A vast botnet of over 130,000 compromised devices is now attacking Microsoft 365 accounts worldwide. A botnet is a network of computing devices that have been surreptitiously taken over by hackers and are being controlled remotely without the owners’ knowledge.
Microsoft 365 accounts are suffering from ‘password spray attacks’ by the botnet. This involves mass attempts to use large numbers of common passwords to infiltrate users’ Microsoft accounts, targeting basic authentication procedures and thereby bypassing multi-factor authentication.
“Organizations relying solely on interactive sign-in monitoring are blind to these attacks… Basic Authentication, still enabled in some environments, allows credentials to be transmitted in plain form, making it a prime target for attackers,” reports cybersecurity company SecurityScorecard.
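As a defender-side illustration of the point in that quote, here is detection logic added for this article (not code from SecurityScorecard or Microsoft) that runs over constructed sign-in events: it flags a source IP that fails password checks over legacy (Basic Authentication) protocols against many distinct accounts, the pattern interactive-sign-in monitoring alone misses, and then lists accounts that subsequently authenticated successfully over those protocols from the same source. The field names, client-type labels and error code are assumptions modelled on the Microsoft Entra ID sign-in log schema; the thresholds are parameters to tune.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events (invented values, not real log data). Field names follow
# the Microsoft Entra ID sign-in log schema as I understand it; treat that as an assumption.
SAMPLE_LOG = """
{"createdDateTime":"2025-01-15T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-15T09:01:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-15T09:02:30Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-15T09:03:00Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T09:00:10Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.5","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-15T08:00:00Z","userPrincipalName":"erin@example.com","ipAddress":"192.0.2.77","clientAppUsed":"POP3","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-15T08:30:00Z","userPrincipalName":"frank@example.com","ipAddress":"192.0.2.77","clientAppUsed":"POP3","status":{"errorCode":50126}}
"""
# Client types that authenticate via Basic Authentication rather than modern auth (assumed list).
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}
BAD_PASSWORD = 50126  # Entra error code for invalid username or password (assumed)

def parse_signins(text):
    """Parse newline-delimited JSON events and attach a timezone-aware timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
    return events

def detect_spray(events, min_users=3, window=timedelta(minutes=10)):
    """{ip: sorted users} for IPs failing the password check for >= min_users distinct
    accounts over legacy protocols within `window` (many users, few tries each)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["clientAppUsed"] in LEGACY_CLIENTS and e["status"]["errorCode"] == BAD_PASSWORD:
            by_ip[e["ipAddress"]].append((e["ts"], e["userPrincipalName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding time window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits

def legacy_successes(events, spray_ips):
    """Users who then logged in successfully over a legacy protocol from a spraying IP."""
    return sorted((e["userPrincipalName"], e["ipAddress"]) for e in events
                  if e["clientAppUsed"] in LEGACY_CLIENTS
                  and e["status"]["errorCode"] == 0 and e["ipAddress"] in spray_ips)
```

The browser-based failure from 198.51.100.5 is deliberately ignored here because interactive sign-ins are what existing alerting already sees; the successful legacy sign-in by dave from the spraying IP is the account to check first.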
The botnet has been active since December 2024. According to SecurityScorecard, the operators of the botnet are likely to be Chinese-affiliated, as it proxies traffic through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud. The system timezone on the servers the botnet uses is also set to Asia/Shanghai.
Wake-up call for companies using Microsoft 365
The technique used by the hackers avoids triggering security alerts and is being seen as a wake-up call for any organization that uses Microsoft 365, as the current botnet campaign has exposed a critical weakness in authentication security. Companies are advised to step up their multi-factor authentication protocols, after first having identified if any Microsoft 365 accounts used by staff have been compromised.
Botnet attacks of all kinds are on the rise globally. For example, many are designed to attack ‘dumb’ devices such as security cameras, which are now routinely connected to the internet as part of what is commonly known as the Internet of Things (IoT).
The growing menace of botnet attacks is also thought to be a result of the gradual shift from desktop computers and laptops to smartphones. This year, there are estimated to be almost five billion smartphone users worldwide. Many of these users also have access to those more traditional digital devices, which are often provided by their employers. But as many applications used for business and personal tasks are now available on pocketable smartphones, the other computers often have unused data capacity. This makes it unlikely that the users would have any knowledge that their devices are being sneakily used by cyber criminals and cyber-terrorists.