A Chinese-affiliated botnet of over 130,000 devices is launching a stealthy password spray attack on Microsoft 365 accounts.
Published: Feb 26, 2025
Key Takeaways:
Cybersecurity researchers have uncovered a large-scale password spray attack that exploits outdated Basic authentication in Microsoft 365 accounts. Operated by a Chinese-affiliated group, the botnet harnesses over 130,000 compromised devices to infiltrate organizations and steal sensitive data.
A password spray attack is a type of brute force attack in which a threat actor tries a single common password against many different accounts. Traditional password spray attacks often lead to account lockouts, which occur when multiple failed login attempts are made against a single account; such lockouts can alert security teams to investigate suspicious activity.
According to the SecurityScorecard researchers, the attack is considered stealthy because the password spraying attempts are recorded in non-interactive sign-in logs, which security teams often overlook. Non-interactive sign-in logs record sign-in attempts that don’t involve direct user interaction, such as those made by automated processes or background services.
Essentially, the threat actors exploit non-interactive sign-ins to compromise Microsoft 365 accounts. The hackers can then steal sensitive data, disrupt business operations, and move laterally within the targeted organization. The researchers observed that this tactic has been used to breach multiple Microsoft 365 tenants worldwide.
Microsoft plans to permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. However, the company warned that these cyberattacks pose an immediate threat.
To mitigate these password spray attacks, the researchers advise administrators to take several security measures. Organizations should stop using Basic authentication, which is more vulnerable to such attacks, and administrators should proactively monitor login patterns to spot unusual activity.
Lastly, organizations should implement strong detection mechanisms to detect and block password spraying. The report also suggests that administrators reassess their authentication strategies.
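As an added illustration of the monitoring advice above (this is example code, not part of the report or of any Microsoft tooling), the following detector runs over a constructed set of failed sign-in records and flags a source that fails against many distinct accounts a few times each, the spray pattern, while ignoring repeated failures against one account. The field names, the legacy client strings and the sample addresses are assumptions; only the 50126 result code ("invalid username or password") is a real Entra ID value.

```python
"""Flag password-spray sources in constructed non-interactive sign-in records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAIL_CODE = 50126  # Entra ID sign-in result code: invalid username or password
# Client strings that indicate legacy (Basic auth) protocols; assumed values.
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients"}

def rec(ts, user, ip, code=FAIL_CODE, client="Authenticated SMTP"):
    """Build one constructed record with a small subset of sign-in log fields."""
    return {"time": ts, "user": user, "ip": ip, "code": code, "client": client}

# Constructed sample: one spraying source (six accounts, one failure each over
# SMTP AUTH), one brute-force source (one account, six failures), one user typo.
SAMPLE_LOGS = [rec(f"2025-02-25T01:{m:02d}:00Z", f"user{m}@example.com", "203.0.113.10")
               for m in range(0, 30, 5)]
SAMPLE_LOGS += [rec(f"2025-02-25T01:{m:02d}:00Z", "bob@example.com", "198.51.100.7",
                    client="Browser") for m in range(6)]
SAMPLE_LOGS.append(rec("2025-02-25T02:00:00Z", "carol@example.com", "192.0.2.44", client="Browser"))
SAMPLE_LOGS.append(rec("2025-02-25T02:01:00Z", "carol@example.com", "192.0.2.44", code=0, client="Browser"))

def find_spray_sources(logs, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": [...], "legacy_auth": bool}} for every source whose
    failed sign-ins, inside some sliding window, touch at least min_accounts distinct
    users with at most max_per_account failures each. Brute force on one account
    (many failures, one user) does not match, so lockout-style noise is excluded."""
    by_ip = defaultdict(list)
    for r in logs:
        if r["code"] == FAIL_CODE:
            ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip[r["ip"]].append((ts, r["user"], r["client"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best, lo = None, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide window start forward
                lo += 1
            per_user = Counter(u for _, u, _ in events[lo:hi + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > len(best):
                    best = per_user  # keep the widest matching window for this source
        if best:
            findings[ip] = {"accounts": sorted(best),
                            "legacy_auth": any(c in LEGACY_CLIENTS for _, _, c in events)}
    return findings

if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE_LOGS).items():
        print(ip, len(info["accounts"]), "accounts, legacy auth:", info["legacy_auth"])
```

On real tenants the same grouping can be expressed as a query over the non-interactive sign-in log export; the thresholds here are starting points to tune against your own baseline.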