Imagine waking up to find your Microsoft 365 account compromised. Not because you had a weak password, but because cybercriminals found a way to bypass multi-factor authentication (MFA) entirely. That’s what is happening.
A massive botnet, made up of over 130,000 compromised devices, is running large-scale password spraying attacks against Microsoft 365 users worldwide. By exploiting a security blind spot in non-interactive sign-ins and basic authentication, these attackers are slipping past security defenses undetected.
How Are Hackers Breaking Into Microsoft 365 Accounts?
This is not your typical brute-force attack. Instead of guessing passwords randomly, the attackers are using stolen login credentials from infostealer malware logs. They then attempt logins using non-interactive sign-ins, which don’t require user input and don’t often trigger MFA prompts.
Non-interactive sign-ins are commonly used for:
- Service-to-service authentication.
- Legacy email protocols (POP, IMAP, SMTP).
- Automated processes.
Since these sign-ins don’t always enforce MFA, hackers can use basic authentication to get in; no extra verification is needed. Despite Microsoft working to phase out Basic Auth, many organizations still have it enabled, giving attackers an easy backdoor.
Cybersecurity researchers suspect that this campaign is linked to a Chinese-affiliated threat group, though investigations are still ongoing.
These criminals aren’t just using stolen credentials; they’ve built an entire attack infrastructure to cover their tracks:
- Password spraying: Systematically trying stolen login details across thousands of accounts.
- Proxy-based evasion: Distributing attacks across different IP addresses to avoid detection.
- Command-and-Control (C2) servers: Six servers, all based in the US, are directing these attacks.
- Massive botnet: Over 130,000 hijacked devices are communicating with these C2 servers.
A four-hour snapshot of botnet activity showed these devices aggressively trying to break into accounts worldwide, without triggering security alerts.
If your organization relies only on interactive sign-in monitoring, this attack will go unnoticed. A successful breach can lead to:
- Stolen sensitive data: Emails, documents, and collaboration tools compromised.
- Account lockouts: Repeated login attempts causing downtime and frustration.
- Internal phishing: Attackers using breached accounts to launch secondary attacks.
- Bypassing MFA: No verification prompt means no extra layer of protection.
- Reduced visibility: Many security tools don’t track non-interactive sign-ins.
How to Protect Your Microsoft 365 Accounts
Hackers are exploiting gaps in authentication security, but you don’t have to be their next victim. Here’s how to defend against this attack:
- Disable basic authentication: Microsoft is retiring it soon, but don’t wait; turn it off now.
- Monitor non-interactive sign-ins: Set up alerts for unusual logins and activity.
- Enforce MFA everywhere: Even for service accounts and automated processes.
- Use Privileged Access Management (PAM): Limit service account permissions and enforce credential rotation.
- Strengthen Conditional Access policies: Restrict logins based on location, risk level, and device type.
- Educate security teams: Awareness is key. Make sure your IT team knows about this attack.
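The monitoring step above is the one most organizations lack. As an added example (not code from the article or from Microsoft), the script below runs the spray check over exported sign-in records: it keeps only failed, non-interactive, legacy-protocol sign-ins, then flags any source IP that hit several distinct accounts inside a four-hour window, the same window the researchers used. Field names follow the Microsoft Graph signIn resource and the clientAppUsed values are assumed; the sample records are constructed.

```python
# Added example, not from the article: flag password-spray patterns in Entra ID
# non-interactive sign-in records. Field names follow the Microsoft Graph signIn
# resource and clientAppUsed values are assumed; the sample records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}
INVALID_CREDENTIALS = 50126  # Entra ID error code for a wrong username or password
def _rec(ts, user, ip, app, interactive=False, code=INVALID_CREDENTIALS):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive, "status": {"errorCode": code}}

# Constructed sample: one IP sprays four mailboxes over IMAP/POP within minutes and
# finally gets in; a second IP shows only ordinary, isolated failures.
SAMPLE_SIGNINS = [
    _rec("2025-02-24T10:00:00Z", "alice@example.com", "203.0.113.10", "IMAP4"),
    _rec("2025-02-24T10:05:00Z", "bob@example.com", "203.0.113.10", "IMAP4"),
    _rec("2025-02-24T10:10:00Z", "carol@example.com", "203.0.113.10", "POP3"),
    _rec("2025-02-24T10:15:00Z", "dave@example.com", "203.0.113.10", "IMAP4", code=0),
    _rec("2025-02-24T09:00:00Z", "erin@example.com", "198.51.100.7", "Browser", interactive=True),
    _rec("2025-02-24T18:00:00Z", "frank@example.com", "198.51.100.7", "IMAP4"),
]
def detect_spray(signins, window=timedelta(hours=4), min_users=3):
    """Map source IP -> sorted users for IPs whose failed, non-interactive, legacy-auth
    sign-ins hit at least `min_users` distinct accounts inside any `window`."""
    by_ip = defaultdict(list)
    for s in signins:
        # interactive and modern-auth traffic is already covered by normal MFA monitoring
        if (s["isInteractive"] or s["clientAppUsed"] not in LEGACY_CLIENT_APPS
                or s["status"]["errorCode"] != INVALID_CREDENTIALS):
            continue
        ts = datetime.strptime(s["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[s["ipAddress"]].append((ts, s["userPrincipalName"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over the sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def legacy_successes(signins):  # successful non-interactive legacy-auth sign-ins: review these first
    return [(s["ipAddress"], s["userPrincipalName"]) for s in signins if not s["isInteractive"]
            and s["clientAppUsed"] in LEGACY_CLIENT_APPS and s["status"]["errorCode"] == 0]
```

A spraying IP that eventually appears in `legacy_successes` is the account to reset and investigate first, since that sign-in completed without any MFA prompt.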
Darren Guccione, CEO of Keeper Security, warns that this attack is a wake-up call for businesses still relying on outdated authentication methods.
“Attackers are bypassing MFA by abusing non-interactive sign-ins and stolen credentials. Securing authentication pathways is critical; just having MFA isn’t enough.”
Microsoft plans to fully retire Basic Authentication by 2025, but until then, this botnet will continue to exploit organizations that haven’t updated their security settings.