Massive Botnet Targets MS 365 Accounts with Password Spraying Attacks

By Kirsten Doyle, February 25, 2025

A botnet made up of more than 130,000 compromised devices is conducting large-scale password-spraying attacks against M365 accounts, exploiting non-interactive sign-ins with Basic Authentication.  

This method lets malicious actors bypass modern login protections, evade multi-factor authentication (MFA) enforcement, and remain undetected by security teams. 

Leveraging Purloined Credentials 

Malefactors are leveraging stolen credentials from infostealer logs to systematically target M365 accounts on a global scale. These attacks are recorded in Non-Interactive Sign-In logs, an area frequently overlooked by security teams. They exploit this gap to launch high-volume password spraying attempts without triggering security alerts. 

Non-interactive sign-ins are often used for service-to-service authentication, legacy protocols such as POP, IMAP, and SMTP, and automated processes. In many configurations, they don’t prompt MFA, which is why they are a compelling vector for attackers.  

The continued use of Basic Authentication, despite Microsoft’s ongoing deprecation efforts, only adds to the risk by enabling credentials to be transmitted in plaintext. 

Microsoft has been phasing out Basic Authentication, with full retirement of SMTP AUTH scheduled for September this year; however, the ongoing exploitation of this mechanism highlights the immediate threat entities face.

A Combination of TTPs 

The campaign is believed to be linked to a Chinese-affiliated threat group, though attribution is still ongoing.  

The criminals use a combination of tactics, techniques, and procedures (TTPs) that include password spraying, the abuse of non-interactive sign-ins, the exploitation of Basic Authentication, the use of stolen credentials, and proxy-based evasion. 

When it comes to their infrastructure, they have six C2 servers hosted in the US and depend heavily on proxies hosted by UCLOUD.HK and CDS Global Cloud. According to the researchers, a four-hour snapshot showed over 130,000 compromised devices communicating with said servers. 

The botnet systematically uses stolen credentials from infostealer logs across various M365 accounts. By distributing login attempts across multiple IP addresses, the bad actors limit account lockouts yet maximize the probability of successful account compromise.

A Host of Dangers 

Entities relying on interactive sign-in monitoring alone are at particular risk of these attacks. The impact of this campaign extends beyond the initial account compromise: 

  • Threat actors may gain control over sensitive emails, documents, and collaboration tools. 
  • Repeated login attempts can lead to account lockouts, affecting operational continuity. 
  • Compromised accounts could be used for internal phishing, further infiltration, or launching secondary attacks. 
  • Non-interactive logins allow attackers to bypass MFA enforcement in many configurations. 
  • Depending on implementation, attackers may circumvent Conditional Access Policy (CAP) mechanisms, further reducing visibility and response effectiveness. 

A Critical Weakness in Authentication Security

This botnet campaign exposes a critical weakness in authentication security, says Darren Guccione, CEO and Co-Founder at Keeper Security. “Attackers are bypassing multi-factor authentication (MFA) and Conditional Access Policies by exploiting non-interactive sign-ins, which rely on stored credentials rather than user-driven authentication. Unlike traditional password spraying, this technique avoids triggering security alerts, allowing adversaries to operate undetected, even in well-secured environments.” 

Guccione says for firms heavily reliant on Microsoft 365, this attack is a wake-up call. “Robust cybersecurity isn’t just about having MFA – it’s about securing every authentication pathway. A password manager enforces strong, unique credentials while minimizing exposure to credential-based attacks.” 

For non-interactive authentication, Privileged Access Management (PAM) is essential to ensure least-privilege access, regular credential rotation and real-time monitoring of service accounts, Guccione says. 

“Security leaders must take a proactive stance by reviewing access logs, limiting unnecessary non-interactive sign-ins, and refining authentication policies. With Microsoft phasing out Basic Authentication in 2025, organizations must act now to close these gaps before attackers scale their operations even further.” 

Access Policies Based on Geo Location 

As attackers refine their methods to slip through conventional security nets, businesses must proactively monitor and secure their authentication mechanisms to mitigate the risk of account compromise.

These latest botnet attack tactics are a significant evolutionary step forward compared to previously used password spraying tactics, says Boris Cipot, Senior Security Engineer at Black Duck. “Password spraying attacks involve using commonly used passwords, such as ‘password123’ or ‘nimda’ for example, on several accounts. The passwords are usually collected from Credential Dumps, which attackers access from the Dark Web.” 

Cipot says that to avoid brute-force protections, malefactors limit the password testing on user accounts to avoid lockout policies, which, in the past, meant attacks lasted for a long period of time using automation tools; and to avoid other monitoring systems, attacks were committed during working hours.  

“However, new attack tactics deploy non-interactive sign-ins which are not as prone to typical security alerts like failed login. Non-interactive sign-ins include logins over API or automated services, for example. Therefore, this new botnet leverages gaps that organizations have in their authentication monitoring.”

To lower the risk of these attacks, Cipot adds that businesses need to deploy access policies based on geolocation and device compliance. “Additionally, all failed login attempts need to be monitored and acted on. To make login more secure, MFA or Certificate-based Authentication provides an additional level of security. When talking about monitoring, it is also important to have intelligence involved. Systems that offer AI can deploy behavioral analysis and identify stealth attacks. However, tracking the IP and deploying rate-limiting can help to lower the success rate of such attacks.” 
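To make the monitoring gap described above concrete (the non-interactive, legacy-protocol sign-ins in the first section and Cipot's advice to monitor failed logins and track source IPs), here is an added example that is not from the article, the researchers or any vendor. It scans constructed sign-in records whose field names follow the Entra sign-in log schema (users, IPs and timestamps are made up) for bad-password failures over Basic Auth protocols spread across many accounts and source IPs, and lists any account that then authenticated from one of those sources.

```python
import json
from collections import defaultdict

# Client types in the Entra "clientAppUsed" field that imply legacy/Basic Auth.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
BAD_PASSWORD = 50126  # Entra error code: invalid username or password

# Constructed sample of non-interactive sign-in records, one JSON object per line
# (schema modelled on Entra sign-in logs; every value here is made up).
SAMPLE_LOG = """
{"createdDateTime":"2025-02-20T02:01:10Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:12Z","userPrincipalName":"b.ng@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:15Z","userPrincipalName":"c.diaz@example.com","ipAddress":"203.0.113.11","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:18Z","userPrincipalName":"d.roy@example.com","ipAddress":"203.0.113.12","clientAppUsed":"POP3","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:20Z","userPrincipalName":"e.kim@example.com","ipAddress":"203.0.113.12","clientAppUsed":"POP3","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T09:15:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.5","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
"""

def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_spray(records, min_accounts=3):
    """Flag a legacy-auth password spray. Attempts are spread over many IPs,
    so count distinct accounts failing over Basic Auth across the whole batch,
    not failures per IP; then check which accounts later succeeded from a spray IP."""
    failed_accounts, spray_ips = set(), set()
    successes = defaultdict(set)  # source IP -> accounts that authenticated
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue  # modern auth; not the pattern this campaign uses
        code = r.get("status", {}).get("errorCode")
        if code == BAD_PASSWORD:
            failed_accounts.add(r["userPrincipalName"])
            spray_ips.add(r["ipAddress"])
        elif code == 0:
            successes[r["ipAddress"]].add(r["userPrincipalName"])
    if len(failed_accounts) < min_accounts:
        return None  # below the spray threshold: nothing to report
    compromised = {u for ip in spray_ips for u in successes.get(ip, ())}
    return {
        "accounts_tried": len(failed_accounts),
        "source_ips": sorted(spray_ips),
        "likely_compromised": sorted(compromised),
    }

if __name__ == "__main__":
    print(find_spray(parse_log(SAMPLE_LOG)))
```

On the sample, a.lee's later interactive success over modern auth is ignored, while e.kim's POP3 success from a spraying IP is reported as likely compromised.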

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.