Overview:
A sophisticated botnet made up of over 130,000 compromised devices is orchestrating large-scale password spraying attacks against Microsoft 365 accounts worldwide, according to recent findings from security researchers.
This campaign is particularly concerning because it employs techniques designed to bypass multi-factor authentication (MFA) protections.
What to Know:
The botnet systematically attempts to access M365 environments using credentials harvested from infostealer malware. Upon obtaining initial access, threat actors can leverage compromised accounts to conduct lateral movement within networks. One subsequent risk is internally launched phishing campaigns, which can prove particularly difficult to detect.
Organizations should also be aware that this botnet campaign can cause account lockouts through repeated failed authentication attempts. That adds to the workload of security and IT teams, which are often already stretched thin.
Industries that are reliant on Microsoft 365 for core business operations face the highest levels of risk. Financial services, healthcare, government groups and technology providers are potential targets.
Technical Sophistication:
What makes this botnet particularly dangerous is its ability to evade multi-factor authentication and to potentially bypass Conditional Access Policies (CAP). The attackers accomplish this by utilizing a method that causes login events to be logged in the non-interactive sign-in logs, rather than standard authentication channels.
Non-interactive sign-ins function as delegated authentications performed by client applications or operating system components on behalf of users. Critically, these sign-in attempts often don’t require users to provide authentication factors and frequently don’t trigger MFA protections in standard configurations.
Organizations whose security set-up relies solely on monitoring interactive sign-in events are unable to identify these attacks as they occur.
Recommended Measures:
To protect your organization from this sophisticated threat, security teams may wish to implement the following measures:
1. Reassess access policies to incorporate strict controls. These may be based on geolocation and device compliance status, particularly for non-interactive authentication events.
2. Expand security monitoring to include a comprehensive review of non-interactive sign-in logs, looking for patterns that might indicate unauthorized access attempts.
3. Disable legacy authentication protocols, including Basic Authentication, which frequently provide attackers with paths around modern security controls.
4. Create a system for monitoring credential leaks on underground forums. Be ready to implement rapid response procedures to reset potentially compromised accounts.
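As an added illustration of the monitoring measure above (example code written for this article, not from the researchers, Microsoft or any vendor), the routine below scans non-interactive sign-in records, modelled on the field names of Entra ID sign-in logs, for the spray signature of one source address failing against many distinct accounts, and then lists any accounts that the same source went on to sign into successfully. The log records, thresholds and helper names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, user, ip, code):
    # Shape modelled on Entra ID sign-in log records (createdDateTime,
    # userPrincipalName, ipAddress, status.errorCode); values are constructed.
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample: one source spraying five accounts (one succeeds), and one
# legitimate user mistyping a password twice. errorCode 0 = success.
SAMPLE_LOGS = [
    rec("2025-02-24T10:00:05Z", "a.lee@example.com",    "203.0.113.10", 50126),
    rec("2025-02-24T10:00:09Z", "b.ortiz@example.com",  "203.0.113.10", 50126),
    rec("2025-02-24T10:00:14Z", "c.ng@example.com",     "203.0.113.10", 50126),
    rec("2025-02-24T10:00:20Z", "d.ivanov@example.com", "203.0.113.10", 50126),
    rec("2025-02-24T10:00:27Z", "e.khan@example.com",   "203.0.113.10", 0),
    rec("2025-02-24T09:15:00Z", "f.diaz@example.com",   "198.51.100.7", 50126),
    rec("2025-02-24T09:15:30Z", "f.diaz@example.com",   "198.51.100.7", 50126),
    rec("2025-02-24T09:16:10Z", "f.diaz@example.com",   "198.51.100.7", 0),
]

def detect_password_spray(records, window=timedelta(minutes=30), min_users=4):
    """Return {ip: sorted users} for sources that failed against at least
    min_users distinct accounts within any window-long span. Many accounts
    from one source is the spray signature; a single user retrying is not."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[r["ipAddress"]].append((ts, r["userPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def spray_successes(records, flagged):
    """Accounts that a flagged source signed into successfully: these are the
    credentials to reset first, since the spray found a working password."""
    hits = defaultdict(set)
    for r in records:
        if r["ipAddress"] in flagged and r["status"]["errorCode"] == 0:
            hits[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in hits.items()}

if __name__ == "__main__":
    flagged = detect_password_spray(SAMPLE_LOGS)
    print("spray sources:", flagged)
    print("accounts to reset:", spray_successes(SAMPLE_LOGS, flagged))
```

The same logic maps directly onto a scheduled query against the non-interactive sign-in table of your SIEM; the window and user-count thresholds should be tuned to your tenant's normal failure rate.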
More Information:
This advanced botnet campaign demonstrates how threat actors continue to evolve their techniques to circumvent even the most effective security controls, such as multi-factor authentication.
The advanced nature of this threat highlights the need for comprehensive security solutions that can address both current and emerging threats to your email environment.
If you’re ready to elevate your organization’s email and workspace security posture, schedule a demo or reach out to your local representative.