Microsoft 365 at risk: massive botnet targeting users in password spraying attacks


The attacks are likely carried out by an advanced Chinese-affiliated group, with Strike researchers hinting at Volt Typhoon or Salt Typhoon.

A massive botnet of over 130 compromised devices, running since December 2024, is conducting large-scale password-spraying attacks against Microsoft 365 (formerly Office 365) users.

According to researchers at Strike, the attackers are exploiting non-interactive sign-ins with Basic Authentication, which enables logins without requiring multi-factor authentication (MFA).

This creates blind spots for security teams, allowing attackers to leverage stolen credentials from infostealer logs to simultaneously target multiple accounts with one password in password-spraying attacks.

The researchers note that the security gap poses risks of account takeover attacks, which could lead to hackers accessing sensitive data, disrupting business operations, and using compromised accounts for further exploitation.

Attacks point to sophisticated threat actor

Strike says it conducted an initial investigation when a number of failed sign-in attempts were noted in the non-interactive sign-in logs of a Microsoft 365 user. The issue was also described in multiple web posts.

When analyzing netflow data from one of their partners, the researchers identified recurring IP addresses that were communicating with all of the attackers’ IP addresses.

One IP address (204.188.210.226) was hosted at SharkTech, where rampant malicious activities were observed.

For example, researchers say they noticed at least 11 IP addresses on many available IP blocklists, 246 IPs running Simple Mail Transfer Protocol on non-standard ports, and 274 potentially unwanted trackers.

Further investigation of ports led to two hosting providers (CDSC-AS1 and UCLOUD HK) affiliated with China.

Meanwhile, an analysis of servers found that they were running Apache Zookeeper, a distributed system coordination framework.

“The use of Zookeeper, an industry standard for distributed systems development, could indicate a sophisticated threat actor with strong software engineering knowledge, given the complexity of running a Zookeeper cluster at scale,” the researchers note.

Strike hints that the attacks may be carried out by Volt Typhoon or Salt Typhoon, hacking groups associated with the Chinese government.

“This botnet activity highlights the importance of deprecating basic authentication, proactively monitoring login patterns, and implementing strong detection mechanisms for password spraying attempts,” the researchers conclude, adding that organizations should reassess their authentication strategies and monitor for leaked credentials.
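As an added illustration of the detection the researchers recommend (example code, not from Strike or this article): the check below runs over constructed sign-in records shaped loosely like Entra ID non-interactive sign-in log entries, flags a source IP that fails against several distinct accounts over Basic Authentication protocols within a short window, and lists the accounts where that same source then succeeded. The field names, the legacy client list and the 50126 error code are assumptions about the log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Client apps that use Basic Authentication; names loosely follow Entra ID "clientAppUsed" (assumption)
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # AADSTS50126: bad username or password

def rec(ts, ip, upn, client, code, interactive=False):
    return {"createdDateTime": ts, "ipAddress": ip, "userPrincipalName": upn,
            "clientAppUsed": client, "isInteractive": interactive,
            "status": {"errorCode": code}}

SAMPLE_LOGS = [  # constructed records; 203.0.113.10 tries one password against four mailboxes
    rec("2024-12-14T02:00:05", "203.0.113.10", "alice@example.com", "IMAP4", 50126),
    rec("2024-12-14T02:00:09", "203.0.113.10", "bob@example.com", "IMAP4", 50126),
    rec("2024-12-14T02:00:14", "203.0.113.10", "carol@example.com", "IMAP4", 50126),
    rec("2024-12-14T02:00:20", "203.0.113.10", "dave@example.com", "IMAP4", 0),  # it landed
    rec("2024-12-14T02:01:00", "198.51.100.7", "erin@example.com", "POP3", 50126),  # one user, not a spray
    rec("2024-12-14T02:02:00", "203.0.113.10", "frank@example.com", "Browser", 50126, True),
]

def legacy_failures(records):
    """Group non-interactive legacy-auth credential failures by source IP."""
    fails = defaultdict(list)
    for r in records:
        if r["isInteractive"] or r["clientAppUsed"] not in LEGACY_CLIENTS:
            continue  # interactive and modern-auth paths can enforce MFA; out of scope here
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            fails[r["ipAddress"]].append((datetime.fromisoformat(r["createdDateTime"]),
                                          r["userPrincipalName"]))
    return fails

def detect_spray(records, window=timedelta(minutes=10), min_users=3):
    """Return {ip: targeted users} for IPs failing against >= min_users accounts within one window."""
    hits = {}
    for ip, events in legacy_failures(records).items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in events})
                break
    return hits

def landed(records, hits):
    """Accounts where a flagged IP succeeded over legacy auth: likely takeovers to reset and review."""
    return {r["userPrincipalName"] for r in records
            if r["ipAddress"] in hits and not r["isInteractive"]
            and r["clientAppUsed"] in LEGACY_CLIENTS and r["status"]["errorCode"] == 0}
```

The same-user repeated failure from 198.51.100.7 is not flagged, which is the distinction between a mistyped password and one password tried across many accounts.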