Massive Botnet Attack Targets Microsoft 365: 130,000 Devices Exploiting Legacy Authentication

Feb 25, 2025 | News


Overview

A sophisticated botnet-powered cyber attack is putting Microsoft 365 users at risk. Security researchers at SecurityScorecard have reported that over 130,000 compromised devices are being used to launch coordinated password-spraying attacks against Microsoft 365 accounts.

By bypassing MFA and exploiting legacy authentication, attackers are gaining unauthorized access to sensitive emails, documents, and collaboration tools, posing a serious risk to financial services, healthcare, government, and tech firms.

How the Attack Works

🔹 Non-Interactive Sign-Ins

Unlike traditional brute-force attacks, this method does not trigger account lockouts or security alerts. Non-interactive sign-ins are typically used for automated services and don’t require direct user interaction—allowing attackers to remain undetected.

🔹 Basic Authentication Exploitation

Attackers are leveraging legacy authentication protocols, which send credentials without encryption. This allows them to bypass modern authentication and MFA, exposing accounts to compromise.

🔹 Command and Control Coordination

Security researchers have identified six command-and-control (C2) servers orchestrating this attack. These servers:
  • Communicate with thousands of infected devices
  • Use proxy services from well-known cloud providers linked to China
  • Have open ports for botnet management and attack coordination


The Risks for Microsoft 365 Users

  • Unauthorized Access: Attackers can steal sensitive emails, documents, and collaboration data
  • Account Lockouts: Repeated login attempts may disrupt business operations
  • Lateral Movement & Phishing: Compromised accounts can be used for further attacks inside organizations

How Organizations Can Protect Themselves

  • Audit Non-Interactive Logins: Monitor for suspicious non-interactive logins in Microsoft 365 logs
  • Disable Basic Authentication: Transition to modern authentication methods that fully support MFA
  • Strengthen Conditional Access Policies: Restrict non-interactive logins and enforce stronger authentication
  • Monitor for C2 Activity: Watch for abnormal login patterns and IPs linked to botnet activity
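As an added example (not code from the article or from SecurityScorecard), the following Python implements the first two audit steps above against exported Entra ID sign-in records: it flags any source IP that fails against many distinct accounts over legacy protocols with non-interactive sign-ins, and separately lists every legacy-protocol sign-in that succeeded, so it can be investigated or migrated before Basic Authentication is disabled. Field names follow the Microsoft Graph signIn object; the sample records and the contoso.example tenant are constructed.

```python
import json
from collections import defaultdict

# Legacy (Basic Auth) protocols as they appear in the Entra ID sign-in field clientAppUsed
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "Other clients", "Outlook Anywhere (RPC over HTTP)",
}
BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def detect_password_spray(events, min_users=5):
    """Return {ip: summary} for source IPs that (a) produced wrong-password failures
    against at least min_users distinct accounts over legacy protocols, or (b) signed
    in successfully over a legacy protocol at all. Only non-interactive events count."""
    by_ip = defaultdict(lambda: {"failed": set(), "success": set(), "apps": set()})
    for e in events:
        if e.get("isInteractive", True) or e.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue  # interactive or modern-auth traffic is out of scope for this check
        rec = by_ip[e["ipAddress"]]
        rec["apps"].add(e["clientAppUsed"])
        code = e.get("status", {}).get("errorCode", 0)
        if code == BAD_PASSWORD:
            rec["failed"].add(e["userPrincipalName"])
        elif code == 0:
            rec["success"].add(e["userPrincipalName"])
    findings = {}
    for ip, rec in by_ip.items():
        spray = len(rec["failed"]) >= min_users
        if spray or rec["success"]:
            verdict = "spray_with_success" if spray and rec["success"] else (
                "spray" if spray else "legacy_auth_success")
            findings[ip] = {"distinct_failed_users": len(rec["failed"]),
                            "compromised_users": sorted(rec["success"]),
                            "protocols": sorted(rec["apps"]), "verdict": verdict}
    return findings

# Constructed sample records in the shape of Graph API signIn objects (not real log data)
SAMPLE_EVENTS = [
    *({"userPrincipalName": f"user{i}@contoso.example", "ipAddress": "203.0.113.7",
       "clientAppUsed": "IMAP4", "isInteractive": False, "status": {"errorCode": 50126}}
      for i in range(8)),
    {"userPrincipalName": "user8@contoso.example", "ipAddress": "203.0.113.7",
     "clientAppUsed": "IMAP4", "isInteractive": False, "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-backup@contoso.example", "ipAddress": "198.51.100.2",
     "clientAppUsed": "Exchange Web Services", "isInteractive": False, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.9",
     "clientAppUsed": "Browser", "isInteractive": True, "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    print(json.dumps(detect_password_spray(SAMPLE_EVENTS), indent=2))
```

A lone "legacy_auth_success" hit, like the service account here, is not an attack by itself; it is the inventory of Basic Auth dependencies that has to be moved to modern authentication before the protocol is switched off.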




Expert Insight: Jason Soroko on Securing Non-Interactive Logins

“Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations. They often represent a significant portion of authentication events.”

“To secure these logins, organizations should implement certificates, managed identities, strict credential management, and continuous monitoring.”

Microsoft is planning to fully retire certain Basic Authentication protocols later this year, making now the best time to strengthen security against these attacks.

With this large-scale botnet attack already in motion, organizations must act quickly to protect their Microsoft 365 environments from compromise.


Source: hackread.com
