Botnet targets Microsoft accounts with password spraying attack

A huge botnet (network of private computers infected with malware) of 130,000 devices has been targeting Microsoft 365 service accounts across the world. First discovered by SecurityScorecard on February 24th, the botnet appears to be engaged in a mass password spraying attack. Notably, the attackers have been able to bypass multi-factor authentication by exploiting Basic Authentication (Basic Auth) – an outdated authentication method. This means security alerts are not being triggered and organizations may be unaware they’re under attack.

Attack summary

  • Who was targeted: Microsoft 365 service accounts worldwide
  • Attack type: Password spraying via massive botnet
  • Impact: Potential for account takeovers, disrupted operations through lockouts, and lateral movement upon unauthorized access
  • Who was responsible: Officially unattributed. SecurityScorecard believes a Chinese-affiliated group is behind the attack, citing evidence of infrastructure linked to CDS Global Cloud and UCLOUD HK, which have operational ties to China. The attack uses command-and-control (C2) servers hosted by SharkTech, a U.S.-based provider previously identified as hosting malicious activity.

How did the attack happen?

According to SecurityScorecard, the attackers have used infostealers to gather a database of stolen credentials. From there, they’re systematically targeting accounts with common/breached passwords at a large scale across the world. Using a botnet of over 130,000 compromised devices means the login attempts have been spread out across many different IP addresses.

The attempts are being recorded as ‘non-interactive sign-in’ logs, which helps stop them from being flagged as suspicious. From the attacker’s perspective, this maximizes the chance of compromise while keeping the number of account lockouts to a minimum. Once they get a match with valid credentials, they gain full access to the account and can launch further attacks.

The key issue here is that Basic Auth is an outdated authentication method that can’t be used in conjunction with MFA. Instead, the username and password are sent with every request to the server, either in plaintext or in base64-encoded form (base64 is an encoding, not encryption, so it is trivially reversible). Microsoft has already disabled Basic Auth for most Microsoft 365 services and plans to deprecate it fully in favor of OAuth 2.0 in September 2025.

What to do if you think you’ve been targeted by the Botnet attack

SecurityScorecard gave the following warning: “Organizations relying solely on interactive sign-in monitoring are blind to these attacks. Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations.” Their advice to any organization that believes it has been impacted is to disable Basic Auth in Microsoft 365, block the IP addresses listed in the report, enable Conditional Access Policies (CAPs) to restrict login attempts, and use MFA on all accounts.
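Because these attempts land in the non-interactive sign-in logs rather than the interactive ones, a defender who only watches interactive sign-ins sees nothing. The following added example (not code from the article or from SecurityScorecard) shows the kind of check a security team could run over exported sign-in records: it looks for the spray signature described above, which is many distinct accounts with one or two bad-password failures each, from many source IPs, over legacy protocols, and flags any account that then succeeded. The sample records are constructed and modelled on the Microsoft Graph sign-in log shape; the field names and the 50126 error code are assumptions about that format.

```python
from collections import defaultdict

# Legacy client types that use Basic Auth and therefore never see an MFA prompt.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
BAD_PASSWORD = 50126  # Entra ID error code for "invalid username or password"

# Constructed sample records (not real tenant data), assumed to be in time order.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-backup@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "IMAP4", "isInteractive": False, "status": {"errorCode": BAD_PASSWORD}},
    {"userPrincipalName": "svc-scan@example.com", "ipAddress": "203.0.113.11",
     "clientAppUsed": "POP3", "isInteractive": False, "status": {"errorCode": BAD_PASSWORD}},
    {"userPrincipalName": "svc-mail@example.com", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Authenticated SMTP", "isInteractive": False, "status": {"errorCode": BAD_PASSWORD}},
    # Same account succeeds shortly afterwards from a different IP: possible compromise.
    {"userPrincipalName": "svc-mail@example.com", "ipAddress": "198.51.100.8",
     "clientAppUsed": "Authenticated SMTP", "isInteractive": False, "status": {"errorCode": 0}},
    # An interactive typo by a human user must not count toward a spray.
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.5",
     "clientAppUsed": "Browser", "isInteractive": True, "status": {"errorCode": BAD_PASSWORD}},
]


def spray_summary(signins, min_accounts=3, max_failures_per_account=2):
    """Summarize a possible low-and-slow password spray over non-interactive,
    legacy-protocol sign-ins. A spray is assumed when at least `min_accounts`
    distinct accounts each saw no more than `max_failures_per_account` failures."""
    failures = defaultdict(int)      # account -> number of bad-password failures
    source_ips = set()               # all IPs that produced a failure
    possible_compromise = set()      # accounts that succeeded after a failure
    for s in signins:
        if s["isInteractive"] or s["clientAppUsed"] not in LEGACY_CLIENTS:
            continue
        upn = s["userPrincipalName"].lower()
        code = s["status"]["errorCode"]
        if code == BAD_PASSWORD:
            failures[upn] += 1
            source_ips.add(s["ipAddress"])
        elif code == 0 and upn in failures:
            possible_compromise.add(upn)
    sprayed = [u for u, n in failures.items() if n <= max_failures_per_account]
    return {
        "spray_detected": len(sprayed) >= min_accounts,
        "accounts_targeted": len(sprayed),
        "source_ips": len(source_ips),
        "possible_compromise": sorted(possible_compromise),
    }
```

Accounts listed under possible_compromise are the ones to rotate and investigate first; the IP count is what makes the activity look like a distributed botnet rather than a single noisy source.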


Specops analysis: Defending against password spraying attacks

Darren James, Senior Product Manager at Specops had this to say about the attack: “Password spraying of service accounts rather than users is certainly an interesting and often overlooked attack vector. Service accounts are regularly used to run business critical systems and their passwords are rarely changed. They don’t have any type of 2FA applied and they usually have some elevated privilege depending on their function. This means they’re a good target for attack.

“We often see service accounts on our breached password and duplicate password reports when customers run our free Active Directory auditing tool Specops Password Auditor. These passwords are usually set by the IT admin who is installing the service and then never changed again, and it’s fairly common that the passwords set on these accounts aren’t strong or may have been used on other accounts in the past.

“When we’re discussing the results of the report, admins are always worried about making changes to service accounts as that might cause disruption to a business critical solution, but as this latest attack highlights, that approach does leave companies at risk. Password spray attacks were designed to overcome the disadvantages associated with brute force attacks. These attacks attempt to log into all of the organization’s accounts using a few passwords that are known to be especially common. In a large organization, there is a good chance that at least one account will have one of these weak passwords.

“Businesses should look to enforce very strong and long passwords on service accounts wherever possible, scan these accounts continuously for breached passwords, enforce the use of password vaults, and randomly generated passwords for these types of account. If possible, they should move to using a managed service account that allows the system to set, and regularly change, the passwords of service accounts without human intervention.”

Block weak passwords and detect compromised credentials

MFA would normally be the key defense against password spraying attacks, but in this case the attackers evaded it by exploiting Basic Authentication on accounts that can’t use MFA. There are two more key defenses organizations should have in place to combat password spray attacks against both end users and service accounts:

  1. Block users from choosing weak passwords: The attackers are relying on databases of known weak and compromised passwords, which are commonly stolen by malware. We recently analyzed 1 billion+ malware-stolen passwords and the most common were base terms or keyboard walks such as ‘qwerty’ or ‘123456.’ Your password policy should block end users from creating weak passwords and instead enforce long, unique passphrases.
  2. Scan your Active Directory for compromised passwords: Even strong passwords can become compromised through end users reusing work passwords on personal devices, sites, and applications with weak security. You should consider adding tools to scan your Active Directory for passwords known to be involved in breaches. Keep in mind that some solutions only scan at reset events, whereas solutions like Specops Password Policy with Breached Password Protection can continuously scan for compromised passwords in your environment.

Interested in ridding your Active Directory of weak and compromised passwords? Get in touch for a free Specops Password Policy trial today.

(Last updated on February 27, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
