Massive Botnet Exploits Microsoft 365 Weaknesses in Large-Scale Attacks


A Growing Cyber Threat

A massive botnet comprising over 130,000 compromised devices is actively conducting password-spraying attacks against Microsoft 365 (M365) accounts worldwide. These attacks exploit outdated authentication methods, particularly Basic Authentication (Basic Auth), to bypass Multi-Factor Authentication (MFA) and gain unauthorized access.

According to a report by SecurityScorecard, the attackers are using credentials stolen by infostealer malware to automate large-scale attacks. The botnet’s strategy involves non-interactive sign-ins, which do not trigger MFA in many security configurations, making it easier for cybercriminals to gain access undetected.

Basic Authentication, an outdated method where credentials are transmitted in plain text or base64 encoding, remains enabled in some environments. Despite Microsoft’s plans to deprecate it by September 2025, attackers continue exploiting it to gain entry into systems without being flagged.

The botnet, suspected to have links to Chinese threat actors, operates through six command-and-control (C2) servers hosted by Shark Tech in the U.S., while routing traffic through Hong Kong-based UCLOUD HK and China-affiliated CDS Global Cloud. The infrastructure is managed using Apache Zookeeper and Kafka, with system time zones set to Asia/Shanghai, indicating possible Chinese origins.

Security researchers warn that organizations relying solely on interactive login monitoring are vulnerable. Indicators of compromise (IoCs) include increased login attempts for non-interactive sign-ins, multiple failed logins from different IPs, and the use of the “fasthttp” user agent in authentication logs.

To protect against such attacks, organizations are urged to disable Basic Auth, implement Conditional Access Policies (CAPs), monitor Entra ID logs, and enforce MFA across all accounts.

What Undercode Says:

The discovery of this massive botnet raises serious concerns about the security of Microsoft 365 accounts and the continued reliance on outdated authentication mechanisms. The attack highlights multiple cybersecurity gaps that organizations need to address urgently.

1. The Persistence of Basic Authentication

Despite

2. Non-Interactive Logins: A Blind Spot

Most security monitoring solutions focus on interactive logins, leaving non-interactive authentication largely unmonitored. This attack method allows cybercriminals to conduct stealthy intrusions without triggering alerts. Organizations must update their monitoring strategies to track these login attempts more effectively.

3. The Power of Large-Scale Botnets

By distributing login attempts across 130,000 compromised devices, attackers evade detection by avoiding high failure rates from single IPs. This method of “low and slow” attacks makes traditional security measures, such as blocking a handful of malicious IPs, ineffective.

4. Cloud-Based Security Challenges

Cloud services like Microsoft 365 are prime targets because they house critical business data and are accessible from anywhere. Attackers exploit misconfigurations, legacy authentication settings, and gaps in cloud security policies to infiltrate accounts.

5. The Role of Chinese Cyber Threats

While attribution remains uncertain, the infrastructure used by the botnet suggests ties to China-based entities. This aligns with past incidents where Chinese-affiliated cyber groups have targeted Western organizations for espionage and financial gain.

6. FastHTTP Go Library and Automated Attacks

The use of the FastHTTP Go library for these attacks suggests a shift towards more efficient and automated attack methods. By leveraging high-performance networking libraries, attackers can scale their operations while maintaining stealth.

7.

Microsoft’s decision to phase out Basic Authentication by September 2025 is a step in the right direction, but given the active exploitation, some argue that this change should happen sooner. Until then, organizations that have not proactively disabled Basic Auth remain highly vulnerable.

8. Steps Organizations Must Take Immediately

  • Disable Basic Authentication: Organizations should manually disable Basic Auth if it is still active in their M365 environments.
  • Enforce Multi-Factor Authentication: Ensure MFA is enabled for all accounts, including service accounts.
  • Implement Conditional Access Policies (CAPs): Restrict access based on IP addresses, geographic location, and device compliance.
  • Monitor Entra ID Logs: Look for non-interactive login attempts and patterns matching password spray attacks.
  • Block Known Malicious IPs: Security teams should review the list of IP addresses used by the botnet and restrict access accordingly.
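The indicators listed earlier (failed non-interactive sign-ins, many source IPs with few attempts each, the fasthttp user agent) and the "Monitor Entra ID Logs" step above can be turned into a simple triage check. This is an added example, not code from the original article or from SecurityScorecard; the record fields and thresholds are assumptions loosely modelled on Entra ID sign-in log attributes, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample, loosely modelled on Entra ID sign-in log fields
# (userPrincipalName, ipAddress, isInteractive, clientAppUsed, userAgent,
# status.errorCode). Values are illustrative, not real telemetry.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "interactive": False,
     "client": "IMAP4", "ua": "fasthttp", "error": 50126},
    {"user": "bob@example.com", "ip": "198.51.100.7", "interactive": False,
     "client": "IMAP4", "ua": "fasthttp", "error": 50126},
    {"user": "carol@example.com", "ip": "192.0.2.44", "interactive": False,
     "client": "Exchange ActiveSync", "ua": "fasthttp", "error": 50126},
    {"user": "dave@example.com", "ip": "203.0.113.10", "interactive": False,
     "client": "IMAP4", "ua": "fasthttp", "error": 50126},
    {"user": "erin@example.com", "ip": "198.51.100.200", "interactive": True,
     "client": "Browser", "ua": "Mozilla/5.0", "error": 0},
]

# Legacy client protocols that rely on Basic Auth and do not prompt for MFA.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def analyse_noninteractive(events, min_users=3, min_ips=3):
    """Summarise failed non-interactive sign-ins and decide whether the
    spread (many users, many source IPs, few attempts per IP) looks like a
    distributed password spray. Thresholds are illustrative assumptions."""
    failed = [e for e in events if not e["interactive"] and e["error"] != 0]
    attempts_per_ip = defaultdict(int)
    users, fasthttp_hits, legacy_hits = set(), 0, 0
    for e in failed:
        attempts_per_ip[e["ip"]] += 1
        users.add(e["user"])
        fasthttp_hits += int("fasthttp" in e["ua"].lower())
        legacy_hits += int(e["client"] in LEGACY_CLIENTS)
    return {
        "failed_noninteractive": len(failed),
        "distinct_users": len(users),
        "distinct_ips": len(attempts_per_ip),
        # A low value here means per-IP lockout thresholds would never fire.
        "max_attempts_per_ip": max(attempts_per_ip.values(), default=0),
        "fasthttp_hits": fasthttp_hits,
        "legacy_protocol_hits": legacy_hits,
        "spray_suspected": len(users) >= min_users and len(attempts_per_ip) >= min_ips,
    }


if __name__ == "__main__":
    for key, value in analyse_noninteractive(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

The same summary is what a KQL query over the real sign-in tables would compute; the point is that the signal lives in the non-interactive failures, which per-IP counting alone misses.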

Final Thoughts

This botnet attack serves as a stark reminder of the evolving cyber threats targeting cloud-based services. Organizations must take immediate action to secure their Microsoft 365 environments and eliminate outdated authentication methods before they become the next victim.

References:

Reported By: https://www.bleepingcomputer.com/news/security/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks/