A large botnet targets M365 accounts with password spraying attacks

Pierluigi Paganini February 24, 2025

A botnet of 130,000+ devices is attacking Microsoft 365 accounts via password-spraying, bypassing MFA by exploiting basic authentication.

SecurityScorecard researchers discovered a botnet of over 130,000 devices that is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide. The attackers targeted accounts that still accept basic authentication, which lets them bypass multi-factor authentication.

The experts pointed out that organizations relying solely on interactive sign-in monitoring are blind to these attacks. Basic Authentication transmits credentials in plain form, allowing attackers to capture them. Despite Microsoft phasing it out, it remains an active security risk.

The botnet operators used stolen credentials from infostealer logs to target accounts at scale.

“These attacks are recorded in Non-Interactive Sign-In logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected. This tactic has been observed across multiple M365 tenants globally, indicating a widespread and ongoing threat.” reads the report published by SecurityScorecard. “As we have seen direct evidence of this behavior in our Non-Interactive Sign-In logs, we encourage anyone operating a M365 tenant to immediately verify whether they are affected, and if so, to rotate credentials belonging to any organization accounts in the logs.”

The botnet uses stolen credentials to target M365 accounts, evading MFA and Conditional Access Policies while minimizing detection in Non-Interactive Sign-In logs.

“The botnet systematically attempts stolen credentials from infostealer logs across a wide range of M365 accounts, minimizing account lockouts while maximizing the probability of compromise. Non-interactive sign-ins via basic authentication allow the attackers to evade MFA enforcement and potentially bypass Conditional Access Policies (CAP).” continues the report. “The attackers have identified a method that causes login events to be logged in the Non-Interactive Sign-In logs, which may result in reduced security visibility and response.”

The experts discovered the botnet’s activity while investigating a number of failed sign-in attempts in the non-interactive sign-in logs of a Microsoft 365 tenant. The attackers used basic authentication methods, and the attempts carried “fasthttp” as the user agent; the researchers also found online reports of similar password-spraying attacks using the same user agent.
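Detection logic for the pattern described above, as an added example that is not from the SecurityScorecard report or from Security Affairs: it runs over constructed sign-in records using Microsoft Graph signIn field names and flags a source IP whose non-interactive, legacy-protocol failures are spread across many accounts with few attempts each (the lockout-avoiding spray), reporting the user agents and protocols seen. The legacy-protocol labels, the error code and the thresholds are assumptions to tune per tenant.

```python
"""Spot password spraying over basic auth in Entra ID non-interactive sign-in logs.

Added example; records are constructed and mimic Graph signIn fields
(userPrincipalName, ipAddress, clientAppUsed, userAgent, isInteractive, status.errorCode).
"""
from collections import defaultdict

# Assumed clientAppUsed labels for legacy protocols; basic auth here cannot satisfy MFA.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                      "Other clients", "Exchange Online PowerShell", "Autodiscover"}
INVALID_CREDENTIALS = 50126  # assumed Entra error code for bad username/password


def rec(upn, ip, app, ua, interactive, code):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": app,
            "userAgent": ua, "isInteractive": interactive, "status": {"errorCode": code}}


# Constructed sample: one spray source (six accounts, one try each, fasthttp over IMAP),
# one user mistyping a password in a browser, one lone legacy-auth failure.
SAMPLE_RECORDS = [rec(f"user{i}@example.com", "203.0.113.10", "IMAP4", "fasthttp", False,
                      INVALID_CREDENTIALS) for i in range(1, 7)]
SAMPLE_RECORDS += [rec("alice@example.com", "198.51.100.7", "Browser", "Mozilla/5.0", True,
                       INVALID_CREDENTIALS)] * 3
SAMPLE_RECORDS += [rec("bob@example.com", "192.0.2.5", "Authenticated SMTP", "fasthttp", False,
                       INVALID_CREDENTIALS)]


def detect_spray(records, min_users=5, max_attempts_per_user=2):
    """Return one finding per source IP whose non-interactive legacy-auth failures look
    like a spray: many distinct accounts, few attempts each (stays under lockout)."""
    per_ip = defaultdict(lambda: {"users": defaultdict(int), "agents": set(), "apps": set()})
    for r in records:
        if r.get("isInteractive") or r["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue  # interactive/modern-auth failures show up on the usual dashboards
        if r["status"].get("errorCode") != INVALID_CREDENTIALS:
            continue
        bucket = per_ip[r["ipAddress"]]
        bucket["users"][r["userPrincipalName"]] += 1
        bucket["agents"].add(r["userAgent"])
        bucket["apps"].add(r["clientAppUsed"])
    findings = []
    for ip, b in per_ip.items():
        if len(b["users"]) >= min_users and max(b["users"].values()) <= max_attempts_per_user:
            findings.append({"ipAddress": ip, "targetedUsers": len(b["users"]),
                             "attempts": sum(b["users"].values()),
                             "userAgents": sorted(b["agents"]), "clientApps": sorted(b["apps"])})
    return findings  # accounts named in a finding are candidates for credential rotation


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_RECORDS):
        print(finding)
```

Against the sample, only 203.0.113.10 is reported (six accounts, one attempt each, user agent fasthttp over IMAP4); the browser failures are interactive and the single SMTP failure is below the account threshold.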


The analysis of netflow data identified recurring attacker IPs, primarily hosted at SharkTech, with traffic over ports 12341, 12342, and 12348. The researchers also found that two other hosting providers, CDSC-AS1 and UCLOUD HK, both linked to China, were involved in the attacks.

SecurityScorecard attributes the attacks to an alleged Chinese-affiliated Group.

The cybersecurity firm identified six C2 servers that have similar ports open and run Apache Zookeeper and Kafka to manage botnet operations.

The botnet, active since at least December 2024, was composed of over 130,000 devices; its C2 servers are set to the Asia/Shanghai timezone.

“This botnet activity highlights the importance of deprecating basic authentication, proactively monitoring login patterns, and implementing strong detection mechanisms for password spraying attempts.” concludes the report. “The attackers’ use of Non-Interactive Sign-In logs to evade MFA and possibly Conditional Access Policies underscores the need for organizations to reassess their authentication strategies. Additionally, organizations should monitor for leaked credentials on underground forums and swiftly act to reset compromised accounts.”
