
A recently discovered botnet consisting of more than 130,000 compromised devices is now targeting Microsoft 365 accounts with advanced password-spraying tactics capable of evading traditional detection methods.
Password-spraying is a brute-force attack in which attackers try a small set of commonly used passwords against many accounts. In traditional password-spraying campaigns, attackers limit the number of attempts per account to avoid the repeated failures that trigger lockouts. Those lockouts generate valuable security alerts that notify defenders and allow them to block the suspicious activity.
However, this new botnet campaign has evolved and now uses non-interactive sign-ins to bypass detection, making these threats much more difficult to identify and stop. “This attack is now using techniques that are a significant step forward as compared to past password-spraying attempts,” said Boris Cipot, Senior Security Engineer at Black Duck, a leading provider of application security solutions. “Non-interactive logins are not as prone to typical security alerts as failed login attempts and can take advantage of gaps organizations may have in their authentication monitoring.”
Since non-interactive sign-ins don’t require real-time input, they can bypass conventional security controls such as multi-factor authentication (MFA) and user behavior analytics (UBA) systems, which rely on detecting anomalies in human login activity.
Security researchers at SecurityScorecard warn that this innovative technique poses a serious risk for companies in a wide range of industries. These include financial services, government and defense, technology and SaaS providers, and education and research institutions since they all tend to be prime targets due to the high value of the data they manage.
Whether it’s financial information, sensitive personal data, medical records, classified government information, software infrastructure, or proprietary research and intellectual property, attackers continue to exploit organizations in these industries, demonstrating the need for more effective security controls.
The Need to Strengthen Authentication Security
As cyber threats become more sophisticated, organizations must adopt a more proactive approach to authentication security, including the following components:
- A zero-trust security model, which assumes that no user or device should be automatically trusted, to protect sensitive systems and data.
- AI-driven threat detection to complement existing security systems and enable cloud-based applications to detect suspicious login behaviors and unauthorized access attempts in real-time.
- MFA, continuous monitoring, and adaptive access controls to minimize risk further.
By integrating these strategies, organizations can build stronger defenses against non-interactive password spraying and other increasingly stealthy attacks for the best chance to stay ahead of cyber threats.
Balancing Security and Access
Yet the threat now presents a delicate balancing act for security teams who need to continue to allow automated access while still taking steps to defend against this new threat and bolstering their organization’s overall defenses.
“Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations,” explained Jason Soroko, Senior Fellow at Sectigo, a provider of comprehensive certificate lifecycle management solutions. “Organizations should do more to secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring, yet do so in a way to thoughtfully avoid disrupting legitimate automated processes.”
Security professionals must take immediate action to mitigate the risks posed by non-interactive password-spraying attacks. These include:
- Analyzing non-interactive sign-in logs to identify any unauthorized login attempts.
- Resetting credentials for any accounts that may have been targeted in recent sign-in attempts.
- Disabling outdated authentication methods to reduce exposure to new attack tactics.
- Using infostealer logs and other tools to track stolen credentials that may be associated with the organization.
- Enforcing conditional access policies to limit and even prevent non-interactive login attempts.
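The first item above, analyzing non-interactive sign-in logs, is the step most teams can automate immediately. The following script is an added example, not code from the article or from any of the vendors quoted in it: it runs over a constructed JSON-lines sample of sign-in records (field names assumed to follow the Microsoft Graph signIn schema, with 50126 assumed as the invalid-credentials error code) and flags source IPs whose failed non-interactive sign-ins touch many distinct accounts within a time window, which is the signature of spraying that per-account lockout thresholds never see.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of non-interactive sign-in records as JSON lines (not real
# telemetry). Field names are assumed to follow the Microsoft Graph signIn schema.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-24T10:00:01Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T10:03:00Z","userPrincipalName":"svc-backup@example.com","ipAddress":"198.51.100.20","isInteractive":false,"clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
{"createdDateTime":"2025-02-24T10:12:10Z","userPrincipalName":"Bob@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T10:15:00Z","userPrincipalName":"eve@example.com","ipAddress":"203.0.113.7","isInteractive":true,"clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T10:24:30Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T10:30:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","isInteractive":false,"clientAppUsed":"Other clients","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-24T10:36:45Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.7","isInteractive":false,"clientAppUsed":"Other clients","status":{"errorCode":50126}}
"""

INVALID_CREDENTIALS = 50126  # Entra ID "invalid username or password" (assumed value)

def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_spray_sources(records, min_accounts=3, window=timedelta(hours=1)):
    """Return {ip: sorted accounts} for source IPs whose failed NON-interactive
    sign-ins hit at least `min_accounts` distinct accounts inside `window`.
    Counting distinct accounts per source, not failures per account, is what
    exposes low-and-slow spraying that never trips a per-account lockout."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, account)]
    for rec in records:
        if rec.get("isInteractive"):
            continue  # interactive failures already raise the usual alerts
        if rec.get("status", {}).get("errorCode") != INVALID_CREDENTIALS:
            continue  # successes and other error classes are out of scope here
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        per_ip[rec["ipAddress"]].append((ts, rec["userPrincipalName"].lower()))

    flagged = defaultdict(set)
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this source
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] |= accounts
    return {ip: sorted(accts) for ip, accts in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(f"possible spray from {ip}: {', '.join(accounts)}")
```

The thresholds are deliberately parameters: a source that touches one account per ten minutes looks benign under a ten-minute window and obvious under a one-hour one, so tune `window` and `min_accounts` to the tenant's normal non-interactive traffic before alerting on the result.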
By proactively implementing a comprehensive plan that includes these security measures, organizations can take the right steps to protect themselves from the new botnet threat.
A Wake-Up Call for Stronger Authentication Security
The scale and sophistication of this attack are the latest evidence in the evolving nature of cyber threats and the need for stronger authentication defenses.
“For organizations heavily reliant on Microsoft 365, this attack is a wake-up call,” added Darren Guccione, CEO and Co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software. “With Microsoft phasing out basic authentication in 2025, organizations must act now to close these gaps before attackers scale their operations even further.”
As cyber attackers continue to refine their techniques, organizations in virtually every industry should consider implementing modern authentication strategies and adaptive security measures to defend against evolving attacks and protect their critical systems and data.