
Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts

A China-linked botnet powered by 130,000 hacked devices has targeted Microsoft 365 accounts with password spraying attacks.

A botnet controlled by a threat actor linked to China has been observed targeting Microsoft 365 accounts with large-scale password spraying attacks, SecurityScorecard reported on Monday.

According to the security firm, the botnet is powered by more than 130,000 compromised devices and the attacks aimed at Microsoft 365 accounts rely on non-interactive sign-ins with Basic Authentication.

“Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations. Basic Authentication, still enabled in some environments, allows credentials to be transmitted in plain form, making it a prime target for attackers,” SecurityScorecard said.

While Microsoft is in the process of deprecating Basic Authentication, the security firm warns that these attacks pose an immediate threat.

The attack is stealthy because the password spraying attempts are recorded in non-interactive sign-in logs, which are often not monitored by security teams.  
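As an added example (not code from the article or from SecurityScorecard's report), the following Python flags the pattern described above in non-interactive sign-in records: one source address failing legacy-protocol authentication against many distinct accounts inside a short window, along with any account that same address then signed into successfully. The record layout, client names and sample values are constructed assumptions modelled on Microsoft Entra ID sign-in log field names, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: field names modelled on Entra ID sign-in
# logs such as isInteractive, clientAppUsed and status.errorCode). Not real telemetry.
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2025-02-24T03:0{i}:00Z", "userPrincipalName": f"user{i}@example.com",
     "ipAddress": "203.0.113.10", "isInteractive": False, "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}}            # wrong password, six different accounts
    for i in range(6)
] + [
    {"createdDateTime": "2025-02-24T03:07:00Z", "userPrincipalName": "user6@example.com",
     "ipAddress": "203.0.113.10", "isInteractive": False, "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},               # same source then signs in successfully
    {"createdDateTime": "2025-02-24T03:08:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "isInteractive": True, "clientAppUsed": "Browser",
     "status": {"errorCode": 50126}},           # one user mistyping a password: not a spray
]

# Assumed client labels for legacy (Basic Authentication) protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(hours=1), min_accounts=5):
    """Flag source IPs whose failed, non-interactive, legacy-protocol sign-ins touched at
    least `min_accounts` distinct accounts within `window`. Returns {ip: {"sprayed": set,
    "succeeded": set}} where "succeeded" lists accounts the same IP later signed into."""
    by_ip = defaultdict(list)
    for r in records:
        if not r["isInteractive"] and r["clientAppUsed"] in LEGACY_CLIENTS:
            by_ip[r["ipAddress"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        failures = [r for r in recs if r["status"]["errorCode"] != 0]
        for i, start in enumerate(failures):      # sliding window over failures
            hit = {r["userPrincipalName"] for r in failures[i:] if _ts(r) - _ts(start) <= window}
            if len(hit) >= min_accounts:
                succeeded = {r["userPrincipalName"] for r in recs if r["status"]["errorCode"] == 0}
                findings[ip] = {"sprayed": hit, "succeeded": succeeded}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {len(f['sprayed'])} accounts sprayed, successes: {sorted(f['succeeded'])}")
```

A success following a spray from the same source is the finding to triage first, since it marks a credential that worked without MFA.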

SecurityScorecard has identified several command and control servers located in the United States. Monitoring the connections to these servers for four hours showed 130,000 devices communicating with them.

The botnet powered by these devices takes credentials obtained by information-stealer malware and tests them against Microsoft 365 accounts. 

Once they gain access to the accounts, the hackers can obtain sensitive information, cause disruption to business operations, and move laterally within the targeted organization. 

The security firm believes the botnet is likely controlled by a Chinese threat group, but noted that its attribution efforts are ongoing. 

Microsoft reported in October 2024 that it had seen multiple Chinese threat actors using credentials sourced from a password spray operation that involved a network of compromised devices tracked as CovertNetwork-1658, Xlogin and Quad7.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
