Researchers at SecurityScorecard recently discovered a botnet of over 130,000 compromised devices conducting password spray attacks against Microsoft 365. Attribution has not been confirmed, but the signs point to a China-based group: the command-and-control servers are hosted in China and set to the Asia/Shanghai timezone, and some of the hosting infrastructure was traced back to two Chinese providers. Researchers estimate the campaign has been running since December 2024.
Microsoft has been rolling out mandatory MFA (multi-factor authentication) for some time now, but the attackers specifically targeted non-interactive sign-ins. These are logins performed without a person at the keyboard: automated processes, background tasks, and service integrations authenticate on their own. With no human present to answer a prompt, no MFA challenge is issued, so the password is the only thing standing between the attacker and the account.
The likely goal of the attack is access to sensitive data, email, and collaboration tools such as SharePoint.
Security researchers have called this “the next evolutionary step forward” of password spray attacks; let’s look at the components to see why this attack is particularly dangerous.
Non-interactive sign-ins: Why do we even have these?
At first glance, an account that never has to pass MFA sounds terrible, and on the surface it is. But these identities exist for work that has no human in the loop: a service account that logs into SharePoint to retrieve data, or a background process calling an API to sync users between Entra ID and an external system. With nobody there to type a one-time code or approve a push in an authenticator app, a second factor cannot be supplied, yet these tasks are critical to business function. The practical consequence is that the password is the only thing protecting such an identity, so it has to be long, random, unique, and never reused anywhere else.
What exactly is a botnet?
A botnet is a network of compromised devices—computers, servers, and IoT devices—that a hacker controls remotely to perform malicious activities.
IoT devices are particularly attractive targets for anyone building a botnet: they often ship with weak security controls, rarely receive security updates when vulnerabilities are found, and many times admins are not even aware they exist; one study found that 80% of IT leaders had discovered an unknown IoT device on their network. When such devices are compromised and folded into a botnet, it is hard to tell: the only symptom might be an increase in outbound traffic, which can easily escape regular monitoring.
A botnet exists for large-scale operations. For a password spray the advantage is not raw guessing speed: a spray tries only a handful of passwords per account, which a single machine could do quickly. The problem for the attacker is that all of those attempts would come from one IP address, which is exactly what rate limits, IP reputation blocks, and failed-login alerts are built to catch. Spread across 130,000 devices, each source IP makes only a few attempts, every one of them below the threshold that would trigger a block, and the campaign can still work through a tenant's entire list of accounts in hours.
How does a password spray attack work?
A password spray attack is a type of brute-force attack used to gain unauthorized access to user accounts, systems, or networks. It differs from a traditional brute-force attack, where an attacker targets one account and systematically tries all possible combinations until the password falls. In a password spraying attack, the attacker tries a small number of common passwords against a large number of usernames, typically one password per account per round, then waits before trying the next password so that no single account accumulates enough failures to lock.
The goal of a password spraying attack is to exploit the fact that many users use weak or easily guessable passwords, such as “password,” “123456,” or “admin.” Instead of trying to guess a specific user’s password, the attacker focuses on gaining access to multiple accounts by trying these common passwords against a broad range of usernames.
What makes this campaign particularly egregious is the targeting of non-interactive sign-ins. Sprays against human users run into basic defences: an account locks after a number of wrong passwords, and admins monitor the sign-in logs and alert on a sudden storm of failures. Non-interactive sign-ins are recorded in their own log, separate from the interactive user sign-ins most alerting is built on, and that log is usually ignored; and because a spray tries only one or two passwords per account, lockout thresholds are rarely reached. So as long as the background processes keep working (the SharePoint backup, the ID sync mentioned above), there is a very good chance no one will ever look at all those failed logins.
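The two points above, that a distributed spray keeps every source IP and every account under the usual thresholds and that the evidence lands in the non-interactive sign-in log nobody reads, are easier to see with a detector run over that log. The following is an added example, not SecurityScorecard's or Portnox's code: it parses constructed JSON-lines sign-in records (the field names are modelled on the Entra ID sign-in log export, the values are invented) and flags a window whose non-interactive credential failures show the spray signature, many distinct identities with one or two failures each, spread over many source IPs. It also reports the per-IP maximum, which is why a per-IP lockout rule would have missed it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in status code for "invalid username or password".
ERR_INVALID_CREDENTIALS = 50126

# Constructed sample records (not real logs). Field names are modelled on the
# Entra ID sign-in log JSON export; every value below is invented for this example.
# Lines 1-8: eight different identities, one failure each, from six source IPs.
# Lines 9-11: ordinary traffic a spray detector must ignore.
# Lines 12-13: one service account failing twice from one IP (a stale password, not a spray).
SAMPLE_LOG = """
{"createdDateTime":"2025-01-14T02:00:10Z","userPrincipalName":"sp-backup@contoso.example","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:01:22Z","userPrincipalName":"svc-sync@contoso.example","ipAddress":"203.0.113.11","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:02:05Z","userPrincipalName":"sp-report@contoso.example","ipAddress":"198.51.100.7","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:03:40Z","userPrincipalName":"svc-mail@contoso.example","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:05:01Z","userPrincipalName":"sp-etl@contoso.example","ipAddress":"198.51.100.8","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:06:15Z","userPrincipalName":"svc-monitor@contoso.example","ipAddress":"203.0.113.12","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:07:30Z","userPrincipalName":"sp-crm@contoso.example","ipAddress":"198.51.100.9","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:09:02Z","userPrincipalName":"svc-ci@contoso.example","ipAddress":"203.0.113.11","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T02:03:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.20","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2025-01-14T02:05:30Z","userPrincipalName":"sp-backup@contoso.example","ipAddress":"192.0.2.5","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-01-14T02:08:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.21","isInteractive":true,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T03:00:05Z","userPrincipalName":"svc-sync@contoso.example","ipAddress":"192.0.2.5","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-14T03:00:35Z","userPrincipalName":"svc-sync@contoso.example","ipAddress":"192.0.2.5","isInteractive":false,"status":{"errorCode":50126}}
"""


def parse_records(text):
    """Parse JSON-lines sign-in records and attach a timezone-aware timestamp."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_spray(records, window=timedelta(minutes=15), min_users=5, min_ips=3, max_per_user=2):
    """Flag windows whose non-interactive credential failures look like a distributed spray.

    The spray signature is the inverse of a classic brute force: many distinct
    identities, few failures per identity, and the attempts spread over many
    source IPs so that no single IP or account crosses a lockout threshold.
    """
    failures = [
        r for r in records
        if not r["isInteractive"] and r["status"]["errorCode"] == ERR_INVALID_CREDENTIALS
    ]
    span = int(window.total_seconds())
    buckets = defaultdict(list)
    for r in failures:
        epoch = int(r["ts"].timestamp())
        buckets[epoch - epoch % span].append(r)  # fixed windows aligned to the epoch

    alerts = []
    for start in sorted(buckets):
        recs = buckets[start]
        per_user = defaultdict(int)
        per_ip = defaultdict(int)
        for r in recs:
            per_user[r["userPrincipalName"]] += 1
            per_ip[r["ipAddress"]] += 1
        if len(per_user) >= min_users and len(per_ip) >= min_ips and max(per_user.values()) <= max_per_user:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "failures": len(recs),
                "distinct_users": len(per_user),
                "distinct_ips": len(per_ip),
                "max_failures_per_user": max(per_user.values()),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample, the 02:00 window is flagged with eight failures across eight identities and six IPs, no identity failing more than once and no IP more than twice, well under any sensible lockout threshold; the 03:00 window, where one service account fails twice from one address, is left alone. Tune the thresholds against your own tenant's baseline of non-interactive failures before wiring this into alerting, since a fleet of devices with a stale service password can produce a lot of 50126s from a small set of identities and IPs.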
NAC and Conditional Access to the rescue!
Many of the articles say that targeting non-interactive sign-ins bypasses Conditional Access policies, but the truth is narrower. An MFA requirement cannot apply to an identity with no human there to answer the prompt, which is why these service identities are routinely excluded from MFA policies. The controls that still work are the ones a machine can satisfy: where it connects from, what device it runs on, and what it is allowed to touch. With a good set of those policies, you can still protect yourself from attacks like these.
Role-based and location-based access control are key. If a machine account exists to back up SharePoint or write to a database, those should be the only things it can reach, with the minimum rights needed for the job; if the account is ever breached, the amount of data that can be stolen is then tightly bounded. Location-based policies block connections from places you know your automation does not run: a backup job that only ever runs from your datacenter's address range has no business authenticating from a residential IP on another continent.
Next, apply device-risk policies to every sign-in: if the device does not have the required software or antivirus, or is not enrolled in your MDM, the sign-in can be denied outright, or the device can be dropped onto a quarantine network with internet access but no access to internal tools. This lets you run a BYOD policy for employees while keeping critical assets safe.
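The location restriction for service identities and the device-compliance requirement for users described above are both expressed as Conditional Access policies, and both are easy to get wrong in a way that locks out your own admins. The following is an added example, not Portnox's or Microsoft's code: it builds the two policy bodies for the Microsoft Graph Conditional Access API, lints them for the usual mistakes, and shows the weak variant (no break-glass exclusion) beside the corrected one. The GUIDs are placeholders; the field names follow the Graph `conditionalAccessPolicy` resource as I know it and should be checked against the Graph reference before use, and policies scoped to service principals via `clientApplications` require the Workload Identities Premium license. Ship new policies in report-only mode first, as these do by default.

```python
import json
import urllib.request

# Microsoft Graph endpoint for Conditional Access policies (v1.0).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholders (assumed): real values come from your tenant's named locations,
# service principal object IDs, and break-glass account object IDs.
TRUSTED_LOCATION_ID = "00000000-0000-0000-0000-00000000aaaa"
SERVICE_PRINCIPAL_IDS = ["11111111-1111-1111-1111-111111111111"]
BREAK_GLASS_IDS = ["22222222-2222-2222-2222-222222222222"]

REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = ("enabled", "disabled", REPORT_ONLY)


def workload_identity_location_policy(service_principal_ids, trusted_location_id, state=REPORT_ONLY):
    """Block the listed service principals unless they sign in from the trusted named location.

    Conditional Access for workload identities supports only the block grant control,
    so the policy is "block everywhere except the trusted location" rather than "require X".
    """
    return {
        "displayName": "Block service principals outside trusted locations",
        "state": state,
        "conditions": {
            "clientApplications": {
                "includeServicePrincipals": list(service_principal_ids),
                "excludeServicePrincipals": [],
            },
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [trusted_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def compliant_device_policy(break_glass_ids, state=REPORT_ONLY):
    """Require an MDM-compliant device for every user sign-in, across every client app type."""
    return {
        "displayName": "Require compliant device for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def lint_policy(policy):
    """Return the mistakes that turn a protective policy into a self-inflicted lockout."""
    findings = []
    conds = policy["conditions"]
    users = conds.get("users", {})
    controls = policy["grantControls"]["builtInControls"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        findings.append("break-glass accounts are not excluded; a policy mistake locks every admin out")
    if not controls:
        findings.append("no grant control: the policy matches sign-ins but enforces nothing")
    if "clientApplications" in conds and controls != ["block"]:
        findings.append("workload identity policies support only the block grant control")
    if policy["state"] not in VALID_STATES:
        findings.append(f"unknown state {policy['state']!r}")
    return findings


def submit_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess). Not called in this example."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in (
        workload_identity_location_policy(SERVICE_PRINCIPAL_IDS, TRUSTED_LOCATION_ID),
        compliant_device_policy(BREAK_GLASS_IDS),
        compliant_device_policy([]),  # weak variant: nobody excluded
    ):
        print(p["displayName"], "->", lint_policy(p) or "ok")
```

The linter is deliberately small: the three checks it makes (excluded break-glass accounts, a non-empty grant, block-only for workload identities) are the ones that matter before you flip `state` from report-only to `enabled`. Only the service principals listed in `includeServicePrincipals` are covered by the first policy, so keep an inventory of which identities do the SharePoint backups and directory syncs and add each one explicitly.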
And finally, the big one: passwordless authentication. Swapping traditional passwords, and all the headache they cause users and IT departments, for digital certificates is the best move you can make to keep your company secure. A certificate cannot be sprayed, brute forced, guessed, phished, or socially engineered, and it cannot be forgotten, mistyped, or shared, provided its private key is generated and held in hardware (a TPM or smart card) so that it cannot be exported and copied off the device. This applies to the service identities at the heart of this campaign as well: a service principal authenticating with a certificate credential has no password to spray. With 80% of all data breaches starting with a compromised password, it's clear that eliminating passwords significantly reduces your organization's risk. By adopting passwordless authentication with digital certificates, you remove the weakest link in security, human error, while streamlining user access.
As attacks get more sophisticated, it’s important to have the right tools in place to keep you protected.
Try Portnox Cloud for Free Today
Gain access to all of Portnox's powerful zero trust access control capabilities, free for 30 days!