There are two undeniable truths in the world of cybersecurity: Microsoft is a prime target for hackers, and two-factor authentication is a hurdle they hate to encounter. A newly reported password spray and pray attack campaign exploits both of these truths by targeting only those Microsoft 365 accounts that still rely on the now-deprecated basic authentication. Here’s what is happening and the steps your organization needs to take to mitigate the risk.
The Password Spray And Pray Attack
A botnet that comprises at least 130,000 devices that have been compromised by what is “likely a Chinese-affiliated group,” according to the SecurityScorecard researchers who have analyzed the threat, is conducting a large-scale password hacking campaign against Microsoft 365 accounts.
In order to bypass login protections such as 2FA, the attack targets non-interactive sign-ins that use Basic Authentication, a mechanism Microsoft deprecated long ago precisely because it is insecure. “This tactic has been observed across multiple M365 tenants globally,” the researchers said, “indicating a widespread and ongoing threat.” Because the attempts are recorded only in the non-interactive sign-in logs, which security teams often overlook, a gap opens that lets the threat actors run such high-volume spray and pray password campaigns largely undetected.
“Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols and automated processes,” SecurityScorecard said, do not trigger 2FA in many configurations. The underlying problem is that basic authentication is still enabled in some environments, which means that passwords are transmitted in plain text.
While Microsoft has been deprecating basic authentication, it won’t be until Sept. 2025 that it is fully retired, the researchers said. “Despite the ongoing deprecation, the behavior described in this report presents an immediate threat.”
Mitigating The Microsoft 365 Password Spraying Attacks
The SecurityScorecard report recommends that the botnet activity here should prompt organizations to prioritize deprecating basic authentication, proactively monitor login patterns and implement strong detection mechanisms for such password-spraying attacks. “The use of non-interactive sign-in logs to evade MFA and possibly Conditional Access Policies,” the researchers said, “underscores the need for organizations to reassess their authentication strategies.”
“The passwords are usually collected from credential dumps, which attackers access from the Dark Web,” Boris Cipot, senior security engineer at Black Duck, said; “To avoid brute-force protections, attackers limit the password testing on user accounts to prevent lockout policies.”
To lower the risk of such attacks, Cipot said, organizations must deploy access policies based on geolocation and device compliance. “To make login more secure,” Cipot concluded, “multi-factor authentication or certificate-based authentication provides an additional level of security.” So, if you don’t want the hacker’s password prayers to be answered, you know what to do.
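As an added illustration of the detection the report calls for, and not code from SecurityScorecard, Black Duck or Microsoft, the Python below scans constructed sign-in records shaped like simplified Entra ID non-interactive sign-in events and flags source addresses that touch many accounts over legacy protocols while keeping per-account attempts below a lockout threshold, the low-and-slow pattern Cipot describes. The field names and the set of legacy clientAppUsed values are assumptions to be adapted to your tenant's log export.

```python
from collections import defaultdict

# Assumed clientAppUsed values that indicate legacy (basic) authentication;
# check them against your own tenant's sign-in log export.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def _ev(user, ip, app, interactive=False, status="failure"):
    """Build one simplified sign-in record (constructed sample data)."""
    return {"userPrincipalName": user, "ipAddress": ip, "clientAppUsed": app,
            "isInteractive": interactive, "status": status}


# Constructed sample log: one spraying address, one single-account hammer, one normal user.
SAMPLE_EVENTS = (
    [_ev(f"user{i}@example.com", "203.0.113.7", "IMAP4") for i in range(1, 7)]   # 6 accounts, 1 try each
    + [_ev("user1@example.com", "203.0.113.7", "IMAP4")]                          # second try, still under lockout
    + [_ev("user3@example.com", "203.0.113.7", "IMAP4", status="success")]        # one guess landed
    + [_ev("alice@example.com", "198.51.100.9", "Exchange ActiveSync") for _ in range(10)]  # brute force, not spray
    + [_ev("bob@example.com", "192.0.2.20", "Browser", interactive=True, status="success")]  # normal MFA login
)


def detect_legacy_spray(events, min_users=5, max_attempts_per_user=3):
    """Return one finding per source IP that, over non-interactive legacy-protocol
    sign-ins, targeted at least min_users distinct accounts without exceeding
    max_attempts_per_user on any of them (the lockout-avoiding spray pattern)."""
    attempts = defaultdict(lambda: defaultdict(int))   # ip -> user -> attempt count
    successes = defaultdict(set)                        # ip -> users with a successful sign-in
    for e in events:
        if e["isInteractive"] or e["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue                                    # interactive or modern-auth traffic is out of scope
        attempts[e["ipAddress"]][e["userPrincipalName"]] += 1
        if e["status"] == "success":
            successes[e["ipAddress"]].add(e["userPrincipalName"])
    findings = []
    for ip, users in attempts.items():
        if len(users) >= min_users and max(users.values()) <= max_attempts_per_user:
            findings.append({"ip": ip, "accounts": len(users),
                             "max_per_account": max(users.values()),
                             "compromised": sorted(successes[ip])})
    return findings


if __name__ == "__main__":
    for f in detect_legacy_spray(SAMPLE_EVENTS):
        print(f"{f['ip']}: {f['accounts']} accounts, <= {f['max_per_account']} tries each,"
              f" successes on {f['compromised'] or 'none'}")
```

The brute-force address is deliberately not reported by this rule; it is the high-volume pattern existing lockout policies already catch, whereas the spray address would otherwise sit unnoticed in the non-interactive log.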