Password spraying attacks on M365 accounts by a botnet of over 130,000 bots

IT researchers have observed a botnet of more than 130,000 infected systems carrying out password spraying attacks against Microsoft 365 accounts.

(Image: A criminal tries to crack the login of a computer. Created with AI in Bing Designer by heise online / dmk)


IT researchers have observed a botnet of more than 130,000 infected systems carrying out password spraying attacks on Microsoft 365 accounts. By systematically trying username/password combinations across a large number of accounts, the attackers gain access to those that are protected by nothing more than a password.

According to an analysis by SecurityScorecard, the attackers are specifically targeting non-interactive sign-ins that still use so-called Basic Authentication. Because Basic Authentication transmits only a username and password, protection mechanisms such as multifactor authentication (MFA) never come into play, and IT security teams often have a blind spot for exactly this combination. The credentials the criminals test are not guessed at random: they rely on access data that infostealer malware has harvested from victims and systematically try it against many accounts.

According to the IT researchers, several Microsoft 365 tenants around the world have been attacked in this way, which points to a widespread and persistent threat. Non-interactive sign-ins are typically used for machine-to-machine communication or for legacy protocols such as POP3, IMAP and SMTP AUTH, for which no MFA is enforced in many configurations. Organizations that monitor only interactive sign-ins are blind to this activity as well.

SecurityScorecard found direct evidence of this behavior in the non-interactive sign-in logs and advises every organization with a Microsoft 365 tenant to check promptly whether it is affected. If it is, the authors of the analysis recommend resetting the credentials of every account that appears in those logs.
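The check the researchers recommend can be scripted against an export of the Entra ID sign-in log. The following is an added example, not code from SecurityScorecard or Microsoft: it flags source IPs whose Basic Authentication failures were spread across many distinct accounts (the breadth that distinguishes spraying from a user mistyping a password), gives a tenant-wide count that still shows a spray when it is distributed over many addresses, and lists accounts that then signed in successfully from a flagged source. The records are constructed; they mirror only the Microsoft Graph `signIn` fields used here (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`), the addresses come from the RFC 5737 documentation ranges, and the `min_users` threshold of 5 is an assumption to tune per tenant.

```python
"""Spot password spraying against legacy (Basic Authentication) non-interactive
Microsoft 365 sign-ins in an exported Entra ID sign-in log.

Added example, not SecurityScorecard's or Microsoft's code. SAMPLE_SIGNINS is
constructed data shaped like Microsoft Graph 'signIn' objects (only the fields
used here); the IP addresses are RFC 5737 documentation ranges, the users are
fictitious, and the thresholds are assumptions to be tuned per tenant.
"""
import json
from collections import defaultdict

# Client types that reach Exchange Online over Basic Authentication and
# therefore cannot be challenged for MFA.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0


def make(upn, ip, client, code, interactive=False, when="2025-02-20T03:00:00Z"):
    """Build one constructed signIn-shaped record."""
    return {
        "createdDateTime": when,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "clientAppUsed": client,
        "isInteractive": interactive,
        "status": {"errorCode": code},
    }


SPRAY_IP_1, SPRAY_IP_2, OFFICE_IP = "203.0.113.45", "198.51.100.7", "192.0.2.10"

SAMPLE_SIGNINS = (
    # Spray source 1: one guess per account over IMAP4, then a hit on erin.
    [make(f"{u}@example.com", SPRAY_IP_1, "IMAP4", INVALID_CREDENTIALS)
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [make("erin@example.com", SPRAY_IP_1, "IMAP4", SUCCESS)]
    # An interactive browser failure from the same IP: not legacy auth, not counted.
    + [make("grace@example.com", SPRAY_IP_1, "Browser", INVALID_CREDENTIALS, interactive=True)]
    # Spray source 2: SMTP AUTH, no hits.
    + [make(f"{u}@example.com", SPRAY_IP_2, "Authenticated SMTP", INVALID_CREDENTIALS)
       for u in ("hank", "ivy", "jack", "kim", "leo", "mia")]
    # Benign: one user mistypes a mail-client password twice, then succeeds.
    + [make("alice@example.com", OFFICE_IP, "IMAP4", INVALID_CREDENTIALS)] * 2
    + [make("alice@example.com", OFFICE_IP, "IMAP4", SUCCESS)]
)


def load_signins(path):
    """Load a JSON array of signIn objects (e.g. the 'value' list returned by
    Graph /auditLogs/signIns saved to a file); assumption about the export shape."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def is_legacy_noninteractive(rec):
    """Non-interactive sign-in through a Basic Authentication client."""
    return not rec.get("isInteractive", True) and rec.get("clientAppUsed") in LEGACY_CLIENTS


def spray_sources(records, min_users=5):
    """IPs whose legacy-auth credential failures touched at least min_users distinct accounts.

    Spraying looks like one or two failures per account across many accounts,
    so the signal is breadth of targets per source, not failures per account.
    """
    targets = defaultdict(set)
    for r in records:
        if is_legacy_noninteractive(r) and r["status"]["errorCode"] == INVALID_CREDENTIALS:
            targets[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_users}


def legacy_failure_spread(records):
    """Tenant-wide view: (distinct accounts, distinct source IPs) with legacy-auth credential failures.

    With ~130,000 source addresses a spray can stay under any per-IP threshold;
    a broad set of accounts failing over Basic Auth is still visible here.
    """
    users, ips = set(), set()
    for r in records:
        if is_legacy_noninteractive(r) and r["status"]["errorCode"] == INVALID_CREDENTIALS:
            users.add(r["userPrincipalName"].lower())
            ips.add(r["ipAddress"])
    return len(users), len(ips)


def compromised_accounts(records, sources):
    """Accounts with a successful legacy sign-in from a flagged spray source: reset these first."""
    hits = {r["userPrincipalName"].lower() for r in records
            if r["ipAddress"] in sources and is_legacy_noninteractive(r)
            and r["status"]["errorCode"] == SUCCESS}
    return sorted(hits)


if __name__ == "__main__":
    sources = spray_sources(SAMPLE_SIGNINS)
    for ip, users in sources.items():
        print(f"spray source {ip}: {len(users)} accounts tried, e.g. {users[:3]}")
    print("distinct accounts/IPs with legacy-auth failures:", legacy_failure_spread(SAMPLE_SIGNINS))
    print("reset first:", compromised_accounts(SAMPLE_SIGNINS, sources))
```

On the sample data the two spray sources are flagged, the office address where a single user fails twice is not, and erin's account is singled out for a credential reset because the spraying IP eventually signed in as her. The per-IP view is the easy case; against a botnet of this size each address may only touch a handful of accounts, which is why the tenant-wide spread (here 12 accounts from 3 addresses) is the number worth alerting on as well.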

The IT researchers summarize the risks briefly: attackers can take over the accounts and thereby gain unauthorized access, business processes can be disrupted or interrupted, and from a compromised account the malicious actors can move further into the network and spread.

Basic Authentication should by now be largely switched off. Microsoft began disabling the insecure sign-in method in Exchange Online, for example, on October 1, 2022, and personal accounts on Outlook.com have not been able to sign in with Basic Authentication since September 16, 2024. It is nevertheless still active in some environments, for instance because exception rules are still in place. According to the analysis, Microsoft plans to close the remaining gap in September 2025, when Basic Authentication for SMTP AUTH is to be retired as well.

The IT security researchers point out that these attacks illustrate, among other things, how important it is to get rid of Basic Authentication in favor of more secure sign-in methods, to proactively monitor sign-in patterns, and to put strong detection mechanisms for password spraying attempts in place.

Interested parties can download the full analysis after registering their e-mail address.

Password spraying is a frequently observed attack vector. Cisco, for example, responded at the end of last year by adding better protection against brute-force and password spraying attacks to the firmware of its ASA and FTD appliances.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.