Introduction

A sophisticated cyberattack has recently targeted Microsoft 365 (M365) accounts, leveraging a massive botnet of over 130,000 compromised devices to execute large-scale password spraying attacks. The method abuses legacy authentication protocols, which cannot enforce Multi-Factor Authentication (MFA) or Conditional Access Policies (CAPs), and so sidesteps those traditional security measures. The attackers rely on non-interactive sign-ins, a category of authentication that security teams often overlook, to gain unauthorized access without triggering standard security alerts. (bleepingcomputer.com)

Background Information

Password spraying is a brute-force attack strategy where attackers attempt a small set of commonly used passwords across a large number of accounts, rather than targeting a single account with numerous password attempts. Because each account sees only a few attempts, this approach minimizes the risk of account lockouts and detection by security systems. In this campaign, the attackers exploit Basic Authentication (Basic Auth), an outdated method that transmits credentials in plaintext or base64-encoded form (base64 is an encoding, not encryption), making them susceptible to interception. Despite Microsoft's plans to deprecate Basic Auth in favor of OAuth 2.0 by September 2025, it remains active in many environments, presenting a significant security risk. (bleepingcomputer.com)

Implications and Impact

The scale and stealth of this attack have profound implications for organizations relying on M365:

  • Unauthorized Access: Compromised accounts can lead to data breaches, exposing sensitive information and intellectual property.
  • Operational Disruption: Repeated login attempts may result in account lockouts, disrupting business operations and communication.
  • Lateral Movement: Once inside, attackers can move laterally within the network, escalating privileges and accessing critical systems.
  • Bypassing Security Measures: The use of non-interactive sign-ins allows attackers to evade MFA and CAPs, undermining existing security defenses. (bleepingcomputer.com)

Technical Details

The attackers employ a botnet comprising over 130,000 compromised devices to distribute login attempts across various IP addresses, reducing the likelihood of detection. By targeting non-interactive sign-ins, commonly used for service-to-service authentication and automated processes, they avoid triggering MFA prompts and CAPs. This method is particularly effective against accounts using Basic Auth, which lacks modern security features. The attack infrastructure includes command-and-control servers hosted by U.S.-based SharkTech and proxy services linked to Chinese-affiliated entities, indicating a sophisticated and well-resourced adversary. (bleepingcomputer.com)

Mitigation Strategies

To defend against such attacks, organizations should implement the following measures:

  1. Disable Basic Authentication: Transition to modern authentication methods that support MFA to enhance security.
  2. Monitor Non-Interactive Sign-Ins: Regularly review non-interactive sign-in logs for unusual activity, such as failed login attempts spread across many accounts and arriving from many different IP addresses.
  3. Enforce Strong Password Policies: Implement policies that require complex, unique passwords for all accounts, reducing the effectiveness of password spraying attacks.
  4. Implement Conditional Access Policies: Restrict non-interactive login attempts and enforce MFA for all users, including service accounts.
  5. Educate Users: Conduct regular training to raise awareness about phishing and other social engineering tactics that may be used to obtain credentials. (bleepingcomputer.com)
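The following script is an added example, not code from the article or from bleepingcomputer, showing what steps 1 and 2 above look like as concrete log analysis: it inventories which accounts still authenticate successfully over legacy (Basic Auth) protocols, and it flags time windows in which failed non-interactive legacy sign-ins are spread across many accounts and many source IPs with only a few attempts per account, the signature that distinguishes a spray from a single user mistyping a password. The sample records are constructed; their field names (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`) are assumed to approximate the shape of Microsoft Entra ID sign-in log entries, the `LEGACY_CLIENT_APPS` set and the thresholds are illustrative, and error code 50126 is used as the "invalid username or password" result.

```python
"""Detect password-spray patterns in non-interactive sign-in records.

Added example; the records below are constructed and only approximate the
field names of Entra ID sign-in logs. Thresholds are illustrative defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: failed attempts in the sample carry Entra's 50126 error code
# ("invalid username or password"); 0 marks success.
INVALID_CREDENTIALS = 50126

# Assumed clientAppUsed strings that indicate legacy (Basic Auth) protocols.
# Adjust to the exact values your tenant emits.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services",
    "IMAP4", "POP3", "Other clients", "Outlook Anywhere (RPC over HTTP)",
}


def _rec(ts, user, ip, app, interactive, code):
    """Build one constructed sign-in record in the assumed log shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


SAMPLE_RECORDS = [
    # Spray traffic: six accounts, one or two tries each, five source IPs,
    # legacy protocols, all non-interactive, all in the 02:00 UTC hour.
    _rec("2025-03-01T02:05:00Z", "alice@example.com", "203.0.113.10", "IMAP4", False, 50126),
    _rec("2025-03-01T02:07:00Z", "bob@example.com", "203.0.113.11", "IMAP4", False, 50126),
    _rec("2025-03-01T02:09:00Z", "carol@example.com", "198.51.100.7", "Exchange ActiveSync", False, 50126),
    _rec("2025-03-01T02:12:00Z", "dave@example.com", "203.0.113.10", "IMAP4", False, 50126),
    _rec("2025-03-01T02:15:00Z", "erin@example.com", "198.51.100.8", "IMAP4", False, 50126),
    _rec("2025-03-01T02:20:00Z", "frank@example.com", "192.0.2.33", "Other clients", False, 50126),
    _rec("2025-03-01T02:41:00Z", "alice@example.com", "198.51.100.8", "IMAP4", False, 50126),
    # Benign: one user mistyping a password in a browser (interactive, one IP).
    _rec("2025-03-01T02:30:00Z", "grace@example.com", "192.0.2.50", "Browser", True, 50126),
    _rec("2025-03-01T02:31:00Z", "grace@example.com", "192.0.2.50", "Browser", True, 50126),
    _rec("2025-03-01T02:32:00Z", "grace@example.com", "192.0.2.50", "Browser", True, 50126),
    # Benign: service account succeeding non-interactively with modern auth.
    _rec("2025-03-01T02:33:00Z", "svc-backup@example.com", "192.0.2.60", "Mobile Apps and Desktop clients", False, 0),
    # Legacy protocol still in successful use: a candidate for step 1 (disable Basic Auth).
    _rec("2025-03-01T02:35:00Z", "ivan@example.com", "192.0.2.70", "IMAP4", False, 0),
    # A lone legacy failure in a different hour: not enough breadth to be a spray.
    _rec("2025-03-01T05:10:00Z", "heidi@example.com", "203.0.113.99", "POP3", False, 50126),
]


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def legacy_auth_users(records):
    """Accounts that still sign in successfully over legacy protocols."""
    return {r["userPrincipalName"] for r in records
            if r["clientAppUsed"] in LEGACY_CLIENT_APPS
            and r["status"]["errorCode"] == 0}


def spray_candidates(records):
    """Failed, non-interactive, legacy-protocol sign-ins: the traffic this campaign produces."""
    return [r for r in records
            if not r["isInteractive"]
            and r["status"]["errorCode"] == INVALID_CREDENTIALS
            and r["clientAppUsed"] in LEGACY_CLIENT_APPS]


def detect_spray(records, window=timedelta(minutes=60),
                 min_users=5, min_ips=3, max_per_user=3):
    """Bucket candidate failures into fixed windows and flag windows that show
    many distinct accounts, many source IPs, and few attempts per account."""
    size = window.total_seconds()
    buckets = defaultdict(list)
    for r in spray_candidates(records):
        buckets[_parse_ts(r["createdDateTime"]).timestamp() // size].append(r)

    findings = []
    for bucket, rows in sorted(buckets.items()):
        per_user, per_ip = defaultdict(int), defaultdict(int)
        for r in rows:
            per_user[r["userPrincipalName"]] += 1
            per_ip[r["ipAddress"]] += 1
        if (len(per_user) >= min_users and len(per_ip) >= min_ips
                and max(per_user.values()) <= max_per_user):
            findings.append({
                "window_start": datetime.fromtimestamp(bucket * size, tz=timezone.utc).isoformat(),
                "users": sorted(per_user),
                "source_ips": dict(per_ip),   # per-IP counts, useful for blocking decisions
                "failures": len(rows),
            })
    return findings


if __name__ == "__main__":
    print("Accounts still using legacy auth successfully:", sorted(legacy_auth_users(SAMPLE_RECORDS)))
    for f in detect_spray(SAMPLE_RECORDS):
        print(f"Spray window starting {f['window_start']}: {len(f['users'])} accounts, "
              f"{len(f['source_ips'])} source IPs, {f['failures']} failures")
```

The per-account ceiling (`max_per_user`) is what keeps Grace's three browser failures from one IP out of the finding even though she also failed three times: a spray is wide and shallow, a brute force is narrow and deep, and the two need different responses. On a real tenant the record list would come from an export of the non-interactive sign-in log rather than the constructed sample, and the thresholds should be tuned against a baseline of normal legacy-protocol failure volume before alerting on them.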

Conclusion

The recent password spraying attacks targeting M365 accounts underscore the evolving nature of cyber threats and the necessity for organizations to adopt comprehensive security strategies. By proactively addressing vulnerabilities, particularly those associated with legacy authentication methods, and implementing robust monitoring and access controls, organizations can significantly reduce the risk of unauthorized access and data breaches.
