A newly surfaced cybersecurity threat has put over 130,000 devices under the control of a sophisticated botnet, leveraging these compromised endpoints to mount large-scale password spraying attacks against Microsoft 365 accounts. This troubling development, uncovered by SecurityScorecard’s STRIKE Threat Intelligence team, not only puts global organizations on high alert but also surfaces a glaring security flaw in a technology environment that millions rely upon for daily business operations.

The Anatomy of a Modern Botnet Campaign

Traditional cybersecurity threats often evoke images of phishing scams or indiscriminate malware outbreaks, but the latest threat landscape is more nuanced—and more dangerous—than ever before. The campaign in question distinguishes itself with its extensive scale and, perhaps more alarmingly, its ability to operate under the radar of even well-prepared security teams. Unlike many prior campaigns, the botnet’s operators have constructed an infrastructure that allows them to systematically evade conventional defense mechanisms such as Multi-Factor Authentication (MFA) and Conditional Access Policies.
The core of the attack lies in exploiting “Non-Interactive Sign-Ins.” These are authentication attempts executed without direct human interaction, typically used for service-to-service communications—think of a background application connecting to a data store, or automated backup software accessing cloud storage. Because these sign-ins are often overlooked in standard security monitoring configurations, attackers can quietly probe organizational defenses, testing username and password combinations without raising customary red flags like account lockouts.

Password Spraying: An Evolving Tactic

Password spraying itself is not a novel concept. In broad strokes, it involves methodically testing a select number of common or stolen passwords across a multitude of accounts, aiming to strike a balance between efficacy and stealth. Unlike brute-force attacks that pound individual accounts with countless password guesses—quickly triggering lockouts and alerts—password spraying takes a more measured approach. The real innovation here is the integration of Non-Interactive Sign-In methods, a channel that routinely bypasses many forms of security oversight and, crucially, often circumvents Multi-Factor Authentication.
The STRIKE Threat Intelligence team’s detection of this campaign comes at a time when many businesses have, perhaps prematurely, considered MFA to be a panacea for credential-based attacks. The findings serve as a sobering reminder that authentication paradigms are only as secure as their least-monitored pathway.

Scope and Targets: Why Everyone Should Care

The threat does not discriminate. From Financial Services and Insurance giants to Healthcare networks, from Government and Defense contractors to nimble SaaS Providers and sprawling Education and Research Institutions—the scope is enormous. Each vertical presents unique stakes and vulnerabilities but shares a common dependency on Microsoft 365 as a backbone for productivity and collaboration.
This dependency brings a dangerous level of risk aggregation. Should attackers gain significant footholds—disrupting communications, stealing IP, or instigating destructive ransomware payloads—the consequences would reverberate far beyond the victim organization. In sectors like healthcare and defense, these attacks have the potential to disrupt critical infrastructure and endanger sensitive national interests.

Infrastructure and Attribution: Shadows from the East

Delving deeper into the infrastructure supporting this campaign, SecurityScorecard’s analysts identified several command-and-control (C2) servers, notably hosted by SharkTech—a U.S. provider already on the radar of cybersecurity circles for enabling malicious activity. But perhaps more worrisome is the evidence pointing toward infrastructure associated with CDS Global Cloud and UCLOUD HK, two entities with confirmed operational ties to China.
While researchers stop short of definitive attribution, the geopolitical undertones are unmistakable. This campaign may not have the public profile of the infamous Volt Typhoon or APT33 threat groups, but its characteristics—stealth, scale, and technical sophistication—suggest a well-resourced adversary possibly working with or benefiting from Chinese-affiliated actors.

The Stealth Advantage: Why Detection is So Tricky

Why does this particular campaign evade standard defenses so effectively? The answer lies in the technical nuances of authentication and monitoring. Most organizations configure alerting and response policies around “interactive” logins—instances where a user physically types credentials into a login form. In contrast, many service-to-service connections utilize legacy authentication schemes or rely on automation scripts, making them harder to audit in real-time.
Attackers leveraging Non-Interactive Sign-Ins can sidestep account lockout triggers, quietly enumerate valid username/password pairs, and even persist access for extended periods before being detected. Moreover, applications using Basic Authentication—despite widespread industry warnings—remain in active use, expanding the attack surface.

The Hidden Risks: Why MFA Alone Isn’t Enough

In an environment where MFA is often heralded as the gold standard for authentication security, this campaign reveals a deeply uncomfortable truth: Not all authentication vectors are equally protected. Users—and even IT administrators—may reasonably assume that their multi-layered defenses are sufficient, but this isn’t always the case.
Basic Authentication, long recognized as insecure, is still supported by many cloud services and legacy applications. These legacy protocols, foundational to many Non-Interactive Sign-Ins, frequently bypass even the strictest MFA requirements. Until organizations fully transition off outdated protocols, their data and services remain at risk.
To add further complexity, even when Conditional Access Policies are in place, they often target only specific user groups or applications, leaving gaps that attackers can exploit. This fragmented security posture gives attackers an opening to persist, exfiltrate data, and potentially launch more damaging follow-on attacks, such as business email compromise or ransomware deployment.

Industry Reaction and Strategic Recommendations

SecurityScorecard’s STRIKE team, known for coupling unique threat intelligence with practical incident response and third-party supply chain risk expertise, has articulated several critical action items for organizations determined to harden their security posture:
  • Review Non-Interactive Sign-In logs: Security professionals should expand their audit practices to include all forms of authentication, not just user-driven activity. Unexplained sign-ins from unfamiliar endpoints or excessive service-to-service authentications warrant immediate investigation.
  • Rotate credentials promptly: Upon discovering potentially compromised accounts, rotate credentials and reset passwords to prevent attackers from reusing stolen authentication data.
  • Disable legacy protocols: Basic Authentication should be permanently decommissioned wherever possible. Organizations must inventory applications still reliant on legacy protocols and plan migrations to secure alternatives.
  • Monitor for leaked credentials: Given the widespread use of password spraying, regularly cross-referencing employee accounts against leaked credential databases is essential.
  • Tighten Conditional Access Policies: Administrators should consider restrictions on non-interactive authentication, limiting access as narrowly as operationally feasible.
  • Prepare for change: Microsoft’s committed timeline to phase out Basic Authentication by September 2025 provides a critical deadline for organizations to modernize their authentication landscape.
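To make the first and third recommendations concrete, the script below is an added example (not code from SecurityScorecard or the article) that runs the spray heuristic over non-interactive sign-in records: one source IP failing against many distinct accounts, plus any account that then succeeded from that IP, and separately lists sign-ins over legacy protocols that cannot enforce MFA. Field names follow the Microsoft Graph signIn schema; the records, accounts and IPs are constructed, and the LEGACY_CLIENTS set and the min_users threshold are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (Graph signIn field names;
# accounts, IPs and timestamps are invented for this example).
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T03:01:10Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:12Z","userPrincipalName":"b.ng@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:15Z","userPrincipalName":"c.ortiz@example.com","ipAddress":"203.0.113.7","clientAppUsed":"POP3","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:20Z","userPrincipalName":"e.roy@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T08:15:00Z","userPrincipalName":"svc-backup@example.com","ipAddress":"198.51.100.4","clientAppUsed":"Mobile Apps and Desktop clients","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T09:00:00Z","userPrincipalName":"a.lee@example.com","ipAddress":"192.0.2.9","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":50126}}
"""

# clientAppUsed values that indicate Basic Authentication protocols.
# Assumption: extend for your tenant (e.g. "Authenticated SMTP").
LEGACY_CLIENTS = {"IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}

def parse_signins(text):
    """One JSON object per line -> list of dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_spray(events, min_users=3):
    """Spray signature: one IP, non-interactive failures against many distinct
    accounts (errorCode 50126 = bad password). Returns {ip: {"users": n,
    "hits": [accounts that later succeeded from that same IP]}}."""
    per_ip = defaultdict(lambda: {"failed": set(), "succeeded": set()})
    for ev in events:
        if ev.get("isInteractive"):
            continue  # interactive logins are already covered by normal alerting
        bucket = per_ip[ev["ipAddress"]]
        key = "succeeded" if ev["status"]["errorCode"] == 0 else "failed"
        bucket[key].add(ev["userPrincipalName"])
    return {ip: {"users": len(b["failed"]), "hits": sorted(b["succeeded"])}
            for ip, b in per_ip.items() if len(b["failed"]) >= min_users}

def legacy_auth_events(events):
    """Non-interactive sign-ins over protocols on which MFA cannot be enforced."""
    return sorted({(ev["userPrincipalName"], ev["clientAppUsed"]) for ev in events
                   if not ev.get("isInteractive") and ev["clientAppUsed"] in LEGACY_CLIENTS})

if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    for ip, info in detect_spray(evs).items():
        print(f"spray from {ip}: {info['users']} accounts tried, successes: {info['hits']}")
    for upn, app in legacy_auth_events(evs):
        print(f"legacy auth: {upn} via {app}")
```

In production the same grouping would run over a time window (for example per hour) against exported sign-in logs rather than the embedded sample; a success following a burst of failures from one IP is the record to act on first.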

The Bigger Picture: Cloud Authentication in Transition

The rapid expansion of cloud productivity platforms like Microsoft 365 has transformed how enterprises operate, enabling seamless remote work, global collaboration, and near-instantaneous access to data. However, this convenience also introduces a matrix of security challenges, sharply highlighted by the surge in advanced botnet-driven attacks.
Cloud environments are uniquely vulnerable because of their centralization and the broad array of client devices and applications that access them. A single weak link—whether a neglected legacy app still using BasicAuth or a misconfigured Conditional Access setting—can create a pathway for attackers to compromise entire business ecosystems.
Offensive innovations in password spraying and similar credential-based attacks are exposing new seams in the patchwork of cloud security practices. The findings from SecurityScorecard’s investigation illustrate how even organizations with so-called “robust” security policies can fall victim if they overlook the subtleties of authentication flow and monitoring.

Geopolitics and Attribution: The Challenge of the Shadow Adversary

The infrastructure associations uncovered by SecurityScorecard underscore a persistent challenge facing defenders: attribution. While evidence links components of this botnet to Chinese-affiliated hosting platforms, actors have become expert at obfuscating their origins, using “bulletproof” hosting providers and proxy networks to muddy investigative trails.
Still, recurring overlaps with the infrastructure and techniques employed by previously identified state-linked groups suggest the likelihood of advanced persistent threats (APTs) at play. These APTs are well funded, patient, and highly adaptive. Their objectives aren’t always immediate monetary gain—often, they involve long-term espionage, information theft, or pre-positioning for future operations.
This context places a fresh imperative on organizations to consider not just the technical defenses but also the broader operational and geopolitical risks associated with modern cloud infrastructure.

Organizational Blind Spots: Visibility and Accountability

A recurring lesson from this campaign is that organizations often underestimate the complexity and diversity of their authentication landscape. Many enterprises assume that having enabled MFA and a suite of Conditional Access policies is enough. Yet, shadow IT, legacy system dependencies, and the sheer multitude of service accounts and automated workflows create blind spots.
Service accounts, in particular, are seldom subject to the same scrutiny as user accounts. Their credentials, once compromised, can sit unnoticed for months, enabling persistent access. Automated auditing and regular reviews of these account activities, with an emphasis on least-privilege principles, are vital.
Further, organizations must challenge conventional wisdom that assumes user-driven attacks are more dangerous than service-driven ones. As this campaign demonstrates, the real damage often originates in the least-guarded corners of the authentication map.

Future-Proofing: Toward a More Secure Authentication Ecosystem

Looking ahead, the phasing out of Basic Authentication by Microsoft is both overdue and crucial. But technology alone cannot deliver security. The corporate response must blend technical upgrades with cultural shifts—training staff to recognize nonstandard authentication patterns, empowering SOC analysts with more granular visibility, and holding application owners accountable for legacy dependencies.
The rise of Zero Trust architectures offers one pathway forward. By assuming every endpoint and connection is potentially hostile, organizations can begin to move away from implicit trust models that have failed to keep pace with attacker innovation. Fine-grained segmentation, context-aware access, and enforcement of strong authentication for every request are foundational to this evolution.
In practical terms, organizations must inventory every application’s authentication methods, deprecate risky protocols, and implement monitoring tools specifically tuned for service-to-service interactions. Regular penetration testing and red teaming exercises should include non-interactive authentication pathways as a standard part of the threat model.

Commentary: Bridging the Knowledge Gap

This episode is a microcosm of broader challenges facing IT and security leaders in the cloud era. Vendors, administrators, and users alike have been swept up in a narrative that positions cloud migration and MFA as definitive security milestones. Yet today’s threat environment—epitomized by this Chinese-connected botnet—demands more nuanced understanding and constant vigilance.
Blind trust in any one security control is a recipe for disaster. As threat actors probe every seam of the authentication landscape, security teams must keep pace by understanding the nuances of their environment and acting on intelligence, not comforting assumptions.
Education is a crucial part of the solution. Executives, IT architects, and even end-users need to be aware of the realities behind Non-Interactive Sign-Ins, legacy authentication exposures, and the real risk posed by credential harvesting. SecurityScorecard serves as a potent example of a research-driven organization able to bridge the gap between incident response and strategic policy—a model other firms would do well to emulate.

Conclusion: A Wake-Up Call for the Cloud Era

SecurityScorecard’s uncovering of a botnet-driven campaign against Microsoft 365 is more than just another entry in a long list of credential-based threats. It lays bare the shifting battle lines in cloud security, where even the best-defended environments are only as secure as their least-monitored interfaces.
For organizations, the lesson is clear: diligence, adaptability, and a willingness to evolve are critical. Every authentication pathway must be scrutinized, legacy dependencies eliminated, and new defensive measures adopted as the threat landscape evolves.
As September 2025 approaches—and with it the long-overdue retirement of Basic Authentication—companies that move decisively to modernize their authentication architectures and monitor all forms of access will find themselves best prepared to meet the next generation of cloud-centric threats head-on. The stakes have never been higher, and the window for complacency is closing fast.

Source: itbrief.asia Hackers exploit botnet to attack Microsoft 365 accounts