Massive Chinese-Linked Botnet Targets Microsoft 365 Authentication Vulnerability


A newly discovered botnet comprising over 130,000 compromised devices is conducting widespread password-spraying attacks against Microsoft 365 accounts, security researchers revealed. The attack exploits a vulnerability in non-interactive sign-ins using basic authentication, allowing attackers to bypass standard security measures including multi-factor authentication (MFA).

The botnet targets automated login processes that occur in the background without direct user input. These non-interactive sign-ins, commonly used for service accounts and automated tasks, create a security blind spot as they don't generate typical alert notifications when compromised.

"Unlike traditional password spraying, this technique avoids triggering security alerts, allowing adversaries to operate undetected, even in well-secured environments," explained Darren Guccione, CEO at Keeper Security.

The attackers leverage stolen credentials from infostealer logs to systematically target accounts at scale. The campaign has been observed across multiple Microsoft 365 tenants globally, indicating a widespread threat.

Security researchers at SecurityScorecard have found possible connections to China-affiliated threat actors, citing evidence of infrastructure linked to Chinese cloud service providers. The attack utilizes command-and-control servers hosted by SharkTech, a U.S.-based provider previously associated with malicious activity.

Organizations most at risk include:

  • Financial services and insurance companies
  • Healthcare institutions
  • Government and defense agencies
  • Technology and SaaS providers
  • Educational and research institutions

Security experts recommend that organizations:

  • Review non-interactive sign-in logs for unauthorized access
  • Rotate credentials for potentially compromised accounts
  • Disable legacy authentication protocols
  • Monitor for stolen credentials in infostealer logs
  • Implement stricter access policies
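The first two recommendations, worked as an added example that is not from the article: over constructed non-interactive sign-in records whose field names are modeled on Entra ID sign-in logs, flag a source IP whose bad-password failures hit several accounts through legacy clients inside a short window, and list the successful legacy-auth sign-ins that should be reviewed and rotated first. The legacy-client list and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client types that rely on basic authentication (illustrative, not exhaustive)
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
BAD_PASSWORD = 50126  # Entra ID error code for an invalid username or password

def _rec(ts, user, ip, client, code, interactive=False):
    """Build one constructed sign-in record (fields modeled on Entra ID sign-in logs)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "isInteractive": interactive,
            "status": {"errorCode": code}}

# Constructed sample: one IP sprays three mailboxes, then succeeds on a fourth; a browser typo; a quiet IP
SAMPLE_LOGS = [
    _rec("2025-02-24T10:00:00", "alice@example.org", "203.0.113.10", "IMAP4", BAD_PASSWORD),
    _rec("2025-02-24T10:01:00", "bob@example.org", "203.0.113.10", "IMAP4", BAD_PASSWORD),
    _rec("2025-02-24T10:02:00", "carol@example.org", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-24T10:03:00", "dave@example.org", "203.0.113.10", "IMAP4", 0),
    _rec("2025-02-24T10:30:00", "alice@example.org", "198.51.100.7", "Browser", BAD_PASSWORD, True),
    _rec("2025-02-24T11:00:00", "erin@example.org", "192.0.2.5", "POP3", BAD_PASSWORD),
    _rec("2025-02-24T11:04:00", "frank@example.org", "192.0.2.5", "POP3", BAD_PASSWORD),
]

def _legacy_noninteractive(records):
    """Keep only background (non-interactive) sign-ins from legacy clients."""
    return [r for r in records if not r["isInteractive"] and r["clientAppUsed"] in LEGACY_CLIENTS]

def detect_spray(records, window=timedelta(minutes=10), min_users=3):
    """Map source IP -> sorted targeted users for IPs whose bad-password failures
    hit at least `min_users` distinct accounts within a sliding `window`."""
    per_ip = defaultdict(list)
    for r in _legacy_noninteractive(records):
        if r["status"]["errorCode"] == BAD_PASSWORD:
            per_ip[r["ipAddress"]].append(
                (datetime.fromisoformat(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def legacy_auth_successes(records):
    """(user, ip) pairs for successful legacy non-interactive sign-ins: the first
    accounts to review and rotate, since MFA was never in the path."""
    return [(r["userPrincipalName"], r["ipAddress"])
            for r in _legacy_noninteractive(records) if r["status"]["errorCode"] == 0]
```

On the sample, the spraying IP is reported with the three accounts it failed against, and the success against the fourth account surfaces as the rotation candidate, while the interactive browser failure and the below-threshold IP are ignored.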

With Microsoft planning to retire basic authentication by September 2025, this attack highlights the urgency for organizations to transition to more secure authentication methods before these vulnerabilities can be exploited further.