Summary: A massive botnet comprising over 130,000 compromised devices is conducting widespread password-spray attacks against Microsoft 365 accounts, exploiting Basic Authentication to evade multi-factor authentication. This method allows attackers to use stolen credentials without triggering security alerts, posing significant risks to organizations relying on outdated authentication mechanisms. SecurityScorecard suggests that organizations should take immediate steps to enhance their security posture by disabling Basic Auth and implementing robust login monitoring practices.
Affected: Microsoft 365 accounts
Key points:
- Over 130,000 devices are used in the botnet, targeting M365 accounts through Basic Auth to bypass MFA.
- Basic Authentication transmits credentials in plaintext, making it vulnerable to attacks.
- Signs of the attacks appear in Entra ID sign-in logs as increased failed login attempts and non-interactive sign-ins.
- The botnet is likely linked to Chinese-affiliated threat actors and operates through U.S. and Hong Kong-based command and control servers.
- Organizations are advised to disable Basic Auth and enhance security measures such as MFA and Conditional Access Policies.
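The detection point above (failed, non-interactive sign-ins over Basic Auth spread across many accounts) can be checked against exported Entra ID sign-in events. The following is an added example, not code from the report or from SecurityScorecard; it assumes event dictionaries shaped like the Microsoft Graph signIn schema (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`), and the thresholds and sample telemetry are constructed.

```python
# Flag password-spray activity over legacy (Basic) auth in Entra ID sign-in events.
# Added example, not code from the original report. Event dicts mimic the Microsoft
# Graph signIn schema (userPrincipalName, ipAddress, clientAppUsed, isInteractive,
# status.errorCode); thresholds and the sample telemetry below are constructed.
from collections import defaultdict

# Client apps that authenticate only with Basic Auth (legacy protocols).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}
ERR_INVALID_CREDENTIALS = 50126  # Entra ID: "invalid username or password"


def detect_spray(events, min_users=3, max_attempts_per_user=2):
    """Return {ip: {"users": n, "success": [upn, ...]}} for likely spray sources.

    A spray source tries many distinct accounts a few times each over a legacy
    client, non-interactively, so it never hits an MFA prompt. Any account that
    succeeded from such an IP is listed for immediate credential reset.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> upn -> failed count
    successes = defaultdict(set)                       # ip -> accounts that succeeded
    for ev in events:
        if ev.get("clientAppUsed") not in LEGACY_CLIENT_APPS or ev.get("isInteractive"):
            continue
        ip, upn = ev["ipAddress"], ev["userPrincipalName"].lower()
        code = ev.get("status", {}).get("errorCode", 0)
        if code == 0:
            successes[ip].add(upn)
        elif code == ERR_INVALID_CREDENTIALS:
            failures[ip][upn] += 1
    flagged = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            flagged[ip] = {"users": len(per_user), "success": sorted(successes.get(ip, ()))}
    return flagged


def _ev(upn, ip, app, code):  # build one constructed sign-in event
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": app,
            "isInteractive": False, "status": {"errorCode": code}}


SAMPLE_EVENTS = [  # constructed: one spraying IP, one user mistyping a password
    _ev("alice@example.com", "203.0.113.5", "IMAP4", 50126),
    _ev("bob@example.com", "203.0.113.5", "IMAP4", 50126),
    _ev("carol@example.com", "203.0.113.5", "IMAP4", 50126),
    _ev("dave@example.com", "203.0.113.5", "IMAP4", 0),  # spray found a valid password
    _ev("erin@example.com", "198.51.100.7", "POP3", 50126),
    _ev("erin@example.com", "198.51.100.7", "POP3", 50126),
    _ev("erin@example.com", "198.51.100.7", "POP3", 50126),
]
```

Running `detect_spray(SAMPLE_EVENTS)` flags only 203.0.113.5 (three distinct accounts, one attempt each, one success); the repeated failures for a single user from 198.51.100.7 are the normal lockout pattern, not a spray.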