A massive botnet, linked to a Chinese threat actor, has been caught launching large-scale password spraying attacks on Microsoft 365 accounts. SecurityScorecard, a cybersecurity firm, broke the news on Monday, revealing that over 130,000 compromised devices are being used to power these attacks.
The attackers rely on non-interactive sign-ins using Basic Authentication, a technique that lets them bypass Multi-Factor Authentication (MFA) in many setups, since the legacy protocols that still accept Basic Authentication never trigger an MFA prompt. These sign-ins are typically used for older protocols such as POP, IMAP, and SMTP, as well as for service-to-service authentication. Unfortunately, Basic Authentication still lingers in some environments, making it an easy target for attackers.
Microsoft is phasing out Basic Authentication, but in the meantime this botnet is taking full advantage of it. And because these password spraying attempts land in the non-interactive sign-in logs, which security teams don't usually monitor, they're flying under the radar.
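As an added illustration (not part of the original post or SecurityScorecard's research) of how such a spray shows up in the non-interactive sign-in logs described above, the Python below scans a constructed set of sign-in records and flags any source that fails Basic Authentication logins against many distinct accounts in a short window. The record layout, the client-app labels and the sample IPs are assumptions loosely modelled on Entra ID sign-in log fields, not a real export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Client app labels used in Entra ID sign-in logs for legacy, Basic-Auth protocols.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
BAD_PASSWORD = 50126  # Entra ID error code for "invalid username or password"

# Constructed sample of non-interactive sign-in records (field names loosely follow
# the Entra ID sign-in log schema; this is illustrative data, not a real export).
SAMPLE_LOG = """
{"createdDateTime":"2025-02-24T03:00:01Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:00:09Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:00:17Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","clientAppUsed":"POP3","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:00:25Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:00:33Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:05:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","isInteractive":true,"errorCode":0}
{"createdDateTime":"2025-02-24T03:06:00Z","userPrincipalName":"frank@example.com","ipAddress":"198.51.100.9","clientAppUsed":"IMAP4","isInteractive":false,"errorCode":50126}
{"createdDateTime":"2025-02-24T03:06:30Z","userPrincipalName":"frank@example.com","ipAddress":"198.51.100.9","clientAppUsed":"IMAP4","isInteractive":false,"errorCode":50126}
"""

def parse_events(text):
    """Return (time, ip, user) for failed, non-interactive, legacy-protocol sign-ins."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if (not rec["isInteractive"] and rec["clientAppUsed"] in LEGACY_CLIENT_APPS
                and rec["errorCode"] == BAD_PASSWORD):
            ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, rec["ipAddress"], rec["userPrincipalName"].lower()))
    return events

def detect_spray(text, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> distinct accounts it failed against within one window.
    A spray hits many accounts once or twice each, so per-user lockouts never fire;
    counting distinct users per source, not failures per user, is what exposes it."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_events(text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, evs in sorted(by_ip.items()):
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            best = max(best, len({u for t, u in evs[i:] if t - start <= window}))
        if best >= min_users:
            hits[ip] = best
    return hits
```

Running `detect_spray(SAMPLE_LOG)` on the constructed sample returns `{'203.0.113.10': 5}`; the repeated failures against a single account from 198.51.100.9 look like a lockout-style guess, not a spray, and are not flagged.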
SecurityScorecard tracked the botnet's activity and found several command and control (C2) servers based in the U.S. Over a four-hour period, they observed 130,000 devices communicating with these servers.
Here’s what the attackers are doing:
While SecurityScorecard believes this botnet is controlled by a Chinese threat group, its investigation is still ongoing. Microsoft, in an October 2024 report, also flagged multiple Chinese threat actors using password spray attacks from a similar botnet, tracked under names such as CovertNetwork-1658, Xlogin, and Quad7.
We hope you’ve liked this blog and that you’ll stick around to see our future releases. We cover everything from recent IT News to Knowledgebase articles. Thanks for reading!