
Microsoft 365 Accounts Being Hit With Hard-to-Detect Wave of Password-spraying Attacks

A new report from Security Scorecard details a stealthy but massive cyber threat campaign against Microsoft 365 accounts. The threat actor, believed to be one of the Chinese state-backed hacking groups, is using a botnet to pump out password-spraying attacks that target outdated “basic authentication” protocols.

There does not appear to be a particular target for this campaign as of yet, with the hackers abusing the presence of “Non-Interactive Sign-In” logs at any organization that has overlooked them. The basic authentication method is scheduled to be deprecated by Microsoft, but not until September of this year at the earliest. In the meantime, a botnet comprising an estimated 130,000 compromised devices is being leveraged against targets.

Password-spraying attacks backed by massive botnet

The researchers do not specify which of the Chinese state-backed teams is behind the password-spraying attack, and there are now estimated to be about two dozen active groups comprising tens of thousands of personnel in total. But Microsoft 365 accounts are an unsurprising target at this point, with several of these groups having put a special focus on Redmond’s products in recent years.

In this case, it does not appear to be a specific attempt to infiltrate critical infrastructure or government targets. Instead, the Chinese hackers are making use of a common vulnerability while it is still available. It is not a software vulnerability, but rather a type of log often overlooked by security teams. Non-Interactive Sign-In logs record service-to-service authentication, legacy protocols (including email), and automated processes, and security personnel do not necessarily monitor them actively. The Chinese hackers are able to run a massive but stealthy campaign of password-spraying attacks in this way, targeting accounts that rely only on basic authentication and do not have MFA enabled. If an organization only monitors interactive sign-ins, as many apparently do, it will essentially be blind to this attack campaign.

This basic authentication option is gradually being deprecated by Microsoft and is set to be fully gone sometime during or after September 2025, but the approach remains viable until then. In the interim, Microsoft 365 environments remain fair game for attackers. The Chinese group is particularly well placed to exploit this approach, given its botnet and its command-and-control infrastructure of six servers hosted in the US and a large system of proxies hosted by UCLOUD.HK and CDS Global Cloud.

The researchers attribute the attack campaign to a Chinese team based on the size of the botnet, the sophisticated use of Apache Zookeeper as a coordination framework at the scale required to manage something of this size, and the “Asia/Shanghai” time zone being set for the US servers being used. The proxy providers have also been previously linked to Chinese hacking groups. The botnet has existed since at least December 2024, with scattered reports of password-spraying attacks on Microsoft 365 accounts coming in since then.

Darren James, Senior Product Manager at Specops Software, expands on why these types of vulnerable accounts continue to linger: “This is certainly an interesting and often overlooked attack vector, password spraying of service accounts rather than users. Service Accounts are regularly used to run business critical systems, their passwords are rarely changed, don’t have any type of 2FA applied and they usually have some elevated privilege depending on their function. Meaning they are a good target for attack. We often see service accounts on our breached password and duplicate password reports when customers run our free tool Specops Password Auditor. These passwords are usually set by the IT admin who is installing the service and then never changed again, and it’s fairly common that the passwords set on these accounts aren’t strong or may have been used on other accounts in the past. When we are discussing the results of the report, admins are always worried about making changes to service accounts as that might cause disruption to a business critical solution, but as this latest attack highlights, that approach does leave companies at risk. Businesses should look to enforce very strong and long passwords on service accounts wherever possible, scan these accounts continuously for breached passwords, enforce the use of password vaults and randomly generated passwords for these types of accounts, or if possible, move to using a managed service account that allows the system to set, and regularly change, the passwords of service accounts without human intervention.”

Compromise of Microsoft 365 accounts may be going unnoticed

Defeating the password-spraying attacks is usually a simple matter of rotating any credentials for Microsoft 365 accounts that appear in these logs, but if they go unnoticed the attackers can simply test logins indefinitely until they hit upon a winning combination. The credentials that the attackers try are taken automatically from infostealer malware logs fed by other breaches and dumps obtainable via the dark web.

Cyber criminals often rent time on massive botnets to facilitate password-spraying attacks, but the state-backed Chinese hacking groups have been observed “rolling their own” for some time. A September 2024 joint cybersecurity advisory from the FBI and NSA warns that these groups actively target internet-connected devices known to have poor or no security such as home or small office routers, webcams, network-attached storage and various home and office smart devices to build their massive botnets. The hackers have previously created even bigger botnets, up to 260,000 devices strong. They have also been observed using Mirai malware, a common way to string botnets together that has had its code publicly available since 2016.

Security Scorecard advises that cybersecurity teams look to Entra ID logs for signs of these password-spraying attacks, such as increased non-interactive login attempts and multiple failed attempts coming from different IPs. Another telltale sign is the presence of the “fasthttp” user agent in authentication logs. Security firm SpearTip previously warned in January that Microsoft 365 accounts were being targeted via similar use of the FastHTTP Go library, but it is not clear whether this is part of the same attack campaign.
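As an added example (not code from Security Scorecard, SpearTip or this article), the following Python sketch applies the indicators just listed, together with the non-interactive-log blind spot described earlier, to a set of constructed sign-in records; the field names, thresholds and legacy client-app list are assumptions made for the example.

```python
"""Spot password-spraying indicators in Entra ID non-interactive sign-in records."""
from collections import defaultdict

# Field names approximate the Entra ID sign-in log schema (userPrincipalName, ipAddress,
# userAgent, clientAppUsed, status.errorCode) and are an assumption of this example.
# Error code 50126 is Entra ID's "invalid username or password"; 0 is success.
def rec(upn, ip, ua, app, code, interactive=False):
    return {"userPrincipalName": upn, "ipAddress": ip, "userAgent": ua,
            "clientAppUsed": app, "status": {"errorCode": code}, "interactive": interactive}

# Constructed sample data, not real logs: six failures from four IPs via fasthttp over
# IMAP, then one success; a second account probed once; a normal user's own typo.
SIGNINS = [rec("svc-backup@corp.example", f"203.0.113.{n}", "fasthttp", "IMAP4", 50126)
           for n in (10, 11, 12, 13, 10, 11)] + [
    rec("svc-backup@corp.example", "203.0.113.12", "fasthttp", "IMAP4", 0),
    rec("svc-mail@corp.example", "198.51.100.7", "fasthttp", "Exchange ActiveSync", 50126),
    rec("jdoe@corp.example", "192.0.2.5", "Outlook/16.0", "Mobile Apps and Desktop clients", 50126),
    rec("jdoe@corp.example", "192.0.2.5", "Mozilla/5.0", "Browser", 50126, interactive=True)]

FAILED_THRESHOLD = 5       # failed non-interactive attempts per account
DISTINCT_IP_THRESHOLD = 3  # distinct source IPs per account (proxy/botnet spread)
LEGACY_APPS = {"IMAP4", "POP3", "Exchange ActiveSync", "Authenticated SMTP", "Other clients"}

def analyze(records):
    """Return {upn: [reasons]} for accounts showing spraying indicators."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "ips": set(),
                                 "fasthttp": False, "legacy": False})
    for r in records:
        if r["interactive"]:
            continue  # interactive-only monitoring is the blind spot the campaign exploits
        s = stats[r["userPrincipalName"]]
        s["success" if r["status"]["errorCode"] == 0 else "failed"] += 1
        s["ips"].add(r["ipAddress"])
        s["fasthttp"] |= "fasthttp" in r["userAgent"].lower()
        s["legacy"] |= r["clientAppUsed"] in LEGACY_APPS
    findings = {}
    for upn, s in stats.items():
        reasons = []
        if s["failed"] >= FAILED_THRESHOLD:
            reasons.append(f"{s['failed']} failed non-interactive sign-ins")
        if len(s["ips"]) >= DISTINCT_IP_THRESHOLD:
            reasons.append(f"{len(s['ips'])} distinct source IPs")
        if s["fasthttp"]:
            reasons.append("fasthttp user agent")
        if s["legacy"]:
            reasons.append("legacy/basic-auth client app")
        if reasons and s["success"]:  # a hit after spraying means the credential is burned
            reasons.append("successful sign-in amid spray: rotate credentials now")
        if reasons: findings[upn] = reasons
    return findings
```

Accounts flagged with a successful sign-in are the ones to rotate first, which is the remediation the article describes.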

Boris Cipot, Senior Security Engineer at Black Duck, adds: “To avoid brute-force protections, attackers limit the password testing on user accounts to avoid lockout policies. In the past, this meant attacks lasted for a long period of time using automation tools. To avoid other monitoring systems, attacks are committed during working hours. However, new attack tactics deploy non-interactive sign-ins which are not as prone to typical security alerts like failed login. Non-interactive sign ins include logins over API or automated services, for example. Therefore, this new botnet leverages gaps that organizations have in their authentication monitoring. To lower the risk of such attacks, organizations need to deploy access policies based on geo location and device compliance. Additionally, all failed login attempts need to be monitored and acted on. To make login more secure, Multi Factor Authentication (MFA) or Certificate-based Authentication provides an additional level of security. When talking about monitoring, it is also important to have intelligence involved. Systems that offer AI can deploy behavioral analysis and identify stealth attacks. However, tracking the IP and deploying rate-limiting can help to lower the success rate of such attacks.”

Darren Guccione, CEO and Co-Founder at Keeper Security, additionally notes the utility of password authentication managers: “For organizations heavily reliant on Microsoft 365 accounts, this attack is a wake-up call. Robust cybersecurity isn’t just about having MFA – it’s about securing every authentication pathway. A password manager enforces strong, unique credentials while minimizing exposure to credential-based attacks. For non-interactive authentication, Privileged Access Management (PAM) is essential, ensuring least-privilege access, regular credential rotation and real-time monitoring of service accounts. Security leaders must take a proactive stance by reviewing access logs, limiting unnecessary non-interactive sign-ins and refining authentication policies. With Microsoft phasing out Basic Authentication in 2025, organizations must act now to close these gaps before attackers scale their operations even further.”


Senior Correspondent at CPO Magazine