China-linked botnet targets Microsoft 365 accounts


A botnet controlled by a threat actor believed to be linked to China has been observed targeting Microsoft 365 accounts using large-scale password spraying attacks, according to a report released by cybersecurity firm SecurityScorecard.

The botnet, powered by over 130,000 compromised devices, has been actively executing attacks aimed at Microsoft 365 accounts. The attacks rely on non-interactive sign-ins using Basic Authentication, which has long been used for service-to-service authentication, for legacy email protocols such as POP, IMAP, and SMTP, and for automated processes. The issue with Basic Authentication is that in many configurations it does not trigger Multi-Factor Authentication (MFA), allowing attackers to attempt password spraying without raising immediate alarms.
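As an added example (not code from the SecurityScorecard report or from Microsoft), the following detector looks for the pattern the paragraph describes: bursts of failed non-interactive sign-ins over legacy protocols that touch many accounts with few attempts each. It runs over constructed records shaped like a Microsoft Entra ID sign-in log export; the field names, the `clientAppUsed` labels for legacy protocols and the thresholds are assumptions to be checked against a real tenant's export. It evaluates the burst both per source IP and tenant-wide, because a botnet that spreads one guess per account across thousands of devices never crosses a per-IP threshold, and it lists the accounts that did authenticate over a legacy protocol, which are the sign-ins that were not gated by MFA.

```python
"""Password-spray detection over Entra ID style non-interactive sign-in records.

Added example, not code from SecurityScorecard or Microsoft. The record fields
(createdDateTime, userPrincipalName, ipAddress, clientAppUsed, errorCode) are a
simplified stand-in for what an Entra ID sign-in log export carries; verify the
names against your own tenant's export before reusing the logic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values that mean Basic Authentication / legacy protocols.
# Assumption: these match the labels in the tenant's sign-in log export.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# AADSTS50126: invalid username or password (the failure a spray produces).
ERR_INVALID_PASSWORD = 50126

# Constructed sample: seven legacy-auth failures spread over many source IPs with
# roughly one account per IP, one browser success and one legacy-auth success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-24T03:00:10Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "IMAP4", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:04:42Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "clientAppUsed": "POP3", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:09:05Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.12", "clientAppUsed": "IMAP4", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:12:30Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.13", "clientAppUsed": "Authenticated SMTP", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:15:00Z", "userPrincipalName": "erin@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "IMAP4", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:25:51Z", "userPrincipalName": "frank@example.com",
     "ipAddress": "203.0.113.14", "clientAppUsed": "IMAP4", "errorCode": 50126},
    {"createdDateTime": "2025-02-24T03:30:00Z", "userPrincipalName": "grace@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser", "errorCode": 0},
    {"createdDateTime": "2025-02-24T03:31:00Z", "userPrincipalName": "ivan@example.com",
     "ipAddress": "203.0.113.12", "clientAppUsed": "IMAP4", "errorCode": 0},
    {"createdDateTime": "2025-02-24T09:00:00Z", "userPrincipalName": "henry@example.com",
     "ipAddress": "203.0.113.15", "clientAppUsed": "IMAP4", "errorCode": 50126},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_legacy_auth(record):
    return record["clientAppUsed"] in LEGACY_CLIENT_APPS


def is_legacy_auth_failure(record):
    return is_legacy_auth(record) and record["errorCode"] == ERR_INVALID_PASSWORD


def peak_distinct_accounts(events, window):
    """Sliding window over (time, upn) pairs: the largest number of distinct
    accounts seen in any span of length `window`, and that span's start time."""
    events = sorted(events)
    in_window = Counter()
    left, peak, peak_start = 0, 0, None
    for t, upn in events:
        in_window[upn] += 1
        while events[left][0] < t - window:  # drop events that fell out of the span
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        if len(in_window) > peak:
            peak, peak_start = len(in_window), events[left][0]
    return peak, peak_start


def detect_spray(records, window=timedelta(hours=1), min_accounts=5):
    """Flag legacy-auth failure bursts that touch many accounts with few tries each.
    Per-IP view catches a single spraying host; the tenant-wide view catches a
    botnet that spreads one guess per account across many IPs. Thresholds are
    placeholders to tune against the tenant's normal failure rate."""
    failures = [(parse_time(r["createdDateTime"]), r["userPrincipalName"], r["ipAddress"])
                for r in records if is_legacy_auth_failure(r)]
    findings = {"per_ip": {}, "distributed": None}

    by_ip = defaultdict(list)
    for t, upn, ip in failures:
        by_ip[ip].append((t, upn))
    for ip, events in by_ip.items():
        peak, start = peak_distinct_accounts(events, window)
        if peak >= min_accounts:
            findings["per_ip"][ip] = {"accounts": peak, "window_start": start}

    peak, start = peak_distinct_accounts([(t, upn) for t, upn, _ in failures], window)
    if peak >= min_accounts:
        ips = {ip for t, _, ip in failures if start <= t <= start + window}
        findings["distributed"] = {"accounts": peak, "source_ips": len(ips), "window_start": start}
    return findings


def legacy_auth_successes(records):
    """Accounts that actually authenticated over a legacy protocol: these sign-ins
    were not gated by MFA and are the first ones to review after a spray."""
    return sorted({r["userPrincipalName"] for r in records
                   if is_legacy_auth(r) and r["errorCode"] == 0})


if __name__ == "__main__":
    result = detect_spray(SAMPLE_SIGNINS)
    print("per-IP findings:", result["per_ip"])           # {} : no single IP crosses the threshold
    print("distributed finding:", result["distributed"])  # 6 accounts from 5 IPs within one hour
    print("successful legacy sign-ins:", legacy_auth_successes(SAMPLE_SIGNINS))
```

Running the block on the constructed sample shows the per-IP view staying silent while the tenant-wide view flags six accounts hit from five addresses in one hour; that is the shape a large botnet produces. Detection only narrows the window; the durable fix is to disable Basic Authentication where it is still enabled and block legacy authentication with a Conditional Access policy, so that non-interactive sign-ins can no longer bypass MFA.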

SecurityScorecard's investigation uncovered multiple command-and-control servers located in the United States, with a four-hour monitoring session revealing more than 130,000 devices actively communicating with these servers. The botnet uses credentials harvested by information-stealer malware to test against Microsoft 365 accounts in a brute-force manner.

Once the attackers successfully gain access to an account, they can steal sensitive data, disrupt business operations, and move laterally within the targeted organization’s network, potentially escalating the damage caused. While SecurityScorecard has not conclusively confirmed the identity of the group behind the attacks, the firm believes that the botnet is likely being operated by a Chinese threat actor.

French security firm Sekoia spotted a new botnet named PolarEdge that has infected over 2,000 devices, including Cisco Small Business Routers, ASUS, QNAP, and Synology devices, across the globe over the past two years. The botnet has been active since at least the end of 2023, targeting edge devices such as routers and NAS devices.