Botnet looks for quiet ways to try stolen logins in Microsoft 365 environments
Cybersecurity researchers say a large botnet-driven campaign poses a threat to Microsoft 365 environments that still use an authentication process that the tech giant has been phasing out in recent years.
The attackers are employing a botnet of 130,000 compromised devices for “large-scale password spraying attacks” at Microsoft 365 setups that still use “non-interactive sign-ins with Basic Authentication,” according to a report from SecurityScorecard.
Non-interactive sign-ins happen when a user automatically connects to services with credentials that were already stored because of some previous authentication. In some Microsoft 365 environments, non-interactive sign-ins can happen with Basic Authentication — or just a stored username and password — SecurityScorecard notes.
That’s where the botnet does its work, taking login credentials stolen elsewhere and trying them, in large amounts, against potentially vulnerable Microsoft 365 setups, the report says.
Microsoft has been working to end Basic Authentication capabilities for various technologies, but at least one — the SMTP standard for email — will have them in place until September, according to a post from the company last year.
SecurityScorecard says the password-spraying campaign’s technique essentially “bypasses modern login protections and evades MFA [multifactor authentication] enforcement, creating a critical blind spot for security teams.”
The researchers are urging security teams to pay close attention to non-interactive sign-in logs, “which are often overlooked,” for evidence of the illicit activity. If affected, administrators should immediately “rotate credentials belonging to any organization accounts in the logs.”
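The following is an added example (not part of the SecurityScorecard report or the article) showing how a defender could run the check the researchers recommend over non-interactive sign-in logs: group failed Basic Auth (legacy client) sign-ins by source IP, flag IPs that tried many distinct accounts, and list the accounts that succeeded from those IPs as candidates for credential rotation. The log schema, client labels and error code below are simplified assumptions, and the sample events are constructed.

```python
"""Flag password spraying via non-interactive legacy-auth sign-ins."""
import json
from collections import defaultdict

# Client types that imply Basic Authentication; this label set is an
# assumption for the example, not a definitive list from the report.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
BAD_PASSWORD = 50126  # assumed status code meaning "invalid username or password"

# Constructed sample of sign-in events, one JSON object per line (not real data).
SAMPLE_LOG = """
{"ts":"2025-02-24T01:00:01Z","user":"a@corp.example","ip":"203.0.113.7","interactive":false,"client":"IMAP4","code":50126}
{"ts":"2025-02-24T01:00:03Z","user":"b@corp.example","ip":"203.0.113.7","interactive":false,"client":"IMAP4","code":50126}
{"ts":"2025-02-24T01:00:05Z","user":"c@corp.example","ip":"203.0.113.7","interactive":false,"client":"POP3","code":50126}
{"ts":"2025-02-24T01:00:09Z","user":"d@corp.example","ip":"203.0.113.7","interactive":false,"client":"Authenticated SMTP","code":0}
{"ts":"2025-02-24T01:00:12Z","user":"e@corp.example","ip":"198.51.100.9","interactive":false,"client":"IMAP4","code":50126}
{"ts":"2025-02-24T01:00:15Z","user":"f@corp.example","ip":"192.0.2.4","interactive":true,"client":"Browser","code":50126}
"""


def detect_spray(log_text, min_users=3):
    """Return {ip: {"tried": n_distinct_users, "compromised": [users]}} for
    source IPs that attempted at least min_users distinct accounts over
    non-interactive legacy auth. Accounts that succeeded from such an IP
    are the ones whose credentials should be rotated."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        # Only the often-overlooked path: non-interactive + Basic Auth client.
        if ev["interactive"] or ev["client"] not in LEGACY_CLIENTS:
            continue
        if ev["code"] == BAD_PASSWORD:
            failed[ev["ip"]].add(ev["user"])
        elif ev["code"] == 0:
            succeeded[ev["ip"]].add(ev["user"])
    hits = {}
    for ip, users in failed.items():
        if len(users) >= min_users:  # many accounts, few attempts each = spray
            hits[ip] = {"tried": len(users | succeeded[ip]),
                        "compromised": sorted(succeeded[ip])}
    return hits


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Tune `min_users` and the time window to your tenant's baseline; a spray from a 130,000-node botnet may spread attempts across many IPs, so also consider grouping by user agent or ASN.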
The attackers are likely “Chinese-affiliated,” the report says, citing activity tied to China-based cloud services, but “attribution is ongoing.”
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.