonly used or leaked passwords. A Basic Authentication request carries the username and password in a single exchange with no further interaction, so a correct guess is not followed by an MFA prompt, and it often passes Conditional Access Policies (CAP) unnoticed unless a policy explicitly blocks legacy authentication. This lets the attackers quietly confirm which of the stolen credentials are still valid.

Once a credential is confirmed, it is used in one of two ways: directly, against older services that do not demand MFA, or as the starting point for a more targeted phishing scheme designed to defeat the remaining protections and take over the account.

SecurityScorecard points out that the spray can be spotted in the Entra ID sign-in logs. Look for a spike in non-interactive sign-in attempts, repeated failed logins for many different accounts from a rotating set of IP addresses, and the fasthttp user agent in the authentication records.
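The three indicators above, turned into detection logic. This is an added example and not code from the article or from SecurityScorecard; the sign-in records are constructed for the example, with field names loosely modelled on the Microsoft Graph signIn resource (userPrincipalName, ipAddress, userAgent, isInteractive, clientAppUsed, status.errorCode), and the thresholds are assumptions to be tuned per tenant. Error code 50126 is Entra ID's "invalid username or password" result.

```python
"""Password-spray indicators over Entra ID style sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ERR_BAD_PASSWORD = 50126               # Entra ID: invalid username or password
SUSPECT_USER_AGENTS = {"fasthttp"}     # client named in the SecurityScorecard report


def rec(ts, upn, ip, agent, interactive, client, code):
    """Build one constructed record; the shape loosely follows the Graph signIn resource."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": agent, "isInteractive": interactive,
            "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample telemetry, not real logs: two spraying IPs using a fasthttp
# client over IMAP, one of which lands a valid password, plus normal browser traffic.
SAMPLE_SIGNINS = [
    rec("2025-02-24T09:00:01Z", "alice@example.com", "203.0.113.10", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T09:00:03Z", "bob@example.com",   "203.0.113.10", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T09:00:04Z", "carol@example.com", "203.0.113.10", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T09:00:06Z", "dave@example.com",  "203.0.113.10", "fasthttp", False, "IMAP4", 0),
    rec("2025-02-24T09:00:09Z", "alice@example.com", "198.51.100.7", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T09:00:11Z", "erin@example.com",  "198.51.100.7", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T09:00:12Z", "frank@example.com", "198.51.100.7", "fasthttp", False, "IMAP4", ERR_BAD_PASSWORD),
    rec("2025-02-24T08:30:00Z", "alice@example.com", "192.0.2.55",   "Mozilla/5.0 Edge/122",   True, "Browser", 0),
    rec("2025-02-24T08:45:00Z", "bob@example.com",   "192.0.2.56",   "Mozilla/5.0 Chrome/122", True, "Browser", 0),
]


def _ts(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _failed(r):
    return r["status"]["errorCode"] != 0


def suspect_agent_hits(records):
    """Indicator 3: count sign-ins per source IP whose user agent matches a known spray client."""
    hits = defaultdict(int)
    for r in records:
        if any(a in r["userAgent"].lower() for a in SUSPECT_USER_AGENTS):
            hits[r["ipAddress"]] += 1
    return dict(hits)


def spray_sources(records, min_distinct_users=3):
    """Indicator 2: IPs whose failed non-interactive logins are spread across many accounts.
    Spraying shows up as few failures per user but many users per source."""
    users_by_ip = defaultdict(set)
    for r in records:
        if not r["isInteractive"] and _failed(r):
            users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


def validated_credentials(records, min_distinct_users=3):
    """Successful non-interactive logins from an IP already flagged as spraying:
    these are the credentials the attacker has now confirmed as valid."""
    sources = spray_sources(records, min_distinct_users)
    return sorted((r["userPrincipalName"], r["ipAddress"]) for r in records
                  if not r["isInteractive"] and not _failed(r) and r["ipAddress"] in sources)


def peak_noninteractive_rate(records, window=timedelta(minutes=1)):
    """Indicator 1: the largest number of non-interactive attempts in any sliding window,
    returned as (count, window start). Compare against the tenant's normal baseline."""
    times = sorted(_ts(r) for r in records if not r["isInteractive"])
    best, start = (0, None), 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, times[start].isoformat())
    return best


if __name__ == "__main__":
    print("fasthttp hits by IP:", suspect_agent_hits(SAMPLE_SIGNINS))
    print("spray sources:", spray_sources(SAMPLE_SIGNINS))
    print("credentials confirmed by the attacker:", validated_credentials(SAMPLE_SIGNINS))
    print("peak non-interactive attempts per minute:", peak_noninteractive_rate(SAMPLE_SIGNINS))
```

In a real tenant the records would come from the Entra ID sign-in logs (for example the Graph `auditLogs/signIns` endpoint or the exported non-interactive sign-in table) rather than the constructed list, and the `validated_credentials` output is the one to act on first, since those accounts now have a password the attacker knows.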

The danger is that wherever legacy authentication is still enabled, a correct password alone is enough: MFA is never challenged, so it offers no protection against these logins. We learned about this from Bleeping Computer.
