Massive Botnet Targets Microsoft 365 Passwords: Here’s What You Need to Know
A massive botnet of over 130,000 compromised devices is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide. These attacks target basic authentication to evade multi-factor authentication (MFA) protections. The attackers leverage credentials stolen by infostealer malware to target accounts on a large scale.

Non-Interactive Sign-Ins and Basic Auth
The attacks rely on non-interactive sign-ins using Basic Authentication (Basic Auth) to bypass MFA protections and gain unauthorized access without triggering security alerts. Organizations relying solely on interactive sign-in monitoring are blind to these attacks. Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations.
What is Basic Auth?
Basic Auth is an outdated authentication method in which a user’s credentials are sent with every request to the server, either in plaintext or in base64-encoded form (which is trivially decodable, not encrypted). It lacks modern security features like MFA and token-based authentication. Microsoft plans to deprecate Basic Auth in favor of OAuth 2.0 in September 2025. However, Basic Auth is still enabled in some environments, making it a prime target for attackers.
The Botnet’s Methodology
The newly discovered botnet makes Basic Auth attempts against a large number of accounts using common or leaked passwords. Because these Basic Auth attempts are non-interactive sign-ins, a correct guess does not trigger an MFA prompt and, in many tenants, is not restricted by Conditional Access Policies (CAP). This allows the attackers to quietly verify account credentials. Once credentials are verified, they can be used to access legacy services that do not require MFA, or in more sophisticated phishing attacks that bypass MFA and gain full access to the account.
Detecting the Attacks
SecurityScorecard highlights that signs of the password-spray attacks may be visible in Entra ID logs. Indicators include an increase in non-interactive sign-in attempts, multiple failed sign-ins for the same account from different IP addresses, and the presence of the “fasthttp” user agent in the authentication logs.
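As an added illustration (not part of the original article or of SecurityScorecard’s report), the following Python script applies those three indicators to a handful of constructed non-interactive sign-in records. The field names, the list of legacy client labels, and the three-IP threshold are simplified assumptions, not the exact Entra ID export schema.

```python
import json
from collections import defaultdict

# Constructed sample records, loosely shaped like an export of Entra ID
# non-interactive sign-in events. Field names are simplified assumptions,
# not the exact Microsoft export schema; IPs are documentation ranges.
SAMPLE_LOGS = """
{"user": "alice@example.com", "ip": "203.0.113.10", "ua": "fasthttp", "interactive": false, "client": "IMAP4", "result": "failure"}
{"user": "alice@example.com", "ip": "198.51.100.7", "ua": "fasthttp", "interactive": false, "client": "IMAP4", "result": "failure"}
{"user": "alice@example.com", "ip": "192.0.2.33", "ua": "fasthttp", "interactive": false, "client": "SMTP", "result": "failure"}
{"user": "alice@example.com", "ip": "192.0.2.34", "ua": "fasthttp", "interactive": false, "client": "SMTP", "result": "success"}
{"user": "bob@example.com", "ip": "203.0.113.10", "ua": "fasthttp", "interactive": false, "client": "POP3", "result": "failure"}
{"user": "carol@example.com", "ip": "10.0.0.5", "ua": "Mozilla/5.0", "interactive": true, "client": "Browser", "result": "failure"}
{"user": "carol@example.com", "ip": "10.0.0.5", "ua": "Mozilla/5.0", "interactive": true, "client": "Browser", "result": "success"}
""".strip()

# Client labels treated as legacy (Basic Auth capable) protocols in this example.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}


def parse_lines(text):
    """Parse a newline-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_spray_indicators(records, min_distinct_ips=3):
    """Per user: failed legacy non-interactive sign-ins from distinct IPs,
    fasthttp user-agent hits, and whether a success followed a spray."""
    failed_ips = defaultdict(set)
    fasthttp_hits = defaultdict(int)
    success_after_spray = set()
    for r in records:  # assumes records are in chronological order
        if r.get("interactive") or r.get("client") not in LEGACY_CLIENTS:
            continue  # interactive or modern-auth traffic is out of scope here
        user = r["user"]
        if "fasthttp" in r.get("ua", "").lower():
            fasthttp_hits[user] += 1
        if r["result"] == "failure":
            failed_ips[user].add(r["ip"])
        elif r["result"] == "success" and len(failed_ips[user]) >= min_distinct_ips:
            success_after_spray.add(user)  # a hit after a spray: credential verified
    return {
        user: {
            "distinct_failed_ips": len(failed_ips[user]),
            "fasthttp_requests": fasthttp_hits[user],
            "suspected_spray": len(failed_ips[user]) >= min_distinct_ips,
            "success_after_spray": user in success_after_spray,
        }
        for user in set(failed_ips) | set(fasthttp_hits)
    }
```

On the constructed sample, alice is flagged (three failed legacy sign-ins from distinct IPs, all with the fasthttp user agent, followed by a success), bob is not, and carol’s interactive browser traffic is ignored entirely.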
Attribution and Infrastructure
The botnet operators are likely Chinese-affiliated, although there’s no clear or confident attribution yet. The botnet operates through six primary command and control (C2) servers hosted by U.S. provider Shark Tech. It proxies traffic through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud. The C2 servers run Apache Zookeeper and use Kafka to manage botnet operations. The system timezone on the C2 servers is set to Asia/Shanghai, while their uptimes indicate the botnet has been active since at least December 2024.
Scale and Mitigation
The botnet uses over 130,000 compromised devices to spread its login attempts across many different IP addresses, so that no single source generates enough failures to be flagged as suspicious and blocked. Organizations should disable Basic Auth in Microsoft 365, block the IP addresses listed in the report, enable CAPs to restrict login attempts, and use MFA on all accounts.
Conclusion
The botnet targeting Basic Auth in Microsoft 365 password spray attacks poses a significant threat to organizations worldwide. By leveraging outdated authentication methods and non-interactive sign-ins, attackers can bypass MFA protections and gain unauthorized access to accounts. Organizations must take proactive measures to disable Basic Auth, monitor login patterns, and implement strong detection mechanisms to mitigate the risks associated with these attacks.