A new cyberattack campaign is putting thousands of Microsoft 365 users at risk by targeting accounts that lack two-factor authentication (2FA). Hackers are using a method called “password spray and pray,” where they try common passwords across many accounts, hoping for a match.
Security researchers have discovered that a botnet of at least 130,000 infected devices is being used in this attack. The group behind it is believed to be linked to a Chinese-affiliated organization. These cybercriminals are taking advantage of a loophole in Microsoft’s security—Basic Authentication. This older login method is outdated, yet some organizations still use it, making them easy targets.
Unlike modern authentication systems, Basic Authentication doesn’t require extra security checks, like a second password or a verification code sent to your phone. This means hackers can try logging into multiple accounts without triggering security alerts. The attack is widespread, affecting Microsoft 365 users worldwide.
How Hackers Are Avoiding Detection
One of the biggest concerns about this attack is how well it evades security monitoring. The hackers are using non-interactive sign-ins, a method commonly used for automated logins between services. Because these logins don’t require human interaction, they often bypass 2FA protections.
In many organizations, security teams focus on tracking interactive logins—those where a person physically enters a username and password. But non-interactive logins often don’t receive the same level of attention. This creates a blind spot that hackers are now exploiting.
Additionally, the passwords being used in these attacks often come from massive stolen credential databases available on the Dark Web. Hackers collect leaked usernames and passwords from previous data breaches and try them on Microsoft 365 accounts. To avoid being blocked, they carefully limit the number of login attempts, so they don’t trigger lockout policies.
While Microsoft is phasing out Basic Authentication, it will still be partially active until September 2025. This means that many organizations remain vulnerable to these attacks. Security experts warn that despite Microsoft’s ongoing efforts to retire this outdated system, the threat is immediate and serious.
What Companies Must Do to Protect Microsoft 365 Accounts
Security researchers are urging organizations to take immediate action to protect themselves from this attack. The first and most important step is to disable Basic Authentication. Microsoft has been pushing for its removal, but many companies still have it enabled, leaving them exposed.
Another crucial step is to monitor non-interactive sign-in logs. Since hackers are using this method to bypass security checks, companies must actively track these logs for any suspicious activity.
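As an added illustration (not code from the article or from the researchers it cites), the following Python detector looks for the spray pattern described here in non-interactive sign-in records: one source IP producing invalid-credential failures against many distinct accounts over a legacy (Basic Authentication) protocol, followed by any success from the same IP. The record shape, the clientAppUsed values and error code 50126 are assumed from the Entra ID sign-in log schema; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Legacy (Basic Auth) protocols as they appear in the clientAppUsed field of
# Entra ID sign-in logs (assumed schema); "Browser" and
# "Mobile Apps and Desktop clients" are modern-auth clients and are ignored.
LEGACY_CLIENTS = {"Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "MAPI Over HTTP", "Exchange Web Services"}
INVALID_CREDS = 50126  # Entra error code for a wrong username or password

def _rec(upn, ip, minute, client="IMAP4", code=INVALID_CREDS):
    """Build one constructed non-interactive sign-in record (Graph signIn shape)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": client,
            "status": {"errorCode": code},
            "createdDateTime": datetime(2025, 2, 24, 3, minute, tzinfo=timezone.utc)}

# Constructed sample: a spray from 203.0.113.7 (one guess per account across nine
# accounts, the last of which succeeds), a user mistyping their own password three
# times from 198.51.100.4, and an unrelated modern-auth failure from 198.51.100.9.
SAMPLE_SIGNINS = [_rec(f"user{i}@example.com", "203.0.113.7", i * 4) for i in range(8)]
SAMPLE_SIGNINS.append(_rec("user8@example.com", "203.0.113.7", 35, code=0))
SAMPLE_SIGNINS += [_rec("alice@example.com", "198.51.100.4", m) for m in (10, 11, 12)]
SAMPLE_SIGNINS.append(_rec("bob@example.com", "198.51.100.9", 20, client="Browser"))

def find_spray_sources(signins, min_accounts=5, window=timedelta(hours=1)):
    """Return {ip: {"failed_accounts": n, "successes": [upn, ...]}} for source IPs
    whose invalid-credential failures over legacy clients touched at least
    min_accounts distinct accounts inside any sliding window, together with any
    successful legacy sign-in from that IP (a probable compromised account)."""
    by_ip = defaultdict(list)
    for s in signins:
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            by_ip[s["ipAddress"]].append(s)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["createdDateTime"])
        fails = [e for e in events if e["status"]["errorCode"] == INVALID_CREDS]
        best = 0  # most distinct accounts failed within one window
        for i, start in enumerate(fails):
            seen = {e["userPrincipalName"] for e in fails[i:]
                    if e["createdDateTime"] - start["createdDateTime"] <= window}
            best = max(best, len(seen))
        if best >= min_accounts:
            successes = [e["userPrincipalName"] for e in events
                         if e["status"]["errorCode"] == 0]
            hits[ip] = {"failed_accounts": best, "successes": successes}
    return hits

if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE_SIGNINS).items():
        print(f"{ip}: {info['failed_accounts']} accounts failed, successes={info['successes']}")
```

A single user failing repeatedly from one IP never trips the rule, which keeps lockout-style noise out of the alert; the distinct-account count is what distinguishes spraying from a forgotten password.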
Experts also recommend using strong access policies based on location and device security. This means restricting logins from unknown locations or requiring extra security steps if a login attempt comes from an unfamiliar device.
Finally, enabling multi-factor authentication (MFA) or certificate-based authentication is one of the most effective ways to block these attacks. MFA requires users to verify their identity with a second factor, like a phone code or fingerprint scan. Even if hackers steal a password, they still won’t be able to access the account without this extra verification.
With hackers launching large-scale attacks against Microsoft 365 users, it’s critical for businesses to act now. By disabling outdated login methods and enforcing stronger security measures, organizations can prevent cybercriminals from gaining unauthorized access to their accounts.