A new botnet-powered cyber attack is putting Microsoft 365 users at risk. Security researchers at SecurityScorecard have reported that over 130,000 compromised devices are being used to launch coordinated password-spraying attacks against Microsoft 365 accounts.
What’s Happening?
Instead of relying on interactive sign-ins, which produce the repeated-failure alerts most teams watch for, the attackers are using non-interactive sign-ins for their campaigns. Non-interactive sign-ins are performed by a client or service on a user's behalf (background mail clients, scheduled tasks, API integrations) and, in many tenant configurations, are not subject to an MFA prompt. They are also written to a separate sign-in log from interactive user logins. As a result, the activity can go unnoticed by monitoring that only reviews standard interactive user log-ins.
What’s more, attackers are making systematic attempts using stolen credentials from infostealer logs. Their approach targets a wide range of Microsoft 365 tenants, affecting organizations from financial services, healthcare, government, technology firms, and educational institutions.
How the Attack Works
- Non-Interactive Sign-Ins: The attackers perform sign-in attempts that are less likely to trigger immediate alerts or lockout-driven investigations. Because these attempts land in the non-interactive sign-in log rather than the interactive one, they often escape the notice of standard monitoring tools and detection rules.
- Basic Authentication Abuse: By using legacy Basic Authentication protocols (for example IMAP, POP and SMTP AUTH), attackers present a plain username and password with every request. The connection is usually TLS-encrypted, so the problem is not eavesdropping but that Basic Authentication cannot enforce MFA and sidesteps many Conditional Access controls, so a valid stolen password is enough to get in. This leaves accounts far more exposed than with modern authentication.
- Command and Control Coordination: Evidence shows that attackers are coordinating their efforts through six command-and-control (C2) servers. These servers communicate with thousands of infected devices and are supported by proxy services from well-known cloud providers with ties to China. Analysis of the network traffic has revealed several open ports on these servers, which are likely used for tasks such as managing the botnet and sending instructions to the compromised devices.
According to SecurityScorecard’s report, this is concerning for organizations relying on Microsoft 365, as they face multiple risks. Unauthorized account access can expose sensitive emails, documents, and collaboration tools to attackers. Service disruptions may occur due to repeated login attempts, leading to account lockouts that interrupt daily operations.
Additionally, once in control, cybercriminals can misuse compromised accounts for phishing campaigns or move laterally within the organization, further escalating security threats. Because the attack exploits non-interactive sign-ins, teams that monitor just the usual interactive log-in events might miss these suspicious activities. Updating security monitoring to include non-interactive log events is an important step for organizations using Microsoft 365.
Security teams are encouraged to review sign-in logs carefully. Paying attention to non-interactive log entries and suspicious login attempts can help spot this kind of unwanted activity.
Organizations should audit background service accounts: identify those still using Basic Authentication, and rotate the credentials of any account that appears in non-interactive sign-in logs with suspicious activity. It is also crucial to review authentication methods and move from legacy protocols to modern authentication that fully supports MFA.
Additionally, monitoring for unusual traffic, such as abnormal login patterns or connections from IP addresses associated with command and control servers, can help detect and mitigate potential security threats.
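The review steps above (non-interactive sign-in triage, finding accounts on legacy protocols, and spotting spray sources) can be scripted against an export of Microsoft Entra ID sign-in records. The following is an added example written for this page, not code from SecurityScorecard or Microsoft. It assumes the records use the Microsoft Graph `signIn` field names (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`), that error code 50126 means an invalid username or password and 0 means success, and that the set of legacy client app names used here is the one to flag; the sample records are constructed, not real tenant data.

```python
"""Triage Microsoft 365 / Entra ID sign-in records for password spraying.

Added example (not from the original article). Assumptions:
  * Records follow the Microsoft Graph `signIn` resource field names.
  * status.errorCode 50126 == invalid username or password; 0 == success.
  * LEGACY_CLIENT_APPS lists the clientAppUsed values that imply Basic Auth.
The sample records below are constructed for the example.
"""
import json
from collections import defaultdict

INVALID_CREDENTIALS = 50126
SUCCESS = 0

# clientAppUsed values that indicate legacy (Basic Auth) protocols (assumption).
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Other clients", "Autodiscover",
}

# Constructed sample export: one spray source (203.0.113.10) fails against
# four accounts over IMAP4 non-interactively, then succeeds against one.
SAMPLE_SIGNINS = json.loads(r"""
[
 {"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}},
 {"userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}},
 {"userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}},
 {"userPrincipalName":"Dave@contoso.example","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":0}},
 {"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":50126}},
 {"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":0}},
 {"userPrincipalName":"svc-backup@contoso.example","ipAddress":"192.0.2.5","clientAppUsed":"Exchange ActiveSync","isInteractive":false,"status":{"errorCode":0}}
]
""")


def _error_code(record):
    return record.get("status", {}).get("errorCode")


def spray_sources(records, min_distinct_users=3):
    """Source IPs whose NON-INTERACTIVE sign-ins failed with bad credentials
    against at least `min_distinct_users` distinct accounts.

    Interactive failures are excluded on purpose: they are already covered by
    conventional failed-login alerting, and the point here is the log most
    teams do not read. Returns {ip: [sorted user principal names]}.
    """
    failures = defaultdict(set)
    for r in records:
        if r.get("isInteractive"):
            continue
        if _error_code(r) != INVALID_CREDENTIALS:
            continue
        failures[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(u) for ip, u in failures.items() if len(u) >= min_distinct_users}


def legacy_auth_accounts(records):
    """Accounts that SUCCESSFULLY authenticated via a legacy client app.

    These are the service and user accounts to migrate to modern auth and
    whose credentials to rotate. Returns {upn: [sorted client apps]}.
    """
    apps = defaultdict(set)
    for r in records:
        if _error_code(r) == SUCCESS and r.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            apps[r["userPrincipalName"].lower()].add(r["clientAppUsed"])
    return {u: sorted(a) for u, a in apps.items()}


def compromised_candidates(records, sprayers):
    """Accounts that a flagged spray source later signed into successfully.

    Highest-priority findings: reset the password, revoke sessions and
    investigate mailbox rules and OAuth grants. Returns a sorted list of UPNs.
    """
    hits = set()
    for r in records:
        if r.get("ipAddress") in sprayers and _error_code(r) == SUCCESS:
            hits.add(r["userPrincipalName"].lower())
    return sorted(hits)


if __name__ == "__main__":
    sprayers = spray_sources(SAMPLE_SIGNINS)
    print("Spray sources:", json.dumps(sprayers, indent=2))
    print("Legacy-auth accounts:", json.dumps(legacy_auth_accounts(SAMPLE_SIGNINS), indent=2))
    print("Likely compromised:", compromised_candidates(SAMPLE_SIGNINS, sprayers))
```

In a real tenant the records would come from the non-interactive user sign-in log (Entra ID portal export, the Graph `auditLogs/signIns` endpoint, or a Log Analytics workspace); the threshold and the legacy client list should be tuned to the tenant, and any IP that appears in threat intelligence for the campaign's C2 infrastructure can be added as a separate match.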
With Microsoft planning to fully retire certain Basic Authentication protocols later this year, now is a good time for organizations to strengthen their protection against these kinds of covert attacks.
Expert Comment
Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of certificate lifecycle management (CLM), comments on securing non-interactive logins in Microsoft 365.
“Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations,” Soroko explains. “They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.”
Unlike interactive user authentication, non-interactive logins typically cannot be protected by Multi-Factor Authentication (MFA). “Instead, these automated logins should use alternative secure mechanisms such as certificates, or other forms of non-shared managed identities,” Soroko advises. “Organizations should better secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring.”
Microsoft 365 offers configurations to restrict non-interactive logins. “Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins,” Soroko notes. “However, such restrictions must be applied thoughtfully to avoid disrupting legitimate automated processes.”