Microsoft 365 users targeted by password-spraying botnet

Signs that stealthy attack is linked to China

Cybersecurity researchers say they have uncovered a massive botnet targeting M365 accounts with password-spraying attacks.

The botnet is made up of more than 130,000 devices and uses infrastructure hosted by CDS Global Cloud and UCLOUD HK, both cloud providers linked to China. It also uses command and control servers hosted by SharkTech in the US.

The campaign is notable for its stealth and sophistication, researchers at MSP SecurityScorecard say, deploying non-interactive sign-ins to avoid triggering alerts.

“This enables attackers to operate without triggering MFA defences or Conditional Access Policies (CAP), even in highly secured environments,” they explain in an online post.

Password spraying is a brute-force method whereby the attacker uses a single common password against multiple accounts on the same application — rather than trying a list of passwords on a single account, which would normally result in that account being locked out. It can be effective where there are a large number of accounts, some of which may use the same password. Once one account is compromised the attacker may then be able to penetrate deeper into the system, with a risk of data exfiltration, disruption and espionage.

According to the researchers, the nature of the botnet, its infrastructure and its attack methodology suggest the botnet may be operated by nation-state hackers from China. The attack can bypass basic defences, and even companies with strong security postures may be vulnerable due to gaps in how authentication attempts are logged, they say.

Security teams should review non-interactive sign-in logs for unauthorised access attempts, and change the credentials of any accounts affected. They should also disable Microsoft’s Basic Authentication, which is ineffective against such attacks, and which anyway is due to be deprecated in September. SecurityScorecard also suggests restricting non-interactive login attempts and monitoring threat intelligence for stolen credentials.
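As an added illustration of the log review recommended above (example code written for this article, not SecurityScorecard's or Microsoft's tooling), the script below runs a simple spray heuristic over constructed non-interactive sign-in records: one source address failing against many distinct accounts with only one or two attempts each, and any success from that same address afterwards. The record field names are assumptions; 50126 is Entra ID's invalid-credentials error code and 0 stands in for success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID non-interactive sign-in events.
# Field names are an assumption; real exports carry many more fields.
SAMPLE_EVENTS = [
    # One source IP, one failure per account across many accounts: spray pattern.
    {"time": "2025-02-24T10:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "error": 50126},
    {"time": "2025-02-24T10:00:09Z", "user": "bob@example.com",   "ip": "203.0.113.7", "error": 50126},
    {"time": "2025-02-24T10:00:14Z", "user": "carol@example.com", "ip": "203.0.113.7", "error": 50126},
    {"time": "2025-02-24T10:00:20Z", "user": "dave@example.com",  "ip": "203.0.113.7", "error": 50126},
    {"time": "2025-02-24T10:00:27Z", "user": "erin@example.com",  "ip": "203.0.113.7", "error": 0},
    # One user mistyping a password a few times from one address: not a spray.
    {"time": "2025-02-24T10:01:00Z", "user": "frank@example.com", "ip": "198.51.100.4", "error": 50126},
    {"time": "2025-02-24T10:01:30Z", "user": "frank@example.com", "ip": "198.51.100.4", "error": 50126},
    {"time": "2025-02-24T10:02:00Z", "user": "frank@example.com", "ip": "198.51.100.4", "error": 0},
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Return {ip: report} for source IPs that fail against at least `min_accounts`
    distinct users with no more than `max_per_account` failures each inside a sliding
    window. The report lists accounts that then signed in successfully from that IP,
    which are the first candidates for a credential reset."""
    by_ip = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[e["ip"]].append((ts, e["user"], e["error"]))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            failures = defaultdict(int)
            for _, user, err in in_window:
                if err != 0:
                    failures[user] += 1
            # Many accounts, few tries each: the opposite shape of a single-account guess.
            if len(failures) >= min_accounts and max(failures.values()) <= max_per_account:
                succeeded = sorted({u for _, u, err in in_window if err == 0})
                findings[ip] = {"accounts_targeted": len(failures), "possible_success": succeeded}
                break
    return findings


if __name__ == "__main__":
    for ip, report in detect_spray(SAMPLE_EVENTS).items():
        print(ip, report)
```

Thresholds are deliberately low for the constructed sample; tune the window and account counts to the tenant's normal failure rate before alerting on them.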

“These findings … reinforce how adversaries continue to find and exploit gaps in authentication processes,” said David Mound, threat intelligence researcher at SecurityScorecard.

“Organisations cannot afford to assume that MFA alone is a sufficient defence. Understanding the nuances of non-interactive logins is crucial to closing these gaps.”
