Chinese Botnet Bypasses MFA in Microsoft 365 Attacks


A massive Chinese botnet is targeting Microsoft 365 accounts with large-scale password spraying attacks that can bypass multifactor authentication (MFA), according to SecurityScorecard.

The botnet, which is made up of over 130,000 compromised devices, is systematically attempting to log into M365 tenants globally using credentials stolen by infostealer malware.

This technique is designed to gain access to sensitive data, emails and collaboration tools across different industries. Attackers can also use compromised accounts to conduct lateral movement activities in a network, such as internal phishing.

Additionally, the botnet can result in business disruption by triggering account lockouts due to repeated failed login attempts.

Sectors that heavily rely on M365 for email, document storage and collaboration are at particular risk. These include financial services, healthcare, government and tech providers.

The researchers believe the ongoing campaign is likely being conducted by a Chinese-affiliated group. This is because the botnet uses infrastructure tied to CDS Global Cloud and UCLOUD HK, providers with operational links to China.

It also leverages command-and-control (C2) servers hosted in SharkTech, a US-based provider that has been observed hosting malicious activity in the past. The time zone for these servers has been configured as “Asia/Shanghai.”


Botnet Designed to Bypass MFA and Access Policies

The attackers are able to evade multifactor authentication (MFA) and potentially bypass Conditional Access Policies (CAP) by utilizing a method that causes login events to be logged in the Non-Interactive Sign-in logs.

Non-interactive sign-ins are delegated sign-ins performed by a client app or operating system components on behalf of a user. They do not require the user to provide an authentication factor, and in many configurations, do not trigger MFA.

Organizations that rely solely on interactive sign-in monitoring are “blind” to these attacks, SecurityScorecard noted.

“These attacks are recorded in Non-Interactive Sign-In logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected. This tactic has been observed across multiple M365 tenants globally, indicating a widespread and ongoing threat,” the researchers said.

Commenting on the research, Boris Cipot, Senior Security Engineer at application security software firm Black Duck, described the new botnet campaign as a “significant evolutionary step forward” compared to previously used password spraying tactics.

“New attack tactics deploy non-interactive sign-ins that are less prone to typical security alerts like failed login. Non-interactive sign-ins include logins over API or automated services, for example. Therefore, this new botnet leverages organizations’ gaps in their authentication monitoring,” Cipot explained.

How to Tackle the Botnet Campaign

The report highlighted a range of recommendations to detect and mitigate the password spraying campaign:

  • Reassess access policies to ensure they are based on geolocation and device compliance
  • Implement conditional access policies that restrict non-interactive login attempts
  • Review Non-Interactive Sign-In logs for unauthorized access attempts
  • Disable legacy authentication protocols like Basic Authentication
  • Monitor for leaked credentials on underground forums and act swiftly to reset compromised accounts
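As an added example that is not part of the SecurityScorecard report, the check below applies the recommendation to review Non-Interactive Sign-In logs: it flags a source IP whose non-interactive sign-ins failed against several distinct accounts (the spray signature) and reports any account that then succeeded from that IP. Field names follow the Entra ID sign-in log export shape (`userPrincipalName`, `ipAddress`, `status.errorCode`, `isInteractive`); the records and values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records shaped loosely like an Entra ID sign-in log export
# (real exports carry many more fields). errorCode 50126 is "invalid username
# or password"; 0 is success. Addresses and accounts are made up.
SAMPLE_LOG = json.loads("""[
 {"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126},"isInteractive":false},
 {"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126},"isInteractive":false},
 {"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126},"isInteractive":false},
 {"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0},"isInteractive":false},
 {"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126},"isInteractive":true},
 {"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","status":{"errorCode":0},"isInteractive":true}
]""")


def detect_spray(records, min_users=3):
    """Return one finding per source IP whose NON-interactive sign-ins failed for
    at least `min_users` distinct accounts, listing any account that afterwards
    signed in successfully from the same IP (a likely compromised account)."""
    failed = defaultdict(set)     # ip -> accounts with a failed non-interactive attempt
    succeeded = defaultdict(set)  # ip -> accounts with a successful non-interactive sign-in
    for r in records:
        if r.get("isInteractive", True):
            continue  # interactive sign-ins are usually monitored already; the gap is here
        bucket = succeeded if r["status"]["errorCode"] == 0 else failed
        bucket[r["ipAddress"]].add(r["userPrincipalName"].lower())
    findings = []
    for ip, users in failed.items():
        if len(users) >= min_users:
            findings.append({
                "ip": ip,
                "failed_users": sorted(users),
                "succeeded_users": sorted(succeeded[ip]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['failed_users'])} accounts failed, "
              f"then succeeded for {f['succeeded_users'] or 'none'}")
```

Accounts listed under `succeeded_users` are candidates for the credential reset the report recommends; the interactive failures from the second IP are deliberately ignored to show what interactive-only monitoring misses.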
