Password-Spraying Attacks by Botnet With 130,000 Devices Linked to Chinese Hackers Target Microsoft 365 Accounts

Mar 5, 2025

A group that security researchers believe to be affiliated with China is targeting legacy devices and outdated email protocols as a means of breaching Microsoft 365 accounts with password-spraying attacks, taking advantage of a common oversight in automated security logging to fly below the radar despite the massive scale of the operation.

The hackers are abusing the fact that legacy protocols such as SMTP AUTH, and older service-to-service integrations built on them, still rely on "basic authentication": a username and password sent with each request, with no interactive user session involved. Sign-ins of this kind are recorded only in Entra ID's non-interactive sign-in logs, which security teams frequently overlook. The botnet exploits that blind spot: it draws credentials from infostealer logs and earlier data dumps and can try them in password-spraying attacks essentially for free as long as no one reviews those logs and notices the activity. Microsoft has announced that it will retire basic authentication, but the remaining protocols will not be cut off for at least several more months.

Microsoft 365 accounts at risk, activity linked to Chinese state-backed hackers

Password-spraying attacks would normally be simple to shut down: the attempts show up in sign-in logs as failed authentications spread across many accounts, the source can be blocked, and any credential that succeeded can be rotated. The hackers are banking on security teams not noticing attempts made through these legacy authentication paths.

The other major component, and one of the key pieces of evidence that points to China, is the use of a botnet made up of some 130,000 devices. Common criminals would more likely be renting time on someone else’s botnet rather than controlling one of this magnitude.

The security researchers advise that the quickest way to identify these password-spraying attacks is to check the Entra ID sign-in logs for particular forms of suspicious activity, such as a spike in non-interactive sign-in attempts. An unexpected appearance of the "fasthttp" user agent may also be a tell.
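Detection logic of the kind the researchers describe, run over a handful of constructed Entra ID-style sign-in records. This is an added example and not code from the article, the researchers, or Microsoft. The record fields follow the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, isInteractive, clientAppUsed, userAgent, status.errorCode), error code 50126 is Entra ID's invalid-credentials code, and every IP address, account and timestamp is invented. It generalizes the two indicators above (a non-interactive spike and the fasthttp user agent) into a per-source check for failures spread across many accounts, which is the shape a spray takes in the logs, and it also surfaces the basic-authentication client types from the earlier section and any account the same source subsequently logged into.

```python
"""
Spray detection over constructed Entra ID-style sign-in records.
Added example, not code from the article or the researchers it cites.
Record fields follow the Microsoft Graph 'signIn' resource; all values
below are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0

# clientAppUsed values that mean a legacy (basic-auth) protocol was used.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients"}
# Substrings in userAgent that the article singles out as a tell.
SUSPICIOUS_AGENT_MARKERS = ("fasthttp",)

SPRAY_IP = "203.0.113.10"      # documentation range, constructed


def _rec(ts, upn, ip, app, agent, code, interactive=False):
    """Build one signIn-shaped record (constructed sample data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "clientAppUsed": app,
            "userAgent": agent, "status": {"errorCode": code}}


def _spray(ts, upn, code=INVALID_CREDENTIALS):
    """A non-interactive SMTP AUTH attempt from the spraying source."""
    return _rec(ts, upn, SPRAY_IP, "Authenticated SMTP", "fasthttp", code)


# Constructed sample: one source sprays six mailboxes over SMTP AUTH using the
# fasthttp client and lands one hit; one user mistypes their own password and
# then succeeds; one ordinary interactive browser sign-in.
SAMPLE_LOGS = [
    _spray("2025-02-20T03:00:00Z", "alice@example.com"),
    _spray("2025-02-20T03:00:07Z", "bob@example.com"),
    _spray("2025-02-20T03:00:15Z", "carol@example.com"),
    _spray("2025-02-20T03:00:22Z", "dave@example.com"),
    _spray("2025-02-20T03:00:30Z", "erin@example.com"),
    _spray("2025-02-20T03:00:38Z", "svc-scanner@example.com", SUCCESS),
    _rec("2025-02-20T09:12:00Z", "frank@example.com", "192.0.2.5", "Browser",
         "Mozilla/5.0", INVALID_CREDENTIALS, interactive=True),
    _rec("2025-02-20T09:12:20Z", "frank@example.com", "192.0.2.5", "Browser",
         "Mozilla/5.0", SUCCESS, interactive=True),
    _rec("2025-02-20T09:30:00Z", "grace@example.com", "198.51.100.7", "Browser",
         "Mozilla/5.0", SUCCESS, interactive=True),
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_spray(records, window_seconds=1800, min_accounts=5):
    """
    Flag source IPs whose failed non-interactive sign-ins touch at least
    `min_accounts` distinct accounts inside any sliding window of
    `window_seconds`. Spraying tries one or two passwords against many
    accounts, so breadth across accounts from one source is the signal, not
    repeated failures on a single account. Each finding also lists legacy
    client apps, suspicious user agents, and accounts that succeeded from the
    same source (likely hits). Returns {ip: finding}.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for r in records:
        if not r["isInteractive"]:          # only the overlooked log stream
            by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        failures = sorted((r for r in recs
                           if r["status"]["errorCode"] == INVALID_CREDENTIALS), key=_ts)
        sprayed = set()
        for i, first in enumerate(failures):
            in_window = {r["userPrincipalName"] for r in failures[i:]
                         if _ts(r) - _ts(first) <= window}
            if len(in_window) >= min_accounts:
                sprayed |= in_window
        if not sprayed:
            continue
        findings[ip] = {
            "sprayed_accounts": sorted(sprayed),
            "failed_attempts": len(failures),
            "legacy_apps": sorted({r["clientAppUsed"] for r in recs} & LEGACY_CLIENT_APPS),
            "suspicious_agents": sorted({r["userAgent"] for r in recs
                                         if any(m in r["userAgent"].lower()
                                                for m in SUSPICIOUS_AGENT_MARKERS)}),
            "successes": sorted({r["userPrincipalName"] for r in recs
                                 if r["status"]["errorCode"] == SUCCESS}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_LOGS).items():
        print(ip, finding)
```

In a real tenant the records would come from the non-interactive sign-in export or the Microsoft Graph sign-in endpoint rather than an inline list, and the window and account thresholds need tuning against the tenant's normal non-interactive volume. The `successes` list is the item to act on first: an account that authenticated from a source that was failing against many others is the one whose password has to be rotated.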

Chinese hackers are suspected not only because of the botnet, but also because the US-based servers used in the operation were configured with the "Asia/Shanghai" time zone. The hackers are also using two proxy services previously associated with attacks by China's APT groups. Attacks traced back to the botnet have been directed at Microsoft 365 accounts across the world since at least December 2024.

Password-spraying attacks could persist until September

This is far from the first time that China's state-backed hackers have targeted Microsoft 365 accounts, but it is still not clear exactly which group (or groups) is behind this particular campaign. The last major Chinese botnet takedown was in September 2024, and that botnet was primarily maintained and operated by the "Flax Typhoon" group. The password-spraying attacks could be the work of any one of about two dozen groups now believed to be active and state-supported.

Making sure to check an esoteric type of log might seem like a small price to pay to protect Microsoft 365 accounts, but it adds a real burden to already overloaded IT teams. The issue will become moot in September of this year, at least if Microsoft keeps to its expected schedule, but organizations may be caught completely off guard until then. Auditing service-account passwords for weak credentials, or for ones that have appeared in other breaches, is likely a worthwhile use of time, at least until Microsoft finally puts an end to basic authentication.
