A botnet comprising over 130,000 compromised devices has been uncovered launching coordinated password-spraying attacks against Microsoft 365 (M365) accounts. Researchers at SecurityScorecard are investigating possible ties to China-affiliated threat actors, pointing to infrastructure associated with CDS Global Cloud and UCLOUD HK, both of which have connections to China. The attack uses command-and-control (C2) servers hosted by SharkTech, a U.S.-based hosting provider previously linked to malicious activity.
David Mound, Threat Intelligence Researcher at SecurityScorecard, emphasized the significance of these findings, highlighting how cyber adversaries continually exploit weaknesses in authentication processes. He cautioned against relying solely on Multi-Factor Authentication (MFA) as a defense mechanism, stressing that organizations need a comprehensive understanding of their non-interactive logins in order to bolster their security measures.
Password spraying is a familiar tactic, but this campaign stands out for its scale, its stealth, and its exploitation of a common monitoring blind spot. Unlike earlier incidents attributed to threat groups such as Volt Typhoon from China and APT33 from Iran, this botnet directs its attempts at non-interactive sign-ins, the authentications performed by services and legacy clients without a user present. Because these sign-ins, typically made over legacy protocols that use Basic Authentication, do not prompt for MFA, are frequently not covered by Conditional Access Policies (CAP), and do not appear in the interactive sign-in logs most security teams watch, the attempts can proceed unnoticed even in otherwise well-secured environments.
The industries most at risk from this attack include financial services, healthcare, government and defense, technology and SaaS providers, and education and research institutions that heavily rely on Microsoft 365 for their operations. These sectors face specific threats ranging from fraud and insider breaches to espionage and intellectual property theft.
The implications of this attack are far-reaching: possible ties to nation-state actors, the bypassing of controls that organizations consider robust, and the continuation of tactics seen in earlier campaigns. Security teams are urged to review non-interactive sign-in logs for unexpected sources and volumes, rotate any credentials found to be compromised, disable legacy authentication protocols, monitor for stolen credentials linked to their organization, and implement Conditional Access Policies that restrict non-interactive login attempts.
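One way to carry out the first of those recommendations, reviewing non-interactive sign-in logs, is to hunt for the spray pattern directly: a single source address failing against many distinct accounts over a legacy protocol within a short time, followed by any success from that same address. The Python below is an added example, not code from the article or from SecurityScorecard. The sample records are constructed to mimic the fields of an exported Microsoft Entra sign-in event (the field names, result code 50126 for a bad password, and the clientAppUsed values for legacy protocols follow the Entra sign-in log schema); the window and account thresholds are assumptions to be tuned per tenant.

```python
"""Hunt for password spraying in non-interactive Entra ID sign-in records.

Added example, not from the original article or SecurityScorecard. The
records below are constructed to mimic the fields of an exported Microsoft
Entra sign-in event (createdDateTime, userPrincipalName, ipAddress,
clientAppUsed, isInteractive, status.errorCode); they are not real logs.
"""
from collections import defaultdict
from datetime import datetime

ERR_INVALID_PASSWORD = 50126   # Entra result code: invalid username or password
ERR_SUCCESS = 0
# clientAppUsed values Entra reports for legacy (Basic Authentication) protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def _rec(ts, upn, ip, client, code, interactive=False):
    """Build one record shaped like an exported Entra sign-in event (constructed)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "isInteractive": interactive,
            "status": {"errorCode": code}}


SPRAY_IP, GUESS_IP, USER_IP = "203.0.113.10", "198.51.100.7", "192.0.2.9"
# Constructed sample: one password tried against many accounts from SPRAY_IP
# over IMAP4 (six failures, then one success); six guesses against a single
# account from GUESS_IP; and one ordinary interactive browser login.
SAMPLE_RECORDS = [
    _rec("2025-02-24T09:00:00Z", "alice@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:01:00Z", "bob@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:02:00Z", "carol@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:03:00Z", "dave@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:04:00Z", "erin@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:05:00Z", "frank@example.com", SPRAY_IP, "IMAP4", ERR_INVALID_PASSWORD),
    _rec("2025-02-24T09:06:00Z", "grace@example.com", SPRAY_IP, "IMAP4", ERR_SUCCESS),
] + [
    _rec(f"2025-02-24T09:1{i}:00Z", "henry@example.com", GUESS_IP, "IMAP4", ERR_INVALID_PASSWORD)
    for i in range(6)
] + [
    _rec("2025-02-24T09:20:00Z", "ivy@example.com", USER_IP, "Browser", ERR_SUCCESS, interactive=True),
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_noninteractive(records):
    """Keep only non-interactive sign-ins from legacy clients: the events that
    never prompt for MFA and that many teams do not review."""
    return [r for r in records
            if not r.get("isInteractive", True) and r.get("clientAppUsed") in LEGACY_CLIENTS]


def detect_spray(records, window_minutes=60, min_users=5):
    """Return one alert per source IP whose bad-password failures hit at least
    min_users distinct accounts inside some window_minutes span. A spray is
    many accounts from one source, so the count is of distinct users, which
    keeps single-account brute forcing (and one user's typos) out of the result.
    Any success from a flagged IP is listed as a probable compromised account."""
    by_ip = defaultdict(list)
    for r in legacy_noninteractive(records):
        by_ip[r["ipAddress"]].append(r)

    alerts = []
    for ip, events in by_ip.items():
        failures = sorted((e for e in events if e["status"]["errorCode"] == ERR_INVALID_PASSWORD), key=_ts)
        most_targeted = set()
        start = 0
        for end, f in enumerate(failures):   # sliding window over time-ordered failures
            while (_ts(f) - _ts(failures[start])).total_seconds() > window_minutes * 60:
                start += 1
            users = {x["userPrincipalName"] for x in failures[start:end + 1]}
            if len(users) > len(most_targeted):
                most_targeted = users
        if len(most_targeted) >= min_users:
            hits = sorted({e["userPrincipalName"] for e in events if e["status"]["errorCode"] == ERR_SUCCESS})
            alerts.append({"ip": ip, "targeted_users": sorted(most_targeted), "compromised": hits})
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_RECORDS):
        print(f"spray from {a['ip']}: {len(a['targeted_users'])} accounts targeted, "
              f"successful sign-ins for {a['compromised'] or 'none'}")
```

Counting distinct accounts per source, rather than failures per account, is what separates spraying from brute forcing and from a single user mistyping a password. A botnet of 130,000 devices will also spread its attempts across many source addresses, so in practice the same grouping is worth repeating by user agent and by hosting ASN (for ranges such as those named above) in addition to per-IP.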
With Microsoft planning to retire the remaining Basic Authentication support in Exchange Online by September 2025, the need for organizations to move to modern authentication methods has never been more pressing. Organizations that leave legacy authentication enabled and non-interactive sign-ins unmonitored remain exposed to further exploitation on a larger scale, underscoring the need for proactive cybersecurity measures.

