A sophisticated botnet attack is targeting Microsoft 365 accounts worldwide using password-spraying techniques.

What Are the Risks?

This botnet attack has severe implications for business operations.

The attackers employ Basic Authentication to conduct password spraying, trying widely used or compromised passwords across numerous accounts. This enables:

  1. Password Guessing: Attempting common or known passwords to gain access.
  2. MFA Bypass: Exploiting Basic Authentication to avoid MFA prompts.
  3. CAP Evasion: Circumventing Conditional Access Policies (CAP) by exploiting plain-text credential transmission.
  4. Covert Access: Utilizing compromised accounts for phishing or accessing legacy services without MFA.

How to Protect Your Organization

Implement the following strategies to reduce the risk of compromise:

  1. Disable Basic Authentication:
    • Transition to modern authentication methods that fully support MFA.
  2. Enforce Conditional Access Policies (CAP):
    • Configure policies to consider user location, device compliance, and risk levels.
    • Automatically block suspicious login attempts.
  3. Implement MFA Everywhere:
    • Enforce MFA for all users, even for non-interactive sign-ins.
  4. Deploy Sign-In Risk Policies:
    • Automatically respond to risky sign-ins with alerts or blocked access.
  5. Strengthen Password Policies:
    • Require strong, unique passwords and enforce regular changes.
    • Educate users on using password managers to maintain security.
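
Before disabling Basic Authentication, it helps to know which accounts still rely on it and whether spraying has already succeeded against any of them. The Python sketch below is an added example, not part of the original article: it scans exported sign-in records for the pattern described above. Field names follow the Microsoft Graph `signIn` resource; the sample records, the legacy-client list (a subset) and the `min_users` threshold are constructed assumptions.

```python
from collections import defaultdict

# Subset of clientAppUsed values reported for legacy (Basic Auth) protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Exchange Web Services", "Other clients"}
BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def _rec(ts, user, ip, app, code):
    """Build a record shaped like a Microsoft Graph signIn object."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE = [
    _rec("2025-01-10T02:00:01Z", "alice@example.com", "203.0.113.7", "Authenticated SMTP", 50126),
    _rec("2025-01-10T02:00:02Z", "bob@example.com", "203.0.113.7", "Authenticated SMTP", 50126),
    _rec("2025-01-10T02:00:03Z", "carol@example.com", "203.0.113.7", "IMAP4", 50126),
    _rec("2025-01-10T02:00:04Z", "dave@example.com", "203.0.113.7", "IMAP4", 0),
    _rec("2025-01-10T08:15:00Z", "erin@example.com", "198.51.100.20", "Exchange ActiveSync", 0),
    _rec("2025-01-10T08:16:00Z", "alice@example.com", "198.51.100.20", "Browser", 50126),
    _rec("2025-01-10T08:17:00Z", "alice@example.com", "198.51.100.20", "Browser", 0),
]

def analyze(records, min_users=3):
    """Summarize legacy-auth sign-ins: spray sources, accounts still using
    Basic Auth, and accounts that a spray source signed in to successfully."""
    failed = defaultdict(set)   # source IP -> users with bad-password failures
    successes = []              # (ip, user) for successful legacy sign-ins
    for r in records:
        if r["clientAppUsed"] not in LEGACY_CLIENTS:
            continue            # modern auth is subject to MFA and CAP
        code = r["status"]["errorCode"]
        if code == BAD_PASSWORD:
            failed[r["ipAddress"]].add(r["userPrincipalName"])
        elif code == 0:
            successes.append((r["ipAddress"], r["userPrincipalName"]))
    # One source failing against many distinct users is the spraying signature.
    spray = {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_users}
    return {
        "spray_sources": spray,
        "legacy_users": sorted({u for _, u in successes}),
        "likely_compromised": sorted({u for ip, u in successes if ip in spray}),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

Accounts listed under `legacy_users` need to be migrated to modern authentication before Basic Authentication is switched off; those under `likely_compromised` warrant a password reset and session review.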
