Alert! Hackers Use Over 130,000 Botnet Devices in Password-Spraying Attack to Breach Microsoft 365 Accounts

77/68 Wednesday, February 26, 2025

Security researchers from SecurityScorecard have discovered that over 130,000 compromised devices are being used in a large-scale password-spraying attack targeting Microsoft 365 accounts. The attackers leverage a technique called “Non-Interactive Sign-Ins”, which bypasses multi-factor authentication (MFA), making it easier to evade security defenses. Additionally, they utilize stolen credentials obtained from information-stealing malware to access enterprise accounts across various industries, including finance, healthcare, government agencies, and educational institutions.

The attackers exploit legacy authentication protocols (Basic Authentication), which transmit credentials without encryption, making them highly vulnerable. They also coordinate attacks using six command-and-control (C2) servers, which are linked to compromised devices via cloud services originating from China. This method enables unauthorized access to corporate emails, documents, and collaboration tools while remaining undetected. Moreover, it increases the risk of phishing attacks and lateral movement within corporate networks.

Experts recommend that organizations using Microsoft 365 strengthen security monitoring by tracking non-interactive sign-in log events and carefully reviewing login records, especially for suspicious non-interactive sign-ins. Companies should also move away from Basic Authentication to modern authentication methods that fully support MFA, and monitor for unusual data transmissions to mitigate these threats.
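The review of non-interactive sign-in records recommended above can be sketched as follows. This is an added example, not code from SecurityScorecard, Microsoft, or the source article; the record fields (`time`, `user`, `ip`, `error_code`, `interactive`, `basic_auth`), the thresholds, and the sample events are constructed assumptions for a flattened sign-in log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(minute, user, ip, error_code, interactive=False, basic_auth=True):
    # Hypothetical flattened sign-in record; error_code 0 means success.
    return {"time": datetime(2025, 2, 26, 9, minute), "user": user, "ip": ip,
            "error_code": error_code, "interactive": interactive,
            "basic_auth": basic_auth}

# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE = [
    rec(0, "alice", "203.0.113.10", 50126),   # failure (invalid credentials)
    rec(1, "bob",   "203.0.113.10", 50126),
    rec(2, "carol", "203.0.113.10", 50126),
    rec(3, "dave",  "203.0.113.10", 0),       # success from the same source
    rec(5, "erin",  "198.51.100.7", 50126),   # one user retrying: not a spray
    rec(6, "erin",  "198.51.100.7", 50126),
    rec(7, "frank", "192.0.2.5", 50126, interactive=True),  # out of scope here
]

def find_spray_sources(events, min_users=3, window=timedelta(minutes=30)):
    """Flag IPs whose non-interactive failures hit >= min_users accounts
    inside one time window, and report successes from the same IP."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["interactive"]:              # non-interactive sign-ins only
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["error_code"] != 0),
                       key=lambda e: e["time"])
        targets, start = set(), 0
        for end, f in enumerate(fails):       # sliding time window
            while f["time"] - fails[start]["time"] > window:
                start += 1
            users = {x["user"] for x in fails[start:end + 1]}
            if len(users) > len(targets):
                targets = users
        if len(targets) >= min_users:
            findings[ip] = {
                "targets": targets,
                "successes": {e["user"] for e in evs if e["error_code"] == 0},
                "basic_auth": any(e["basic_auth"] for e in evs),
            }
    return findings

if __name__ == "__main__":
    for ip, f in find_spray_sources(SAMPLE).items():
        print(ip, sorted(f["targets"]), "review:", sorted(f["successes"]))
```

Accounts listed under `successes` signed in from a source that was also failing against many other accounts, so they are the first ones to review. With attempts spread over many devices, per-IP counts can stay low, so `min_users` and `window` need tuning against the organization's own baseline.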

Source: https://hackread.com/botnet-devices-microsoft-365-password-spraying-attack/