THREAT ALERT

M365 Password Spraying Attack via Botnet

Thursday, February 27th, 2025


Microsoft 365 accounts are the target of a large-scale password spraying attack by a Chinese-affiliated botnet that is able to get around multifactor authentication (MFA). The botnet comprises over 130,000 compromised devices and uses credentials harvested by infostealer malware to systematically attempt logins to M365 accounts worldwide.

A compromised M365 account is highly damaging to an organization for several reasons. Once in, the attacker can freely read mailboxes and stored data, use the trusted account to move laterally within the tenant and the network, and run internal phishing campaigns from a sender colleagues already trust. Even unsuccessful attempts cause disruption: repeated failed logins can lock legitimate users out of their accounts.

As noted above, the botnet can evade MFA, and potentially Conditional Access Policies (CAP), because its login attempts are non-interactive sign-ins. Non-interactive sign-ins are performed by operating system components or client applications on behalf of a user, without prompting the user, and are recorded in the Non-Interactive Sign-in logs rather than the interactive sign-in logs. In many tenant configurations these sign-ins, in particular those made over legacy authentication protocols, are never challenged for MFA. An organization that monitors only the interactive sign-in logs will therefore not see the attack at all. The botnet's command-and-control (C2) servers are hosted at SharkTech, a US-based provider that has previously been observed hosting malicious activity. The servers are configured with the "Asia/Shanghai" time zone, which supports the assessment that the campaign is run by a Chinese-affiliated group.

Combat the problem

Below is a list of recommendations to help detect and mitigate this password spraying campaign. Note that this is not an exhaustive list, and you should also refer to your own internal policies and procedures for guidance.

  • Reassess your Conditional Access policies so that they require compliant devices and enforce geolocation-based restrictions.
  • Restrict non-interactive login attempts by implementing Conditional Access policies that cover them.
  • Monitor and review the Non-Interactive Sign-in logs for unauthorized access attempts, not just the interactive logs.
  • Monitor underground forums for leaked credentials and promptly reset any that are found to be compromised.
  • Disable any legacy authentication protocols that are still enabled.
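
As an added worked example (not DefenseStorm's tooling and not part of the original alert), the following Python script applies the detection step above to an exported Non-Interactive Sign-in log: it ignores interactive sign-ins, flags any source IP that fails with invalid credentials against many distinct accounts within a short window, and then reports any successful sign-in from that IP, calling out those that completed with single-factor authentication over a legacy client, which is the pattern described above. The field names (userPrincipalName, ipAddress, clientAppUsed, isInteractive, authenticationRequirement, status.errorCode) follow the Entra ID sign-in log schema; the log lines, IP addresses, thresholds (five distinct accounts from one source within an hour) and the subset of legacy client labels are constructed assumptions for this illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that indicate legacy (Basic) authentication. This is an
# assumed subset; Entra ID uses further labels for other legacy Exchange protocols.
LEGACY_CLIENTS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Exchange Web Services"}
INVALID_CREDENTIALS = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0

# Constructed JSON-lines export of sign-in records (not real tenant data).
# 203.0.113.7 sprays six accounts in under a minute, then succeeds against c.lee
# over Basic Auth with no MFA; 198.51.100.20 is ordinary user traffic.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-26T03:10:05Z","userPrincipalName":"a.smith@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:10:09Z","userPrincipalName":"b.jones@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:10:14Z","userPrincipalName":"c.lee@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:10:20Z","userPrincipalName":"d.khan@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:10:27Z","userPrincipalName":"e.diaz@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:10:33Z","userPrincipalName":"f.wong@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-26T03:41:02Z","userPrincipalName":"c.lee@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Other clients","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2025-02-26T08:15:44Z","userPrincipalName":"g.park@example.com","ipAddress":"198.51.100.20","clientAppUsed":"Mobile Apps and Desktop clients","isInteractive":false,"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2025-02-26T08:16:10Z","userPrincipalName":"h.roy@example.com","ipAddress":"198.51.100.20","clientAppUsed":"Browser","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":50126}}
"""


def parse_jsonl(text):
    """Parse a JSON-lines sign-in export into dicts, adding a parsed 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(hours=1), min_users=5):
    """
    Flag source IPs whose non-interactive sign-ins failed with invalid credentials
    against at least `min_users` distinct accounts inside any `window`-long span.
    Returns {ip: {"users": set of sprayed UPNs,
                  "successes": [(upn, clientAppUsed, authenticationRequirement)],
                  "legacy_auth": bool}}.
    The thresholds are illustrative; tune them to your tenant's baseline.
    """
    by_ip = defaultdict(list)
    for e in events:
        # Records missing the flag are treated as interactive and skipped: the
        # campaign lives in the non-interactive log, which is what we examine here.
        if e.get("isInteractive", True):
            continue
        by_ip[e["ipAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"]["errorCode"] == INVALID_CREDENTIALS]
        sprayed = set()
        start = 0
        for end in range(len(fails)):          # sliding window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users_in_window = {f["userPrincipalName"] for f in fails[start:end + 1]}
            if len(users_in_window) >= min_users:
                sprayed |= users_in_window
        if not sprayed:
            continue
        successes = [(e["userPrincipalName"], e["clientAppUsed"],
                      e["authenticationRequirement"])
                     for e in evs if e["status"]["errorCode"] == SUCCESS]
        findings[ip] = {
            "users": sprayed,
            "successes": successes,
            "legacy_auth": any(e["clientAppUsed"] in LEGACY_CLIENTS for e in evs),
        }
    return findings


def report(findings):
    """Render findings as analyst-readable lines; single-factor successes are the alarm."""
    lines = []
    for ip, f in sorted(findings.items()):
        lines.append(f"{ip}: sprayed {len(f['users'])} accounts; legacy auth={f['legacy_auth']}")
        for upn, client, req in f["successes"]:
            tag = "MFA NOT ENFORCED" if req == "singleFactorAuthentication" else "mfa"
            lines.append(f"  SUCCESS {upn} via {client} [{tag}]")
    return lines


if __name__ == "__main__":
    for line in report(detect_spray(parse_jsonl(SAMPLE_LOG))):
        print(line)
```

Run against a real export (Entra admin center, Sign-in logs, Non-interactive tab, download as JSON), the script's output is the list of source IPs to block and the accounts whose credentials need resetting; the benign IP in the sample is not flagged because its only failure is an interactive browser sign-in.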

DefenseStorm Recommendations

As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continue internal phishing-awareness training
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to protect against known security vulnerabilities
  • Maintain a strong password policy
  • Enable multifactor authentication
  • Regularly back up data, and keep air-gapped, password-protected backup copies offline
  • Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Harden applications
  • Restrict administrative access


Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.