Microsoft Password Spray And Pray Attack Targets Accounts Without 2FA
The Password Spray And Pray Attack
A botnet that comprises at least 130,000 devices that have been compromised by what is “likely a Chinese-affiliated group,” according to the SecurityScorecard researchers who have analyzed the threat, is conducting a large-scale password hacking campaign against Microsoft 365 accounts.
To bypass login protections such as 2FA, the attack targets non-interactive sign-ins that use Basic Authentication, a mechanism Microsoft deprecated long ago precisely because of its weak security. “This tactic has been observed across multiple M365 tenants globally,” the researchers said, “indicating a widespread and ongoing threat.” Because the attempts are recorded only in the non-interactive sign-in logs, they are often overlooked by security teams, creating a gap that lets the threat actors run such high-volume spray and pray password campaigns largely undetected.
Mitigating The Microsoft 365 Password Spraying Attacks
The SecurityScorecard report recommends that the botnet activity here should prompt organizations to prioritize deprecating basic authentication, proactively monitor login patterns and implement strong detection mechanisms for such password-spraying attacks. “The use of non-interactive sign-in logs to evade MFA and possibly Conditional Access Policies,” the researchers said, “underscores the need for organizations to reassess their authentication strategies.”
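The detection the report calls for can be built from the non-interactive sign-in logs themselves. The following is an added example, not code from SecurityScorecard or Microsoft: it scans constructed sign-in records (field names modelled on the Entra ID sign-in log schema, which is an assumption) and flags the low-and-slow spray pattern described above, where one source touches many accounts with only a few failed Basic Authentication attempts each; the thresholds are assumptions to tune per tenant.

```python
"""Password-spray detection over non-interactive sign-in events (added example)."""
from collections import defaultdict

# Legacy client types that ride on Basic Authentication (assumed label set).
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # Entra ID error code for a bad username/password


def detect_spray(events, min_accounts=5, max_failures_per_account=3):
    """Return {source_ip: [accounts]} for sources showing a spray pattern.

    A source is flagged when its failed, non-interactive, legacy-protocol
    logins hit at least `min_accounts` distinct accounts while staying at or
    under `max_failures_per_account` on each, i.e. the pattern that stays
    below lockout thresholds and hides in the non-interactive logs.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> count
    for e in events:
        if e.get("isInteractive"):  # interactive logins are already watched
            continue
        if e.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        if e.get("status", {}).get("errorCode") != INVALID_CREDENTIALS:
            continue
        failures[e["ipAddress"]][e["userPrincipalName"]] += 1
    findings = {}
    for ip, per_account in failures.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_failures_per_account:
            findings[ip] = sorted(per_account)
    return findings


def _ev(upn, ip, code=INVALID_CREDENTIALS, app="Authenticated SMTP", interactive=False):
    """Build one constructed sign-in record."""
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": app,
            "isInteractive": interactive, "status": {"errorCode": code}}


# Constructed sample log: documentation IP ranges, hypothetical accounts.
SAMPLE_EVENTS = (
    [_ev(f"user{i}@example.com", "203.0.113.7") for i in range(6)]        # spray: 1 try x 6 accounts
    + [_ev("cfo@example.com", "203.0.113.99") for _ in range(10)]          # brute force on one account
    + [_ev("ceo@example.com", "198.51.100.4", app="Browser", interactive=True) for _ in range(5)]
    + [_ev("svc-backup@example.com", "192.0.2.10", code=0)]                # legitimate service login
)

if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

Only the single-source, many-account, few-attempts pattern is reported; the ten-attempt hammering of one account is a different (lockout-triggering) signal and is deliberately left to other rules.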
Microsoft’s Statement on the Attack
“We encourage customers to always follow security best practices, make sure they have deployed the latest security updates, and enable multi-factor authentication,” a Microsoft spokesperson said.
Expert Insights
“Organizations heavily reliant on Microsoft 365 should take this attack as a wake-up call,” said Darren Guccione, CEO at Keeper Security. “This attack is a reminder that robust cybersecurity isn’t just about having multi-factor authentication, it’s about securing every authentication pathway. A password manager enforces strong, unique credentials while minimizing exposure to credential-based attacks. For non-interactive authentication, Privileged Access Management is essential, ensuring least-privilege access, regular credential rotation, and real-time monitoring of service accounts.”
Jason Soroko, a senior fellow at Sectigo, added that organizations should better secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring. “Microsoft 365 can restrict non-interactive logins through configuration,” Soroko said. “Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins. However, such restrictions must be applied thoughtfully to avoid disrupting legitimate automated processes.”
Boris Cipot, senior security engineer at Black Duck, stressed the importance of deploying access policies based on geolocation and device compliance. “To avoid brute-force protections, attackers limit the password testing on user accounts to prevent lockout policies,” Cipot said. “To lower the risk of such attacks, organizations must deploy access policies based on geolocation and device compliance. To make login more secure, multi-factor authentication or certificate-based authentication provides an additional level of security.”
Conclusion
The recent password spray and pray attack campaign targeting Microsoft 365 accounts is a wake-up call for organizations to prioritize deprecating basic authentication, proactively monitor login patterns, and implement strong detection mechanisms. By following best practices, deploying access policies, and utilizing multi-factor authentication, organizations can minimize the risk of such attacks.
FAQs
Q: What is the latest update on the Microsoft 365 password spray and pray attack?
A: The attack is ongoing and has been observed across multiple M365 tenants globally.
Q: What is the impact of the attack?
A: The attack allows threat actors to bypass login protections such as 2FA and conduct high-volume spray and pray password hacking campaigns largely undetected.
Q: What can organizations do to mitigate the attack?
A: Organizations should prioritize deprecating basic authentication, proactively monitor login patterns, and implement strong detection mechanisms. They should also consider deploying access policies, utilizing multi-factor authentication, and utilizing password managers.