Full Report
A massive botnet of over 130,000 compromised devices is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide, attempting to confirm credentials. [...]
Analysis Summary
# Tool/Technique: Botnet Targeting Microsoft 365 Basic Auth
## Overview
A botnet is being used to conduct widespread password-spray attacks against Microsoft 365 environments, specifically targeting accounts that still accept Basic Authentication (Basic Auth). Spraying tries a small set of common or leaked passwords against a large number of accounts, keeping per-account attempts below lockout thresholds; because Basic Auth carries only a username and password and cannot present a second-factor challenge, a correct guess against such an account yields access without triggering Multi-Factor Authentication (MFA).
## Technical Details
- Type: Malware Family / Attack Tool (Botnet infrastructure)
- Platform: Microsoft 365 services (legacy authentication endpoints that still accept Basic Auth)
- Capabilities: Large-scale password spraying, credential verification against M365 endpoints (especially tenants not enforcing MFA or Conditional Access Policies (CAPs) on legacy authentication), evasion of detection through distributed IP origination.
- First Seen: Active since at least December 2024 (based on C2 server uptime reports).
## MITRE ATT&CK Mapping
- [T1110 - Brute Force]
- [T1110.003 - Password Spraying]
- [T1078 - Valid Accounts]
- [T1078.004 - Cloud Accounts]
- [TA0001 - Initial Access]
## Functionality
### Core Capabilities
* **Password Spraying:** Using a large botnet (over 130,000 compromised devices) to spread login attempts across numerous accounts using common or leaked passwords.
* **Basic Auth Exploitation:** Targeting the Basic Authentication pathway, over which MFA cannot be enforced and which Conditional Access Policies (CAPs) only stop when they are explicitly configured to block legacy authentication clients.
* **Credential Verification:** Verified credentials give the attacker access to legacy services that do not enforce MFA, and can be reused in follow-on phishing or more sophisticated attacks to obtain full account access.
### Advanced Features
* **Infrastructure Evasion:** Utilizing over 130,000 endpoints to distribute login attempts across many different IP addresses, obscuring the concentrated malicious activity.
* **C2 Architecture:** Command and Control infrastructure is managed using **Apache Zookeeper** and **Kafka** for coordination/scalability.
* **Network Proxies:** Traffic is proxied through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud, originating from C2 servers hosted by U.S. provider Shark Tech.
## Indicators of Compromise
- File Hashes: N/A (This is a network-based attack utilizing existing compromised bots, not the delivery of a single piece of malware detailed here).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
- User Agent: `fasthttp` (Associated with the FastHTTP Go library, previously reported in similar attacks).
- C2 Ports: Specific ports used by the C2 for botnet control were listed in the source report (refer to the original SecurityScorecard report for specific port numbers).
- Behavioral Indicators:
- A spike in non-interactive sign-in attempts in the Entra ID sign-in logs (Basic Auth sign-ins appear there as legacy authentication clients such as IMAP4, POP3 or Authenticated SMTP).
- Multiple failed login attempts, a few per account, originating from geographically diverse IPs and targeting many accounts in the same M365 tenant.
## Associated Threat Actors
* Likely Chinese-affiliated (based on SecurityScorecard reporting, although attribution is not confident).
## Detection Methods
- Signature-based detection: Detecting the distinctive `fasthttp` user agent in authentication logs.
- Behavioral detection: Monitoring for spikes in failed non-interactive logins followed by successful login events from an unusual number of distinct source IPs.
- YARA rules: N/A (Focus is on network behavior and authentication logs, not static file analysis).
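The behavioral detection described above, as an added example that is not part of the SecurityScorecard report: the script below runs the "many failures, many source IPs, many target accounts, over a legacy protocol, then a success from one of those IPs" logic over Entra ID sign-in records. Field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `userAgent`, `clientAppUsed`, `status.errorCode`) follow the Entra ID sign-in log schema; the sample records, the thresholds and the set of `clientAppUsed` values treated as legacy authentication are constructed for illustration and should be tuned to the tenant's own baseline.

```python
"""Spot distributed password spraying against legacy (Basic Auth) sign-ins
in Entra ID sign-in records.

Added example for this page, not code from the SecurityScorecard report.
The records and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

SUCCESS = 0              # status.errorCode of a successful sign-in
BAD_PASSWORD = 50126     # status.errorCode: invalid username or password
WINDOW = timedelta(minutes=30)

# Illustrative thresholds (tuning knobs, not values from the report).
MIN_FAILURES = 5         # failed legacy-auth sign-ins inside one window
MIN_DISTINCT_IPS = 4     # a botnet spreads attempts over many source IPs
MIN_DISTINCT_USERS = 3   # spraying hits many accounts, few tries each

# clientAppUsed values treated here as legacy authentication (assumption:
# kept short for the example; extend with the legacy clients you see).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def parse_time(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sign-in logs."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_fasthttp(record):
    """True when the sign-in carried the Go fasthttp client's User-Agent."""
    return record.get("userAgent", "").lower().startswith("fasthttp")


def legacy_failures(records):
    """Failed sign-ins over legacy protocols, oldest first."""
    rows = [r for r in records
            if r["status"]["errorCode"] != SUCCESS
            and r.get("clientAppUsed") in LEGACY_CLIENTS]
    return sorted(rows, key=lambda r: parse_time(r["createdDateTime"]))


def detect_spray(records):
    """Summarise the first WINDOW whose failures look like a distributed
    spray (many IPs, many accounts, few tries each); None if none does."""
    fails = legacy_failures(records)
    for i, first in enumerate(fails):
        t0 = parse_time(first["createdDateTime"])
        window = [r for r in fails[i:]
                  if parse_time(r["createdDateTime"]) - t0 <= WINDOW]
        ips = {r["ipAddress"] for r in window}
        users = {r["userPrincipalName"] for r in window}
        if (len(window) >= MIN_FAILURES and len(ips) >= MIN_DISTINCT_IPS
                and len(users) >= MIN_DISTINCT_USERS):
            return {
                "first_seen": first["createdDateTime"],
                "failures": len(window),
                "distinct_ips": len(ips),
                "distinct_users": len(users),
                "fasthttp_failures": sum(is_fasthttp(r) for r in window),
                "spray_ips": ips,
            }
    return None


def compromised_accounts(records, spray_ips):
    """Accounts that signed in successfully from a spraying IP: the
    'failures followed by a success' pattern worth an immediate reset."""
    hits = {r["userPrincipalName"] for r in records
            if r["status"]["errorCode"] == SUCCESS
            and r["ipAddress"] in spray_ips}
    return sorted(hits)


def _rec(minute, upn, ip, code, ua="fasthttp", client="IMAP4"):
    """Build one constructed sign-in record (sample data, not real telemetry)."""
    return {"createdDateTime": f"2025-02-20T03:{minute:02d}:00Z",
            "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "clientAppUsed": client,
            "status": {"errorCode": code}}


# Constructed sample: six IMAP failures from five IPs against four accounts,
# then a success for one account from a spraying IP, plus benign noise.
SAMPLE = [
    _rec(1, "alice@contoso.example", "203.0.113.10", BAD_PASSWORD),
    _rec(2, "bob@contoso.example", "203.0.113.11", BAD_PASSWORD),
    _rec(4, "carol@contoso.example", "198.51.100.7", BAD_PASSWORD),
    _rec(6, "dana@contoso.example", "198.51.100.8", BAD_PASSWORD),
    _rec(8, "alice@contoso.example", "192.0.2.44", BAD_PASSWORD),
    _rec(9, "dana@contoso.example", "203.0.113.10", BAD_PASSWORD),
    _rec(12, "dana@contoso.example", "198.51.100.8", SUCCESS),
    # Benign: a user mistypes a password in the browser, then signs in.
    _rec(15, "erin@contoso.example", "192.0.2.200", BAD_PASSWORD,
         ua="Mozilla/5.0", client="Browser"),
    _rec(16, "erin@contoso.example", "192.0.2.200", SUCCESS,
         ua="Mozilla/5.0", client="Browser"),
]

if __name__ == "__main__":
    alert = detect_spray(SAMPLE)
    print(alert)
    if alert:
        print("reset/investigate:", compromised_accounts(SAMPLE, alert["spray_ips"]))
```

The browser-based failure from `erin` is deliberately ignored: one user mistyping a password is not a spray, and filtering on legacy client types keeps the rule focused on the Basic Auth pathway the botnet abuses. In production the records would come from the non-interactive sign-in log export rather than an inline list, and the thresholds would be set from the tenant's normal failure rate.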
## Mitigation Strategies
- **Disable Basic Auth:** Immediately disable Basic Authentication for all Microsoft 365 services where it is still enabled; in Exchange Online this includes SMTP AUTH, which Microsoft left enabled when it turned Basic Auth off for the other protocols. Review the Entra ID sign-in logs for legacy authentication clients first so that any remaining dependent devices or scripts are identified and migrated rather than silently broken.
- **Implement MFA:** Enforce Multi-Factor Authentication on all remaining user and administrative accounts.
- **Conditional Access Policies (CAPs):** Configure CAPs to restrict login attempts, block anomalous sign-ins, and enforce geo-fencing or device compliance if necessary.
- **Network Blocking:** Block the known IP addresses identified in the original security report that serve as the botnet C2 infrastructure. Note that this protects your own hosts from being recruited into or controlled by the botnet; it does not stop the spray itself, which arrives from the 130,000 compromised endpoints rather than from the C2 servers.
## Related Tools/Techniques
* FastHTTP Go library: Mentioned as being used by threat actors conducting similar high-speed M365 password attacks in January.