Source: Help Net Security Author: Help Net Security URL: https://www.helpnetsecurity.com/2025/02/24/botnet-hits-microsoft-365-accounts/
ONE SENTENCE SUMMARY:
A botnet of some 130,000 compromised devices is password-spraying Microsoft 365 accounts through non-interactive sign-ins, an authentication path that often falls outside MFA and Conditional Access enforcement and outside routine monitoring.
MAIN POINTS:
- A newly discovered botnet is conducting large-scale password-spraying attacks on Microsoft 365 accounts.
- SecurityScorecard researchers suspect links to China-affiliated threat actors based on hosting infrastructure evidence.
- The attempts are made as non-interactive sign-ins (service-to-service and legacy Basic Authentication flows such as POP, IMAP and SMTP), which in many tenant configurations are not subject to MFA or Conditional Access and do not pass through the interactive sign-in path most monitoring covers.
- Targeted industries include financial services, healthcare, government, technology, and education.
- The botnet uses command-and-control servers hosted by SharkTech, known for previous malicious activity.
- Because each account sees only one or a few attempts, and non-interactive sign-ins are logged separately from interactive ones, the spraying rarely trips lockout thresholds or alerts tuned to interactive logins.
- Organizations with otherwise strong controls may still be exposed if their authentication monitoring covers only interactive sign-ins.
- Potential nation-state involvement raises concerns about espionage and data exfiltration risks.
- Security teams should review non-interactive sign-in logs for unauthorized access attempts, rotate credentials for any accounts that appear in them, disable legacy authentication protocols, and watch for organization credentials exposed in infostealer logs.
- Microsoft plans to retire Basic Authentication by September 2025, increasing urgency for stronger authentication methods.
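The log review recommended above is the part practitioners most often get wrong, because the non-interactive sign-in records sit apart from the interactive ones. The script below is an added example, not code from the article or from SecurityScorecard: it takes records in the shape of the Microsoft Graph signIn resource (as exported from the sign-in logs), keeps only non-interactive events, and flags source IPs that hit many distinct accounts with a bad password while keeping each account below a lockout threshold, then lists any later success on a sprayed account from the same IP. The sample records, addresses and thresholds are constructed for the example; the error codes (50126 for a bad password, 0 for success) and the clientAppUsed protocol names are Entra ID values.

```python
"""Flag password-spray patterns in exported Entra ID non-interactive sign-in records.

Added example (not code from the Help Net Security article or SecurityScorecard).
Assumes records with the field names of the Microsoft Graph signIn resource, e.g.
  GET https://graph.microsoft.com/v1.0/auditLogs/signIns
The sample records below are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra ID error code: invalid username or password
SUCCESS = 0
# Legacy (Basic Authentication) protocols as named in clientAppUsed; a partial list.
LEGACY_CLIENTS = {"Authenticated SMTP", "Exchange ActiveSync", "IMAP4", "POP3", "Other clients"}


def _rec(ts, upn, ip, code, client, interactive=False):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "clientAppUsed": client, "isInteractive": interactive}


# Constructed sample: 203.0.113.10 (a documentation address) tries one password against
# six accounts over a few minutes via Authenticated SMTP and later lands on one of them;
# 198.51.100.7 is a user mistyping their own password twice before getting it right.
SAMPLE_SIGNINS = [
    _rec("2025-02-20T03:00:05Z", "alice@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:00:41Z", "bob@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:01:17Z", "carol@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:01:52Z", "dave@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:02:30Z", "erin@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:03:04Z", "frank@example.com", "203.0.113.10", INVALID_PASSWORD, "Authenticated SMTP"),
    _rec("2025-02-20T03:48:10Z", "alice@example.com", "203.0.113.10", SUCCESS, "Authenticated SMTP"),
    _rec("2025-02-20T09:15:00Z", "grace@example.com", "198.51.100.7", INVALID_PASSWORD, "Mobile Apps and Desktop clients"),
    _rec("2025-02-20T09:15:20Z", "grace@example.com", "198.51.100.7", INVALID_PASSWORD, "Mobile Apps and Desktop clients"),
    _rec("2025-02-20T09:15:45Z", "grace@example.com", "198.51.100.7", SUCCESS, "Mobile Apps and Desktop clients"),
]


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def find_spray_sources(records, window=timedelta(hours=1), min_accounts=5, max_per_account=3):
    """Return {ip: finding} for source IPs whose failed non-interactive sign-ins look like a
    spray: at least `min_accounts` distinct accounts failing with a bad password inside
    `window`, no account tried more than `max_per_account` times (so lockout never fires),
    plus any success on a sprayed account from the same IP after the spray began."""
    by_ip = defaultdict(list)
    for r in records:
        if not r.get("isInteractive", False):  # the blind spot: non-interactive only
            by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        failures = [e for e in events if e["status"]["errorCode"] == INVALID_PASSWORD]
        # Largest set of distinct accounts hit inside any window that starts at a failure.
        sprayed = set()
        for i, first in enumerate(failures):
            in_window = {e["userPrincipalName"] for e in failures[i:] if _ts(e) - _ts(first) <= window}
            if len(in_window) > len(sprayed):
                sprayed = in_window
        if len(sprayed) < min_accounts:
            continue
        per_account = Counter(e["userPrincipalName"] for e in failures)
        if max(per_account.values()) > max_per_account:
            continue  # many tries on few accounts is brute force, not a low-and-slow spray
        compromised = sorted({e["userPrincipalName"] for e in events
                              if e["status"]["errorCode"] == SUCCESS
                              and e["userPrincipalName"] in sprayed
                              and _ts(e) >= _ts(failures[0])})
        findings[ip] = {
            "accounts_targeted": len(sprayed),
            "max_attempts_per_account": max(per_account.values()),
            "legacy_protocols": sorted({e["clientAppUsed"] for e in failures} & LEGACY_CLIENTS),
            "successful_logins_after_spray": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_spray_sources(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

On the sample data only 203.0.113.10 is reported, with six accounts targeted, one attempt each, Authenticated SMTP as the protocol and alice@example.com as the account whose password landed; the user at 198.51.100.7 is ignored because a single account with two failures is not a spray. Tune `window`, `min_accounts` and `max_per_account` to the tenant's lockout policy, and run the same logic against the interactive sign-in logs as well so the two views are compared rather than one of them ignored.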
TAKEAWAYS:
- Password spraying now targets authentication paths, such as Basic Authentication over non-interactive sign-ins, where MFA and Conditional Access are often not enforced, rather than defeating those controls directly.
- Non-interactive sign-ins are a blind spot whenever they are not monitored alongside interactive ones, and attackers are actively using it.
- Organizations relying on Microsoft 365 must enhance authentication monitoring and security controls.
- Nation-state actors may be leveraging this attack for espionage and data theft.
- Transitioning away from legacy authentication methods is crucial before Microsoft’s 2025 deadline.