130,000-Device Botnet Hits Microsoft 365 Networks

Researchers at SecurityScorecard have reported that a botnet of roughly 130,000 compromised devices is running password-spraying attacks against Microsoft 365 accounts worldwide. The attack targets the legacy Basic Authentication mechanism, which does not support multifactor authentication (MFA), so a correct password alone is enough to sign in.

The attackers feed stolen credentials into non-interactive Basic Auth sign-in attempts, which lets them gain access while sidestepping the controls that normally protect interactive logins.

The researchers warn that organizations that monitor only interactive logins remain exposed: non-interactive sign-ins, commonly used for service connections and legacy protocols such as POP, IMAP, and SMTP, are typically not subject to MFA. Although Microsoft has been phasing out Basic Auth, some corporate environments still have it enabled, which makes them attractive targets.

By abusing Basic Auth, the attackers gain access to accounts protected by common or leaked passwords; a successful attempt is not challenged by MFA, and because these non-interactive sign-ins can fall outside Conditional Access policies, the activity is hard to detect.

Compromised accounts can be used to reach services that do not support MFA or to launch phishing attacks. Indicators of the attack appear in the Entra ID sign-in logs: a rise in non-interactive sign-in attempts, repeated failed attempts against the same accounts from many different IP addresses, and the "fasthttp" user agent string.
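The three indicators above can be checked mechanically against exported Entra ID sign-in records. The following is an added example, not code from SecurityScorecard or Microsoft: it runs the heuristics over a handful of constructed records whose field names follow the Entra ID sign-in log schema (userPrincipalName, ipAddress, isInteractive, clientAppUsed, userAgent, status.errorCode). The thresholds, the sample data, and the treatment of error code 50126 (invalid username or password) as a spray failure are assumptions chosen for illustration; tune them to your tenant's baseline.

```python
"""Heuristic detection of Basic Auth password spraying in Entra ID
non-interactive sign-in records.

Added example; sample records below are constructed, not real telemetry.
Field names mirror the Entra ID sign-in log schema."""
from collections import Counter

# clientAppUsed values that indicate legacy (Basic Auth capable) protocols
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}
AADSTS_BAD_PASSWORD = 50126  # "invalid username or password"

# Constructed sample: a spray from several IPs using the fasthttp user
# agent over IMAP/POP/SMTP, one lucky hit on bob, plus benign browser noise.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "isInteractive": False, "clientAppUsed": "IMAP4",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.11",
     "isInteractive": False, "clientAppUsed": "Authenticated SMTP",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "isInteractive": False, "clientAppUsed": "POP3",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.8",
     "isInteractive": False, "clientAppUsed": "IMAP4",
     "userAgent": "fasthttp", "status": {"errorCode": 0}},  # spray succeeded
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.55",
     "isInteractive": False, "clientAppUsed": "Other clients",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    # benign: interactive browser sign-in, one typo then success
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "192.0.2.200",
     "isInteractive": True, "clientAppUsed": "Browser",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "192.0.2.200",
     "isInteractive": True, "clientAppUsed": "Browser",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
]


def is_legacy_basic_auth(rec):
    """Non-interactive sign-in via a legacy protocol: the path that
    bypasses MFA and is the one this botnet abuses."""
    return (not rec.get("isInteractive", True)
            and rec.get("clientAppUsed") in LEGACY_CLIENTS)


def summarize_spray(records, min_accounts=3, min_ips=3):
    """Aggregate legacy-auth failures the way a spray looks: many
    accounts, many source IPs, few failures per account, and any success
    on an account that was being sprayed is a likely compromise."""
    legacy = [r for r in records if is_legacy_basic_auth(r)]
    failures = [r for r in legacy
                if r["status"]["errorCode"] == AADSTS_BAD_PASSWORD]
    per_account = Counter(r["userPrincipalName"] for r in failures)
    source_ips = {r["ipAddress"] for r in failures}
    fasthttp = sum(1 for r in legacy
                   if "fasthttp" in r.get("userAgent", "").lower())
    compromised = sorted({r["userPrincipalName"] for r in legacy
                          if r["status"]["errorCode"] == 0
                          and r["userPrincipalName"] in per_account})
    return {
        "legacy_attempts": len(legacy),
        "bad_password_failures": len(failures),
        "targeted_accounts": len(per_account),
        "max_failures_per_account": max(per_account.values(), default=0),
        "source_ips": len(source_ips),
        "fasthttp_attempts": fasthttp,
        "spray_suspected": (len(per_account) >= min_accounts
                            and len(source_ips) >= min_ips),
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    for key, value in summarize_spray(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

The distinguishing shape is low failures per account spread across many accounts and many IPs, which is what separates spraying from a brute-force attack on one mailbox; the interactive browser failure from dave is ignored because it is neither non-interactive nor a legacy protocol.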

The researchers suggest the botnet may be linked to China-based groups. Because the login attempts are spread across a very large number of IP addresses, the botnet is difficult to detect and block by source address alone.

The botnet is controlled through six C2 servers hosted by the US provider Shark Tech, with traffic routed via UCLOUD HK (Hong Kong) and CDS Global Cloud (China). The C2 servers run Apache ZooKeeper and Kafka, with the system clock set to the Asia/Shanghai time zone. Uptime logs indicate the botnet has been active since December 2024.

Organizations are advised to disable Basic Authentication in Microsoft 365, block the IP addresses listed in the report, use Conditional Access policies to restrict sign-in attempts, enforce MFA on all accounts, and monitor the Entra ID sign-in logs, including non-interactive sign-ins, for suspicious activity.
