A botnet of more than 130,000 compromised devices is conducting a large-scale password-spray cyberattack, targeting Microsoft 365 accounts through a basic authentication feature.
The attacks have been recorded in non-interactive sign-in logs, something that the researchers at Security Scorecard note is often overlooked by security teams. Threat actors are able to exploit this feature by conducting high-volume password spraying attempts while going virtually undetected.
Non-interactive sign-ins are completed on behalf of the user, performed by a client app or operating system components, and do not require the user to provide any authentication. Rather, the user is automatically authenticated using previously established credentials.
Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations, said Jason Soroko, senior fellow at Sectigo, in an emailed statement to Dark Reading.
They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
This tactic differs from traditional password spray attacks, which often result in account lockouts that prompt investigation by security teams. By exploiting non-interactive sign-ins, threat actors are given more time to infiltrate a system before any alarms are sounded, and typically succeed against even the most robust security environments.
The researchers have observed this tactic in multiple M365 tenants around the world.
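Because these attempts land only in non-interactive sign-in logs, one way to surface them is to group failed non-interactive sign-ins by source address and flag any address that fails against many distinct accounts, especially over a legacy authentication client. The script below is an added example, not code from the article or from SecurityScorecard; its log records are constructed, and the field names (isInteractive, clientAppUsed, ipAddress, userPrincipalName, status.errorCode) and the error code 50126 are assumed to follow the Microsoft Graph sign-in schema, so adjust them to your export format.

```python
"""Flag password-spray sources in Entra ID style non-interactive sign-in logs."""
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line (not real log data).
# Field names are assumed to match the Microsoft Graph signIn resource.
_SPRAY = [
    {"userPrincipalName": f"user{i}@example.com", "ipAddress": "203.0.113.10",
     "isInteractive": False, "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 50126}}           # 50126 = invalid username/password
    for i in range(12)
]
_BENIGN = [
    {"userPrincipalName": "svc-backup@example.com", "ipAddress": "198.51.100.7",
     "isInteractive": False, "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},              # legitimate background sign-in
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.8",
     "isInteractive": True, "clientAppUsed": "Browser",
     "status": {"errorCode": 50126}},          # interactive typo, handled by lockout
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _SPRAY + _BENIGN)

LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3",
                  "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126


def parse(log_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_spray_sources(records, min_distinct_users=5):
    """Return {ip: {"users": [...], "legacy_auth_attempts": n}} for every source
    whose failed NON-interactive password attempts hit >= min_distinct_users
    accounts. Interactive failures are ignored: they already trip lockouts."""
    failed_users = defaultdict(set)
    legacy_hits = defaultdict(int)
    for rec in records:
        if rec.get("isInteractive"):
            continue
        if rec.get("status", {}).get("errorCode") != INVALID_PASSWORD:
            continue
        ip = rec.get("ipAddress", "unknown")
        failed_users[ip].add(rec.get("userPrincipalName", "unknown"))
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            legacy_hits[ip] += 1
    return {ip: {"users": sorted(users), "legacy_auth_attempts": legacy_hits[ip]}
            for ip, users in failed_users.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    print(json.dumps(find_spray_sources(parse(SAMPLE_LOG)), indent=2))
```

In production the same grouping belongs in a scheduled query over the SIEM export, with the threshold tuned to how many distinct accounts a single address legitimately authenticates for in your tenant.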
Source : https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet