Introduction

A sophisticated botnet operation is targeting Microsoft 365 (M365) accounts globally, with a particular focus on organizations in Western countries. The campaign exploits weaknesses in the non-interactive sign-in process with Basic Authentication, posing significant risks across many sectors.

Description

A massive botnet [5] [8], consisting of over 130,000 compromised devices [1] [2] [3] [4] [5] [6], is executing large-scale password-spraying attacks against Microsoft 365 (M365) accounts globally [1] [3] [5] [6], particularly targeting organizations in the West [7]. The operation exploits weaknesses in the non-interactive sign-in process using Basic Authentication, which allows the attackers to bypass traditional Multi-Factor Authentication (MFA) checks and evade detection by security monitoring systems and Conditional Access Policies (CAP). Unlike typical password-spraying attacks, which tend to trigger account lockouts [7], this method uses login credentials stolen by infostealer malware and systematically targets a diverse array of M365 tenants across sectors such as financial services, healthcare [4] [6] [7], government [4] [6] [7], technology [4] [6] [7], and education [4] [7]. By distributing login attempts across multiple IP addresses [3], the attackers minimize account lockouts while maximizing the chances of successful compromises [2] [3].

The botnet’s infrastructure employs proxy-based evasion techniques [5], utilizing command-and-control (C2) servers linked to SharkTech, a US-based provider previously associated with malicious activities [6], as well as other servers connected to Chinese hosting providers like CDS Global Cloud and UCLOUD HK. This sophisticated attack method is characterized by its stealth, as login events are recorded only in non-interactive sign-in logs [2], which do not always trigger security alerts [2] [7], creating a critical blind spot for security teams [2]. The attack poses significant risks [4] [7], including unauthorized access to sensitive information [4], data exfiltration [8], service disruptions from repeated login attempts [4], and the potential for compromised accounts to be used in phishing campaigns or lateral movement within organizations [4].

This widespread threat has been observed across multiple M365 tenants, indicating an ongoing risk that frequently goes unnoticed by security teams [1]. Organizations relying solely on interactive sign-in monitoring are particularly vulnerable to these attacks. Successful breaches can lead to stolen sensitive data [5], account lockouts [1] [2] [3] [5] [6] [7], internal phishing attacks [5] [6], and reduced visibility [5], as many security tools do not track non-interactive sign-ins [5].

Microsoft is in the process of phasing out Basic Authentication [2], with a complete retirement scheduled for September 2025 [2]. Until then [5], the botnet will continue to exploit organizations that have not updated their security settings [5]. Experts warn that organizations still using outdated authentication methods are at risk [5], as merely having MFA is insufficient for defense against these sophisticated attacks [7] [8].

To mitigate risks [1] [2] [3] [4], organizations are advised to prioritize the deprecation of Basic Authentication [1], closely examine non-interactive sign-in logs for unauthorized access attempts [2] [7] [8], and audit background service accounts for vulnerabilities [4]. It is crucial to rotate credentials for accounts flagged in recent sign-in attempts and to disable legacy authentication protocols [2]. Additionally, businesses should monitor infostealer logs for stolen credentials linked to their organization and implement CAPs that restrict non-interactive login attempts [2]. Understanding the nuances of non-interactive logins is essential for closing security gaps [7] [8]. Strengthening authentication with MFA or certificate-based authentication [1], together with access policies based on geolocation and device compliance [1], further protects against these evolving threats. Security experts also emphasize the importance of securing all authentication pathways and monitoring access logs to mitigate the risks associated with this attack landscape.
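The log review recommended above can be partly automated. The following is an added example written for this summary, not code from any of the cited reports or from Microsoft: it runs over constructed sign-in records (field names modelled on the Microsoft Graph signIn resource, with error code 50126 standing for an invalid-credential failure) and flags the two signatures the campaign leaves in non-interactive legacy-auth logs: one source IP failing against many distinct accounts, and one account being tried from several IPs.

```python
from collections import defaultdict

# clientAppUsed values that indicate legacy (Basic Auth) protocols in Entra sign-in logs.
LEGACY_CLIENTS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

def ev(user, ip, client, interactive, code):
    """Build one simplified sign-in record (constructed sample data, not real logs)."""
    return {"userPrincipalName": user, "ipAddress": ip, "clientAppUsed": client,
            "isInteractive": interactive, "status": {"errorCode": code}}

SAMPLE_SIGNINS = [
    ev("alice@example.com", "203.0.113.10", "Other clients", False, 50126),
    ev("bob@example.com", "203.0.113.10", "Other clients", False, 50126),
    ev("carol@example.com", "203.0.113.10", "IMAP4", False, 50126),
    ev("dave@example.com", "203.0.113.10", "Other clients", False, 50126),
    ev("eve@example.com", "203.0.113.10", "Other clients", False, 0),      # success: valid stolen credential
    ev("alice@example.com", "192.0.2.5", "Other clients", False, 50126),   # same target from a second proxy IP
    ev("alice@example.com", "198.51.100.7", "Browser", True, 0),           # normal interactive sign-in, ignored
    ev("frank@example.com", "198.51.100.7", "Mobile Apps and Desktop clients", False, 0),  # modern auth, ignored
]

def legacy_noninteractive(signins):
    """Keep only the events that live in the blind spot: non-interactive and legacy protocol."""
    return [e for e in signins
            if not e.get("isInteractive") and e.get("clientAppUsed") in LEGACY_CLIENTS]

def spray_sources(signins, min_users=3, max_success_ratio=0.2):
    """Map each source IP that hit many accounts with mostly failures to the accounts it
    targeted and any accounts it actually signed in to."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for e in legacy_noninteractive(signins):
        rec = by_ip[e["ipAddress"]]
        rec["users"].add(e["userPrincipalName"])
        rec["attempts"] += 1
        if e["status"]["errorCode"] == 0:
            rec["ok"].add(e["userPrincipalName"])
    return {ip: {"targeted": sorted(r["users"]), "successful": sorted(r["ok"])}
            for ip, r in by_ip.items()
            if len(r["users"]) >= min_users and len(r["ok"]) / r["attempts"] <= max_success_ratio}

def distributed_targets(signins, min_ips=2):
    """Accounts tried over legacy auth from at least min_ips distinct IPs, which catches
    attempts spread across many proxies that per-IP thresholds would miss."""
    ips_by_user = defaultdict(set)
    for e in legacy_noninteractive(signins):
        ips_by_user[e["userPrincipalName"]].add(e["ipAddress"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}
```

Accounts listed under "successful" are the ones to rotate first; the rest of the output is the list to check against CAP coverage and legacy-auth blocking.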

Conclusion

The ongoing threat from this botnet underscores the critical need for organizations to update their security protocols and move away from outdated authentication methods. As Microsoft phases out Basic Authentication by September 2025 [3], organizations must proactively address vulnerabilities to prevent unauthorized access and data breaches. Implementing robust security measures, such as enhanced authentication protocols and comprehensive monitoring, is essential to safeguard against these sophisticated cyber threats.

References

[1] https://www.forbes.com/sites/daveywinder/2025/02/25/microsoft-password-spray-and-pray-attack-targets-accounts-without-2fa/
[2] https://www.itpro.com/security/cyber-crime/hackers-are-on-a-huge-microsoft-365-password-spraying-spree-heres-what-you-need-to-know
[3] https://informationsecuritybuzz.com/botnet-targets-ms-365-accounts-passwor/
[4] https://hackread.com/botnet-devices-microsoft-365-password-spraying-attack/
[5] https://techweez.com/2025/02/25/massive-botnet-targets-microsoft-365-users-with-password-spraying-attacks/
[6] https://www.infosecurity-magazine.com/news/chinese-botnet-mfa-microsoft/
[7] https://www.techradar.com/pro/security/massive-botnet-is-targeting-microsoft-365-accounts-across-the-world
[8] https://www.computing.co.uk/news/2025/security/microsoft-365-users-targeted-by-password-spraying-botnet