
SecurityScorecard researchers discovered a large botnet engaging in a coordinated attack against Microsoft 365 accounts. The botnet, consisting of more than 130,000 compromised devices, is deploying password spraying attacks.
While conventional password spraying attacks trigger security alerts, this campaign is designed to evade detection. By leveraging non-interactive sign-ins, the attackers circumvent traditional alerting and make detection a challenge.
Below, cyber experts share their insights on the campaign and possible risk mitigation strategies.
Security leaders weigh in
Boris Cipot, Senior Security Engineer at Black Duck:
The latest botnet attack tactics are a significant evolutionary step forward compared to previously used password spraying tactics. Password spraying attacks involve using commonly used passwords, such as “password123” or “nimda” for example, on several accounts. The passwords are usually collected from credential dumps which attackers access from the dark web. To avoid brute-force protections, attackers limit the password testing on user accounts to avoid lockout policies. In the past, this meant attacks lasted for a long period of time using automation tools. To avoid other monitoring systems, attacks are committed during working hours. However, new attack tactics deploy non-interactive sign-ins which are not as prone to typical security alerts like failed login. Non-interactive sign-ins include logins over API or automated services, for example. Therefore, this new botnet leverages gaps that organizations have in their authentication monitoring.
To lower the risk of such attacks, organizations need to deploy access policies based on geolocation and device compliance. Additionally, all failed login attempts need to be monitored and acted on. To make login more secure, multi-factor authentication (MFA) or certificate-based authentication provides an additional level of security. When talking about monitoring, it is also important to have intelligence involved. Systems that offer AI can deploy behavioral analysis and identify stealth attacks. However, tracking the IP and deploying rate-limiting can help to lower the success rate of such attacks.
Darren Guccione, CEO and Co-Founder at Keeper Security:
This botnet campaign exposes a critical weakness in authentication security — attackers are bypassing multi-factor authentication (MFA) and conditional access policies by exploiting non-interactive sign-ins, which rely on stored credentials rather than user-driven authentication. Unlike traditional password spraying, this technique avoids triggering security alerts, allowing adversaries to operate undetected, even in well-secured environments.
For organizations heavily reliant on Microsoft 365, this attack is a wake-up call. Robust cybersecurity isn’t just about having MFA — it’s about securing every authentication pathway. A password manager enforces strong, unique credentials while minimizing exposure to credential-based attacks. For non-interactive authentication, privileged access management (PAM) is essential, ensuring least-privilege access, regular credential rotation and real-time monitoring of service accounts. Security leaders must take a proactive stance by reviewing access logs, limiting unnecessary non-interactive sign-ins and refining authentication policies. With Microsoft phasing out basic authentication (BA) in 2025, organizations must act now to close these gaps before attackers scale their operations even further.
Jason Soroko, Senior Fellow at Sectigo:
Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations. They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
Multi-factor authentication (MFA) is designed for interactive user authentication and isn’t typically applicable to non-interactive logins. Instead, these automated logins should use alternative secure mechanisms such as certificates, or other forms of non-shared managed identities. Organizations should better secure non-interactive access with conditional access policies, strict credential management and continuous monitoring.
Microsoft 365 can restrict non-interactive logins through configuration. Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins. However, such restrictions must be applied thoughtfully to avoid disrupting legitimate automated processes.
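Cipot's advice to monitor failed attempts and track source IPs, and Soroko's point that MFA does not cover non-interactive sign-ins, both come down to the same monitoring gap. The following is an added example, not code from SecurityScorecard or any of the quoted vendors: a spray heuristic that deliberately includes non-interactive events and is run over constructed sign-in records. The field names (ts, ip, user, interactive, ok) are assumptions for illustration, not Microsoft's sign-in log schema.

```python
"""Password-spray heuristic over Microsoft 365 sign-in events, including
non-interactive ones. Records below are CONSTRUCTED; field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(minute, ip, user, interactive=False, ok=False):
    """Build one constructed sign-in record relative to a fixed base time."""
    return {"ts": datetime(2025, 2, 24, 9, 0) + timedelta(minutes=minute),
            "ip": ip, "user": user, "interactive": interactive, "ok": ok}


# Constructed sample: one IP fails non-interactively against six different
# accounts within 35 minutes; a backup service account and one interactive
# user each fail once, which is normal noise and must not be flagged.
SAMPLE_LOGS = [_ev(m * 7, "203.0.113.7", f"user{m}@corp.example") for m in range(6)] + [
    _ev(5, "198.51.100.4", "svc-backup@corp.example"),
    _ev(65, "198.51.100.4", "svc-backup@corp.example", ok=True),
    _ev(12, "192.0.2.9", "alice@corp.example", interactive=True),
]


def detect_spray(events, window_minutes=60, min_users=5):
    """Return one finding per source IP whose FAILED sign-ins reach
    `min_users` distinct accounts inside any `window_minutes` window.
    Interactive and non-interactive failures are counted alike, because the
    non-interactive path is exactly where failed-login alerting is weakest."""
    window = timedelta(minutes=window_minutes)
    failures_by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures_by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, fails in failures_by_ip.items():
        in_window = defaultdict(int)  # user -> failures currently inside window
        start, peak = 0, 0
        for ev in fails:
            in_window[ev["user"]] += 1
            while ev["ts"] - fails[start]["ts"] > window:  # slide the left edge
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            findings.append({"ip": ip, "distinct_users": peak, "failures": len(fails),
                             "non_interactive": sum(not f["interactive"] for f in fails)})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOGS):
        print(finding)
```

In a real deployment the thresholds should be tuned against the tenant's own baseline of non-interactive failures, since service accounts with expired secrets can produce bursts of failures against a single user without being a spray.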