Researchers revealed a botnet of 130,000 compromised devices is executing a significant password spraying attack targeting Microsoft 365 accounts. This operation exploits the non-interactive sign-in process, which uses basic authentication that does not require user interaction and can therefore avoid triggering multi-factor authentication (MFA). Through analysis, a STRIKE team discovered suspicious sign-ins linked to specific servers deemed as command and control (C2), indicating the use of stolen credentials from infostealer logs. This systemic approach aims to compromise user accounts while minimizing lockout risks.
A botnet comprised of 130,000 compromised devices has been executing a substantial password spraying campaign against Microsoft 365 accounts, exploiting non-interactive sign-in processes.
The attackers are leveraging basic authentication methods that send user credentials in plain text, allowing them to bypass multi-factor authentication (MFA) requirements.
Collection
[
|
...
]