Security researchers at SecurityScorecard have accused Chinese hackers of carrying out massive, coordinated password spraying attacks on Microsoft 365 accounts. Password spraying is typically blocked by security systems, but this campaign targets non-interactive logins used to authenticate between services, which do not always generate security alerts.


Password spraying is a hacking technique in which a short list of commonly used passwords is tried against a large number of accounts. Such attacks are often successful because many users protect their accounts with simple passwords that are easy to guess, such as “123456,” “password,” or “qwerty123.” The most common password of 2024, “123456,” was found in over 3 million accounts in a study by NordPass. It takes less than a second to crack such a password.

SecurityScorecard based its attribution on the attackers’ use of infrastructure associated with CDS Global Cloud and UCLOUD HK, both organizations with operational ties to China. “These findings from our STRIKE Threat Intelligence team confirm that attackers continue to find and exploit gaps in authentication processes,” said SecurityScorecard security researcher David Mound. “Organizations cannot afford to assume that MFA (multi-factor authentication) alone is sufficient protection. Understanding the nuances of non-interactive logins is critical to closing these gaps.”

While password spraying is a well-known technique, this campaign is unique in its scale, stealth, and exploitation of critical security blind spots. Unlike previous attacks associated with Volt Typhoon (China) and APT33 (Iran), this botnet uses non-interactive logins to evade detection and blocking by traditional security measures. These logins are used to authenticate between services and do not always generate security alerts. This allows attackers to operate without triggering MFA or conditional access policies (CAP), even in highly secure environments.


This attack has implications for many industries, but organizations that rely heavily on Microsoft 365 for email, document storage, and collaboration may be particularly at risk. To avoid becoming a victim of a cyberattack, you should:

  • Check non-interactive login logs for unauthorized access attempts.
  • Change credentials for all accounts with recent failed login attempts.
  • Disable legacy authentication protocols.
  • Monitor infostealer logs for stolen credentials associated with your organization.
  • Implement conditional access policies that restrict non-interactive login attempts.
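
The first two checks in the list above can be run over exported sign-in records. The following is an added example, not code from SecurityScorecard or the original article: it flags sources whose failed non-interactive sign-ins span many accounts, then lists accounts that source later signed in to successfully. Field names follow the Microsoft Graph signIn resource; the export shape, the thresholds, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra ID error code for a wrong username or password

def _rec(minute, user, ip, code, interactive=False):
    # Constructed record using Microsoft Graph signIn field names (assumed export shape).
    return {"createdDateTime": f"2025-02-20T03:{minute:02d}:00Z",
            "userPrincipalName": f"{user}@example.com", "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": code}}

USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    # One source, one guess per account, all non-interactive: the spray pattern.
    [_rec(i, u, "203.0.113.10", INVALID_PASSWORD) for i, u in enumerate(USERS)]
    # The same source later signs in successfully as carol (errorCode 0).
    + [_rec(20, "carol", "203.0.113.10", 0)]
    # A service retrying a stale password for one account: noisy, but not a spray.
    + [_rec(m, "svc-backup", "198.51.100.7", INVALID_PASSWORD) for m in range(8)]
    # Interactive failures are out of scope for this check.
    + [_rec(i, u, "192.0.2.44", INVALID_PASSWORD, True) for i, u in enumerate(USERS)]
)

def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def find_spray_sources(records, min_accounts=5, window=timedelta(minutes=30)):
    """Map source IP -> accounts, where failed non-interactive sign-ins from that
    IP hit at least min_accounts distinct accounts inside one sliding window."""
    failures = defaultdict(list)
    for r in records:
        if not r["isInteractive"] and r["status"]["errorCode"] == INVALID_PASSWORD:
            failures[r["ipAddress"]].append((_when(r), r["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            accounts = {user for _, user in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(users) for ip, users in flagged.items()}

def accounts_to_reset_first(records, flagged):
    """Accounts with a successful non-interactive sign-in from a flagged source."""
    return sorted({r["userPrincipalName"].lower() for r in records
                   if r["ipAddress"] in flagged and not r["isInteractive"]
                   and r["status"]["errorCode"] == 0})
```

Counting distinct accounts per source, rather than failures per account, is what separates a spray from a single misconfigured service; tune `min_accounts` and `window` to the tenant's normal traffic.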

With Microsoft set to completely phase out Basic Authentication by September 2025, these attacks highlight the urgency of moving to more secure authentication methods before they become even more widespread.

Published by
admin
