{"id":20915,"date":"2025-04-24T09:20:19","date_gmt":"2025-04-24T02:20:19","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20915"},"modified":"2025-05-12T10:20:10","modified_gmt":"2025-05-12T03:20:10","slug":"microsoft-365-under-siege-botnet-leverages-infostealer-logs-in-password-spraying-campaign","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/microsoft-365-under-siege-botnet-leverages-infostealer-logs-in-password-spraying-campaign\/","title":{"rendered":"Microsoft 365 Under Siege: Botnet Leverages Infostealer Logs in Password Spraying Campaign"},"content":{"rendered":"<h1><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-1-2-1743474203.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20918\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-1-2-1743474203.jpeg\" alt=\"Microsoft 365 Fpt Is 1 2 1743474203\" width=\"832\" height=\"448\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-1-2-1743474203.jpeg 832w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-1-2-1743474203-700x377.jpeg 700w\" sizes=\"(max-width: 832px) 100vw, 832px\" \/><\/a><\/h1>\n<h1 id=\"heading-overview\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Overview<\/strong><\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">SecurityScorecard has detected an ongoing attack campaign that uses a botnet of more than 130,000 compromised devices to target Microsoft 365 (M365) accounts with large-scale password spraying. What sets the campaign apart is its use of non-interactive sign-ins over Basic Authentication: these sign-ins never reach an interactive prompt, so in many tenant configurations they are not subject to multi-factor authentication (MFA) and pass through Conditional Access policies that are not scoped to legacy authentication clients. 
The actor seeds the botnet with credentials harvested by infostealers, which lets it target accounts at scale with passwords that are known to have been valid at some point. The attempts are recorded in the Non-Interactive Sign-In logs, which security teams often overlook.<\/span><\/p>\n<h2 id=\"heading-key-points\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Key Points<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Threat actor:<\/strong>\u00a0Suspected to be linked to China.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Target:<\/strong>\u00a0Microsoft 365 accounts.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Technique:<\/strong>\u00a0<strong>Password Spraying<\/strong> over Basic Authentication on non-interactive sign-ins, seeded with credentials from infostealer logs and routed through proxies to evade IP-based blocking.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Infrastructure:<\/strong>\u00a06 Command &amp; Control (C2) servers located in the\u00a0<strong>US<\/strong>, using proxies at\u00a0<strong>UCLOUD HK<\/strong>\u00a0and\u00a0<strong>CDS Global Cloud<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Impact:<\/strong>\u00a0Account takeover, business disruption, lateral movement, MFA evasion, and bypassing Conditional Access Policies (CAP).<\/span><\/li>\n<\/ul>\n<h1 id=\"heading-technical-analysis\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Technical Analysis<\/strong><\/span><\/h1>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Password Spraying and Non-Interactive Logins:<\/strong>\u00a0This campaign exploits no software vulnerability; it abuses the way Microsoft 365 handles non-interactive sign-ins over legacy protocols. 
Such sign-ins, typical of legacy protocols such as POP, IMAP and SMTP and of automated processes, do not trigger MFA in many configurations. Basic Authentication, although being phased out by Microsoft, is still reachable in some environments. It sends the username and password with every request, base64-encoded but not otherwise protected beyond the TLS session, and it has no step at which an MFA challenge could be presented; every attempt therefore returns a clean success or failure, which is exactly what a password-spraying tool needs.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Indicators of Compromise &#8211; IoCs:<\/strong><\/span><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-2-1743474243.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20919\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-2-1743474243.jpeg\" alt=\"Microsoft 365 Fpt Is 2 1743474243\" width=\"1139\" height=\"418\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-2-1743474243.jpeg 1139w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-2-1743474243-700x257.jpeg 700w\" sizes=\"(max-width: 1139px) 100vw, 1139px\" \/><\/a><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Unusual non-interactive sign-in attempts in the\u00a0<strong>Entra ID<\/strong>\u00a0Non-Interactive Sign-In logs, especially those whose Client App column shows a legacy protocol.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Failed sign-in attempts spread across many accounts from the same source, or for one account from many botnet IP addresses, with only a few guesses per account.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">User-Agent strings associated with automation tools (e.g., &#8220;fasthttp&#8221;).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Communication to any IP addresses identified as C2:<\/span>\n<div>\n<div>\n<pre><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-3-1743474140.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20916\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-3-1743474140.png\" alt=\"Microsoft 365 Fpt Is 3 1743474140\" width=\"944\" height=\"180\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-3-1743474140.png 944w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-3-1743474140-700x133.png 700w\" sizes=\"(max-width: 944px) 100vw, 944px\" \/><\/a>\r\n<a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-4-1743474144.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20917\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-4-1743474144.png\" alt=\"Microsoft 365 Fpt Is 4 1743474144\" width=\"1324\" height=\"436\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-4-1743474144.png 1324w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Microsoft-365-FPT-IS-4-1743474144-700x231.png 700w\" sizes=\"(max-width: 1324px) 100vw, 1324px\" \/><\/a><\/pre>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1 id=\"heading-infrastructure-analysis\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Infrastructure Analysis<\/strong><\/span><\/h1>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>C2 Structure:<\/strong>\u00a0The C2 servers run Apache Zookeeper and Kafka, which points to a distributed, multi-node architecture. Zookeeper coordinates the botnet's nodes, while Kafka carries its message streams. 
The servers&#8217; time zone is set to &#8220;Asia\/Shanghai,&#8221; a further, if weak, hint at the campaign&#8217;s origin.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Additional Information About Servers Hosted in the US:<\/strong><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The servers hosted in the US carry an &#8220;F&#8221; rating on the SecurityScorecard TPRM platform, a grade strongly correlated with breach risk.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">At least 11 of their IP addresses appear on most public IP blocklists.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">246 IPs run SMTP on non-standard ports.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">274 potentially unwanted applications\/trackers are being hosted.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Common C2 Ports:<\/strong><\/span><\/li>\n<\/ul>\n<div class=\"hn-table\">\n<table>\n<thead>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Port<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Service<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Assessed Use<\/strong><\/span><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">1002<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Not assigned<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Not clear<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">2181<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Zookeeper<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Managing distributed botnet structure with 
Kafka<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">3306<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">MySQL<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Storing stolen data or botnet configuration<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">6379<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Redis<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Key-value store for botnet tasks<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">7779<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Not clear<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Not clear<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">8081<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Web Jetty service<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Zookeeper query service<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">10050<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Zabbix Agent<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Potential botnet monitoring<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">33060<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">MySQL X Protocol<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Use with MySQL service<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">12341<\/span><\/td>\n<td><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">C2 botnet channel (Client 
registration)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">12342<\/span><\/td>\n<td><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Likely used to assign tasks to infected machines<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">12347<\/span><\/td>\n<td><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Data exfiltration or backup C2 channel<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">12348<\/span><\/td>\n<td><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Main C2 command channel<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h1 id=\"heading-link-to-infostealer-logs\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Link to Infostealer Logs<\/strong><\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Correlating the accounts that appear in the non-interactive sign-in logs with credentials known to have been harvested by infostealers shows that the targeted accounts overlap with those leaked credential sets. 
This strongly indicates that the threat actor seeds its spray lists from infostealer logs rather than guessing blindly.<\/span><\/p>\n<h1 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Recommendations<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Disable Basic Authentication:<\/strong>\u00a0Disable Basic Authentication for every Exchange Online protocol (POP, IMAP, SMTP AUTH, EWS, ActiveSync and the rest) through authentication policies and the tenant-wide SMTP AUTH setting; first check the Client App column of the sign-in logs for legitimate legacy traffic that has to be migrated.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Use Multi-Factor Authentication (MFA):<\/strong>\u00a0Require MFA for all accounts, but do not expect MFA alone to stop this campaign: a Basic Authentication sign-in never reaches an MFA prompt, so MFA only helps once legacy authentication is blocked.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Enforce Conditional Access Policy (CAP):<\/strong>\u00a0Use Conditional Access to block legacy authentication clients outright, and to restrict the remaining access by location, device state and sign-in risk.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Monitor Logs:<\/strong>\u00a0Continuously monitor sign-in logs, especially the Non-Interactive Sign-In logs, for the spraying signature: one source failing against many accounts with few attempts each, legacy client apps, automation user agents such as fasthttp, and any successful legacy-protocol sign-in from an address that also produced failures.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Monitor Leaked Credentials:<\/strong>\u00a0Watch underground forums and infostealer-log feeds for leaked credentials, and proactively reset the affected accounts and revoke their sessions.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Block IP Addresses:<\/strong>\u00a0Block the C2 and proxy IP addresses associated with the botnet, but treat this as a short-lived control: the spraying itself comes from 130,000 compromised devices whose addresses change.<\/span><\/li>\n<\/ol>\n<h1 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Conclusion<\/strong><\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This botnet campaign highlights the importance of stopping the use of basic authentication, actively monitoring login patterns, and implementing strong detection mechanisms for password spraying attempts. 
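<\/span><\/p>
<p><span style=\"font-family: arial, helvetica, sans-serif\">One way to implement the log monitoring and the leaked-credential correlation recommended above, added here as an example and not code from the original advisory or from SecurityScorecard: a Python script that reads non-interactive sign-in records, keeps only legacy-protocol client apps, flags any source that fails against several distinct accounts inside a short window (the spraying signature: many accounts, one or two guesses each), reports successful sign-ins from such a source as takeover candidates, and marks which of those accounts also appear in an infostealer leak list. The sample log lines are constructed and imitate a handful of Entra ID sign-in log fields (userPrincipalName, ipAddress, clientAppUsed, userAgent, isInteractive, status.errorCode); the legacy client-app names and the 50126 error code follow Entra ID's own values but should be checked against your export, and every IP address, account and leak entry is invented.<\/span><\/p>

```python
"""Password-spray detection over legacy non-interactive sign-ins, with
infostealer-leak correlation. Added example for this advisory; it is not
SecurityScorecard's or FPT IS's code. Records imitate a few Entra ID sign-in
log fields; all accounts, IPs and leak entries below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra "Client app" values that only work while Basic Authentication is allowed.
# (Assumption: your export uses these display names; adjust if it does not.)
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Other clients",
}
BAD_PASSWORD = 50126               # AADSTS50126: invalid username or password
SPRAY_USER_AGENTS = {"fasthttp"}   # automation user agent named in the report

# Constructed sample: one source sprays four accounts with one guess each and
# gets a hit on dave; a second source is an ordinary single-user typo.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T01:00:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","userAgent":"fasthttp","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:09Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","userAgent":"fasthttp","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:14Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Authenticated SMTP","userAgent":"fasthttp","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:20Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","userAgent":"fasthttp","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T01:30:00Z","userPrincipalName":"erin@example.com","ipAddress":"198.51.100.7","clientAppUsed":"IMAP4","userAgent":"Thunderbird","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:31:00Z","userPrincipalName":"erin@example.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","userAgent":"Mozilla/5.0","isInteractive":true,"status":{"errorCode":0}}
"""
# Constructed stand-in for an infostealer-log feed (UPNs with leaked passwords).
LEAKED_UPNS = {"dave@example.com", "carol@example.com"}


def parse_signins(text):
    """Parse JSON-lines records; keep only non-interactive, legacy-protocol events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("isInteractive") or rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        events.append({
            "ts": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "upn": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "ua": rec.get("userAgent", ""),
            "code": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(hours=1), min_users=3, key="ip"):
    """Flag sources (grouped by `key`: "ip" or "ua") whose bad-password failures
    touch >= min_users distinct accounts inside any `window`-long interval.

    Spraying is 'many accounts, few guesses each', so the signal is distinct
    users per source, not failures per user (which is what lockout counts).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e[key]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["code"] == BAD_PASSWORD]   # time-ordered
        sprayed = set()
        for i, first in enumerate(fails):
            users = {e["upn"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                sprayed |= users
        if sprayed:
            findings[src] = {
                "sprayed": sorted(sprayed),
                # a success from a spraying source is a probable account takeover
                "successes": sorted({e["upn"] for e in evs if e["code"] == 0}),
                "user_agents": {e["ua"] for e in evs},
            }
    return findings


def correlate_leaks(findings, leaked_upns):
    """Mark which sprayed or taken-over accounts also sit in infostealer logs."""
    leaked = {u.lower() for u in leaked_upns}
    return {
        src: dict(f,
                  leaked_overlap=sorted((set(f["sprayed"]) | set(f["successes"])) & leaked),
                  spray_tooling=bool(f["user_agents"] & SPRAY_USER_AGENTS))
        for src, f in findings.items()
    }


def analyze(text=SAMPLE_LOG, leaked_upns=LEAKED_UPNS, **kw):
    return correlate_leaks(detect_spray(parse_signins(text), **kw), leaked_upns)


if __name__ == "__main__":
    for src, f in analyze().items():
        print(f"{src}: sprayed={f['sprayed']} takeover={f['successes']} "
              f"in_infostealer_logs={f['leaked_overlap']} fasthttp={f['spray_tooling']}")
```

<p><span style=\"font-family: arial, helvetica, sans-serif\">On the sample data the script reports 203.0.113.10 as a spraying source with three accounts sprayed, dave@example.com signed in successfully (the takeover candidate), carol and dave present in the leak list, and fasthttp as the tooling; the Thunderbird failure is ignored. For real data, export the non-interactive sign-in logs as JSON lines and pass the text to analyze(). The thresholds need tuning: a 130,000-node botnet can spread its attempts so that each address fails against only one or two accounts, so run the same logic grouped by user agent (key=\"ua\") or by ASN as well, and treat any successful legacy-protocol sign-in from a never-before-seen address as worth a look on its own.<\/span><\/p>
<p><span style=\"font-family: arial, helvetica, sans-serif\">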
The threat actor&#8217;s use of non-interactive sign-ins, which sidestep MFA and possibly Conditional Access policies and surface only in the Non-Interactive Sign-In logs, emphasizes the need for organizations to reassess their authentication strategies. Additionally, organizations should monitor leaked credentials on underground forums and take swift action to reset compromised accounts.<\/span><\/p>\n<h1 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>References<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks\/\" target=\"_blank\" rel=\"noopener nofollow\">Botnet targets Basic Auth in Microsoft 365 password spray attacks<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/securityscorecard.com\/research\/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks\/\" target=\"_blank\" rel=\"noopener nofollow\">Massive Botnet Targets M365 with Stealthy Password Spraying Attacks<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cybernews.com\/security\/botnet-targeting-microsoft-365-password-spraying\/?form=MG0AV3\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft 365 at risk: massive botnet targeting users in password spraying attacks<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/02\/25\/microsoft-password-spray-and-pray-attack-targets-accounts-without-2fa\/\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft Password Spray And Pray Attack Targets Accounts Without 2FA<\/a><\/span><\/li>\n<\/ol>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><strong>Exclusive article by FPT IS Technology 
Experts<\/strong><\/p>\n<p><em>Dinh Van Manh \u2013 FPT IS Cyber Security Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":21438,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20915","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/21438"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20915"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20915"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20915"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20915"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20915"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20915"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=20915"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20915"}],"curies":[{"name":"wp
","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}