Massive botnet hits Microsoft 365 accounts


A recently discovered botnet of over 130,000 compromised devices is launching coordinated password-spraying attacks against Microsoft 365 (M365) accounts.

Security researchers at SecurityScorecard are examining possible connections to China-affiliated threat actors, citing evidence of infrastructure linked to CDS Global Cloud and UCLOUD HK, which have operational ties to China. The attack utilizes command-and-control (C2) servers hosted by SharkTech, a U.S.-based provider previously identified for hosting malicious activity.

“These findings from our STRIKE Threat Intelligence team reinforce how adversaries continue to find and exploit gaps in authentication processes,” said David Mound, Threat Intelligence Researcher at SecurityScorecard. “Organizations cannot afford to assume that MFA alone is a sufficient defense. Understanding the nuances of non-interactive logins is crucial to closing these gaps.”

Is this a new attack?

While password spraying is a well-known technique, this campaign is notable for its scale, stealth, and exploitation of a critical security blind spot. Unlike previous attacks linked to Volt Typhoon (China) and APT33 (Iran), this botnet leverages Non-Interactive Sign-Ins to avoid detection by traditional security controls.

Typically, password spraying results in lockouts that alert security teams. However, this campaign explicitly targets Non-Interactive Sign-Ins, which are used for service-to-service authentication and do not always generate security alerts. This enables attackers to operate without triggering MFA defenses or Conditional Access Policies (CAP), even in highly secured environments.

Who is at risk?

This attack has implications for many industries, but organizations relying heavily on Microsoft 365 for email, document storage, and collaboration may be at particular risk. Key affected sectors include:

  • Financial services and insurance: High-value targets for fraud, insider threats, and regulatory concerns.
  • Healthcare: Risks of unauthorized access to patient records and disruption of operations.
  • Government and defense: Possible espionage and data exfiltration concerns.
  • Technology and SaaS providers: Threat actors could compromise accounts to launch supply chain attacks.
  • Education and research institutions: Universities and research labs remain a frequent target for intellectual property theft.

Why it matters

  • Potential nation-state ties: Infrastructure and tactics suggest links to an advanced actor, with Chinese-affiliated hosting providers being used in the attack.
  • Bypassing defenses: Even companies with strong security postures may be vulnerable due to gaps in how these authentication attempts are logged.
  • Growing trend: Similar tactics have been observed in past campaigns, particularly targeting government agencies, critical infrastructure, and large enterprises.

What security teams need to do now

  • Review non-interactive sign-in logs for unauthorized access attempts.
  • Rotate credentials for any accounts flagged in recent sign-in attempts.
  • Disable legacy authentication protocols like Basic Authentication.
  • Monitor for stolen credentials linked to their organization in infostealer logs.
  • Implement conditional access policies that restrict non-interactive login attempts.
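The first action above, reviewing non-interactive sign-in logs, is where the campaign's blind spot shows up: a spray that never touches an interactive login produces no lockout alert, so the signal has to be pulled out of the non-interactive log stream directly. The following is an added example, not code from the article or from SecurityScorecard, that runs a simple spray heuristic over constructed sign-in records shaped like Microsoft Entra ID sign-in log entries (the field names `userPrincipalName`, `ipAddress`, `isInteractive`, `createdDateTime` and `status.errorCode` follow the Graph signIn resource; the values, addresses and timestamps are made up). The error codes 50126 (invalid username or password) and 50053 (account locked) are real Entra codes; the thresholds are assumptions to tune per tenant. The heuristic is the classic one: one source address producing credential failures against many distinct accounts inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error codes that indicate a credential guess, not a policy block.
FAILURE_CODES = {50126, 50053}  # 50126 = invalid password, 50053 = account locked


def _rec(t, upn, ip, code, interactive):
    """Build one constructed log line in the shape of an Entra sign-in record."""
    return json.dumps({
        "createdDateTime": t,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "isInteractive": interactive,
        "status": {"errorCode": code},
    })


# Constructed sample: one address sprays six accounts non-interactively in six
# minutes, one user fat-fingers their own password interactively three times,
# and one non-interactive sign-in succeeds (errorCode 0). Addresses are from
# RFC 5737 documentation ranges; the date is arbitrary.
SAMPLE_LOG_LINES = [
    _rec(f"2025-02-24T03:{10 + i:02d}:00Z", f"user{i}@example.com",
         "203.0.113.10", 50126, False)
    for i in range(6)
] + [
    _rec(f"2025-02-24T03:20:{i * 10:02d}Z", "alice@example.com",
         "198.51.100.7", 50126, True)
    for i in range(3)
] + [
    _rec("2025-02-24T03:30:00Z", "bob@example.com", "198.51.100.8", 0, False),
]


def parse_events(lines):
    """Parse JSON log lines into flat dicts with a timezone-aware datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(
                rec["createdDateTime"].replace("Z", "+00:00")),
            "upn": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "interactive": bool(rec.get("isInteractive", True)),
            "errorCode": int(rec.get("status", {}).get("errorCode", 0)),
        })
    return events


def detect_spray(events, window_minutes=30, min_users=5):
    """Return {ip: [accounts]} for source addresses whose NON-interactive
    credential failures hit at least min_users distinct accounts within
    any window_minutes-long sliding window. Interactive failures are left
    to the normal lockout path; this function looks only at the stream
    the article describes as the blind spot."""
    by_ip = defaultdict(list)
    for e in events:
        if e["interactive"] or e["errorCode"] not in FAILURE_CODES:
            continue
        by_ip[e["ip"]].append((e["time"], e["upn"]))

    flagged = {}
    window = timedelta(minutes=window_minutes)
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within window length.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {upn for _, upn in attempts[start:end + 1]}
            # Keep the largest qualifying set of targeted accounts for this IP.
            if len(users) >= min_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = sorted(users)
    return flagged


if __name__ == "__main__":
    for ip, users in detect_spray(parse_events(SAMPLE_LOG_LINES)).items():
        print(f"possible non-interactive spray from {ip}: {len(users)} accounts")
```

In a real tenant the same grouping is what you would run against the `AADNonInteractiveUserSignInLogs` table in Log Analytics rather than over exported JSON; the point the example makes is that a detection which only consumes the interactive sign-in table never sees the 203.0.113.10 activity at all, which is exactly the gap the campaign relies on. Rotating credentials for the accounts returned per address maps directly to the second action in the list.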

With Microsoft set to fully retire Basic Authentication by September 2025, these attacks underscore the urgency of transitioning to more secure authentication methods before they are exploited on an even larger scale.
