Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts

A China-linked botnet powered by 130,000 hacked devices has targeted Microsoft 365 accounts with password spraying attacks.

A botnet controlled by a threat actor linked to China has been observed targeting Microsoft 365 accounts with large-scale password spraying attacks, SecurityScorecard reported on Monday.

According to the security firm, the botnet is powered by more than 130,000 compromised devices and the attacks aimed at Microsoft 365 accounts rely on non-interactive sign-ins with Basic Authentication.

“Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations. Basic Authentication, still enabled in some environments, allows credentials to be transmitted in plain form, making it a prime target for attackers,” SecurityScorecard said.

While Microsoft is in the process of deprecating Basic Authentication, the security firm warns that these attacks pose an immediate threat.

The attacks are stealthy because the password spraying attempts are recorded in the non-interactive sign-in logs, which security teams often do not monitor.
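The blind spot described above can be closed by reviewing the non-interactive sign-in logs for the spray pattern: one source IP failing with bad credentials against many distinct accounts over a legacy protocol, sometimes followed by a success when a stolen credential is still valid. The following detection script is an added example and is not code from the article, SecurityScorecard or Microsoft. It assumes sign-in events exported as JSON lines using the field names of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, createdDateTime, status.errorCode); the sample events, the IP addresses, the user names, the list of legacy client types, and the thresholds are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of non-interactive sign-in events, one JSON object per line.
# Field names follow the Microsoft Graph signIn resource; every value is invented.
# 203.0.113.45 sprays six accounts over IMAP/POP/SMTP and then succeeds for carol,
# 198.51.100.7 is one user mistyping a password in a browser, 192.0.2.9 is noise.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-24T03:00:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.45","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:00:41Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.45","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:01:17Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.45","clientAppUsed":"POP3","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:02:02Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.45","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:02:48Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.45","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:03:30Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.45","clientAppUsed":"POP3","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:05:11Z","userPrincipalName":"Carol@example.com","ipAddress":"203.0.113.45","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2025-02-24T03:10:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:10:30Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T03:11:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2025-02-24T03:12:00Z","userPrincipalName":"grace@example.com","ipAddress":"192.0.2.9","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
"""

# clientAppUsed values that rely on Basic Authentication rather than modern auth.
# Assumed list for this example; extend it to match what your tenant reports.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Other clients",
}

BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0


def parse_events(text):
    """Parse JSON-lines sign-in events and attach a parsed UTC timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # fromisoformat() accepts a trailing "Z" only on Python 3.11+, so normalise it.
        event["_ts"] = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
        events.append(event)
    return events


def is_legacy_auth(event):
    """True when the sign-in used a Basic Authentication client type."""
    return event.get("clientAppUsed") in LEGACY_CLIENT_APPS


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5):
    """Flag source IPs whose legacy-auth bad-password failures span at least
    min_users distinct accounts within any sliding window of the given length.
    Thresholds are example values; tune them to the tenant's baseline."""
    by_ip = defaultdict(list)
    for event in events:
        if is_legacy_auth(event):
            by_ip[event["ipAddress"]].append(event)

    findings = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e["_ts"])
        failures = [e for e in ip_events if e["status"]["errorCode"] == BAD_PASSWORD]

        # Sliding window: for each failure as a start point, collect the distinct
        # accounts hit before the window elapses and keep the largest set.
        best = set()
        for i, start in enumerate(failures):
            users = set()
            for event in failures[i:]:
                if event["_ts"] - start["_ts"] > window:
                    break
                users.add(event["userPrincipalName"].lower())
            if len(users) > len(best):
                best = users

        if len(best) >= min_users:
            # A success from a spraying IP means a stolen credential is still valid.
            successes = sorted({e["userPrincipalName"].lower()
                                for e in ip_events if e["status"]["errorCode"] == SUCCESS})
            findings.append({
                "ip": ip,
                "distinct_users": len(best),
                "failed_users": sorted(best),
                "successful_users": successes,
                "first_seen": ip_events[0]["createdDateTime"],
                "last_seen": ip_events[-1]["createdDateTime"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

The same grouping can be expressed as a scheduled query over the non-interactive sign-in table in a SIEM; the point of the script is which fields matter: restrict to Basic Authentication client types, count distinct accounts per source IP rather than failures per account (a spray keeps per-account failures below lockout thresholds), and treat any success from a flagged IP as a confirmed compromise to reset and investigate first. User principal names are lower-cased before counting because the same mailbox can appear with different casing.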

SecurityScorecard has identified several command and control servers located in the United States. Monitoring the connections to these servers for four hours showed 130,000 devices communicating with them.

The botnet powered by these devices takes credentials obtained by information-stealer malware and tests them against Microsoft 365 accounts. 

Once they gain access to the accounts, the hackers can obtain sensitive information, cause disruption to business operations, and move laterally within the targeted organization. 

The security firm believes the botnet is likely controlled by a Chinese threat group, but noted that its attribution efforts are ongoing. 

Microsoft reported in October 2024 that it had seen multiple Chinese threat actors using credentials sourced from a password spray operation that involved a network of compromised devices tracked as CovertNetwork-1658, Xlogin and Quad7.

Related: Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances

Related: Infostealer Infections Lead to Telefonica Ticketing System Breach

Related: Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign

Related: Iranian Hackers Use Brute Force in Critical Infrastructure Attacks

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.