Botnet Targets M365 Authentication Blind Spots
This attack campaign targets overlooked vulnerabilities in non-interactive logins.

A botnet of more than 130,000 compromised devices has been observed running coordinated password-spraying attacks against Microsoft 365 accounts, exposing a blind spot in how many tenants monitor and police non-interactive authentication.

SecurityScorecard researchers have traced this campaign to threat actors with ties to China after identifying infrastructure connections with CDS Global Cloud and UCLOUD HK, organizations known for their operational links to China. The attackers run their command-and-control servers on infrastructure from U.S.-based SharkTech, a service provider previously associated with malicious cyber operations.

What sets this campaign apart from conventional password spraying is its use of non-interactive sign-ins. In Entra ID, a non-interactive sign-in is one a client performs on a user's behalf without the user entering credentials at that moment: a token refresh, or a mail client presenting a stored password over a legacy protocol such as Basic Authentication. Entra ID records these in a separate log from interactive sign-ins, and alerting and review processes are commonly built around the interactive log, so attempts that land only in the non-interactive log draw less attention. Legacy protocols also cannot complete a Multi-Factor Authentication challenge, and unless a Conditional Access policy explicitly blocks legacy clients they are not stopped there either. The result is that the spray can run at volume, and a correctly guessed password can grant access, in tenants whose interactive logins are otherwise well protected.

Industry-Wide Implications

The scale and sophistication of this campaign signal a shift toward targeting the overlooked non-interactive login path. Organizations across multiple sectors, particularly financial services, healthcare, government, technology, and education, face significant risk from this attack vector.

David Mound from the STRIKE Threat Intelligence team at SecurityScorecard emphasizes that traditional security measures are no longer sufficient: "This campaign demonstrates that relying solely on MFA is inadequate in today's threat landscape. Organizations must now scrutinize and secure authentication processes previously considered low-risk."

Recommended Security Measures

Security experts recommend several immediate actions for organizations to protect themselves:

- Review non-interactive sign-in logs for unauthorized access attempts
- Rotate credentials for any accounts flagged in recent sign-in attempts
- Disable legacy authentication protocols such as Basic Authentication
- Monitor infostealer logs for stolen credentials linked to the organization
- Implement Conditional Access policies that restrict non-interactive sign-ins, in particular those from legacy authentication clients
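One way to act on the first, second and last of these recommendations against the Entra ID sign-in log, as an added example that is not code from the original article or from SecurityScorecard: it flags source IPs whose non-interactive bad-password failures fan out across many accounts, lists the legacy-protocol successes from those IPs (the accounts to rotate first), and builds the Microsoft Graph Conditional Access policy body that blocks legacy clients. The record layout follows the Graph signIn resource; the sample records, IP addresses (RFC 5737 test ranges) and thresholds are constructed for the example.

```python
"""Triage Entra ID non-interactive sign-in records for password spraying.

Added example for this article; not code from the original page or from
SecurityScorecard. Record shape follows what Microsoft Graph returns from
/auditLogs/signIns (userPrincipalName, ipAddress, clientAppUsed,
isInteractive, createdDateTime, status.errorCode). The sample records,
IP addresses (RFC 5737 test ranges) and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126  # Entra ID sign-in error code: invalid username or password
SUCCESS = 0

# clientAppUsed values for modern clients; every other value (IMAP4, POP3,
# Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is legacy
# authentication, which cannot complete an MFA challenge.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _rec(ts, upn, ip, app, code, interactive=False):
    """Build one sign-in record in the Graph signIn shape (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


SAMPLE_LOGS = [
    # Spray: one IP, one bad password per account, over SMTP AUTH (constructed).
    _rec("2025-02-20T03:00:05Z", "alice@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T03:00:41Z", "bob@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T03:01:17Z", "carol@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T03:01:59Z", "dave@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T03:02:33Z", "erin@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T03:03:10Z", "frank@example.com", "203.0.113.10", "Authenticated SMTP", BAD_PASSWORD),
    # ...then a successful IMAP4 login from the same IP: a guessed password worked.
    _rec("2025-02-20T03:04:02Z", "alice@example.com", "203.0.113.10", "IMAP4", SUCCESS),
    # Benign: a user mistyping a password twice, then succeeding interactively.
    _rec("2025-02-20T08:15:00Z", "bob@example.com", "198.51.100.7", "Browser", BAD_PASSWORD, True),
    _rec("2025-02-20T08:15:20Z", "bob@example.com", "198.51.100.7", "Browser", BAD_PASSWORD, True),
    _rec("2025-02-20T08:15:45Z", "bob@example.com", "198.51.100.7", "Browser", SUCCESS, True),
    # Benign: a mail client with a stale password retrying ONE account.
    *[_rec(f"2025-02-20T09:{m:02d}:00Z", "carol@example.com", "192.0.2.5",
           "Exchange ActiveSync", BAD_PASSWORD) for m in range(6)],
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_spray_sources(records, min_accounts=5, window=timedelta(minutes=30)):
    """Return {ip: sorted targeted UPNs} for source IPs whose non-interactive
    bad-password failures hit at least `min_accounts` distinct accounts inside
    any `window`-long span. Many failures against one account is a stale
    client, not a spray, and is not flagged."""
    by_ip = defaultdict(list)
    for r in records:
        if not r["isInteractive"] and r["status"]["errorCode"] == BAD_PASSWORD:
            by_ip[r["ipAddress"]].append((_parse(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the window
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                hits[ip] = sorted({u for _, u in attempts})  # every account this IP tried
                break
    return hits


def legacy_auth_successes(records, spray_ips):
    """Accounts that signed in successfully over a legacy protocol from a spraying
    IP: the guessed password worked and no MFA stood in the way. Rotate these first."""
    found = {(r["userPrincipalName"], r["clientAppUsed"]) for r in records
             if r["ipAddress"] in spray_ips
             and r["status"]["errorCode"] == SUCCESS
             and r["clientAppUsed"] not in MODERN_CLIENTS}
    return sorted(found)


def block_legacy_auth_policy(exclude_users=(), report_only=True):
    """Graph conditionalAccessPolicy body that blocks legacy clients (clientAppTypes
    exchangeActiveSync + other), to POST to /identity/conditionalAccess/policies.
    Starts in report-only mode so the sign-in log shows what would break;
    exclude_users is for break-glass account object IDs (assumed, not from the article)."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    sprays = find_spray_sources(SAMPLE_LOGS)
    print("spray sources:", sprays)
    print("rotate first:", legacy_auth_successes(SAMPLE_LOGS, set(sprays)))
```

Against a real tenant, feed the functions records exported from the non-interactive user sign-ins view in the Entra admin center or pulled from Graph's signIns resource (filtering to non-interactive events is available on the beta endpoint via signInEventTypes). Leave the policy in report-only until the non-interactive log shows no legitimate legacy clients, then call it with report_only=False.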

With Microsoft scheduled to retire the last remaining Basic Authentication support in Exchange Online (SMTP AUTH) in September 2025, this campaign highlights the urgency for organizations to move to modern authentication before the same gap is exploited at even larger scale.

Contact STACK Cybersecurity at [email protected] or (734) 744-5300 to protect your company from attacks like this one.
