A botnet of more than 130,000 compromised devices is password-spraying Microsoft 365 (M365) accounts worldwide. It targets Basic Authentication because those sign-ins cannot be challenged for multi-factor authentication: a correctly guessed password grants access directly, and the attempts show up in the non-interactive sign-in log, which many teams do not alert on.
Learn more: https://lnkd.in/eMmUqgub
Report sans the paywall: https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
Active C2s:
- 205.172.59.16
- 205.172.59.17
- 156.146.56.19
- 156.146.56.20
- 156.146.56.21
- 156.146.56.22
- 156.146.56.23
- 79.127.216.177
- 79.127.216.178
- 95.173.206.186
Active C2s listed in the SecurityScorecard report:
- 70.39.115.74
- 70.39.120.10
- 204.188.218.178
- 204.188.218.179
- 204.188.210.226
- 204.188.210.227
Password Spraying JA4+ Fingerprints:
- JA4=t13i130900_f57a46bbacb6_e7c285222651
- JA4H=ge11nn080000_c3cec6b3c214
Detection and Prevention Commands:
1. Block the C2 IPs using iptables (one rule per address):
sudo iptables -A INPUT -s 205.172.59.16 -j DROP
sudo iptables -A INPUT -s 205.172.59.17 -j DROP
sudo iptables -A INPUT -s 156.146.56.19 -j DROP
sudo iptables -A INPUT -s 156.146.56.20 -j DROP
sudo iptables -A INPUT -s 156.146.56.21 -j DROP
sudo iptables -A INPUT -s 156.146.56.22 -j DROP
sudo iptables -A INPUT -s 156.146.56.23 -j DROP
sudo iptables -A INPUT -s 79.127.216.177 -j DROP
sudo iptables -A INPUT -s 79.127.216.178 -j DROP
sudo iptables -A INPUT -s 95.173.206.186 -j DROP
Keep in mind what these rules cover: the addresses are the botnet's command-and-control servers, not the sources of the spray. The spraying is done by the 130,000 compromised devices and is aimed at Microsoft's login endpoints, not at your perimeter, so host firewall rules mainly help you spot and cut off devices in your own network that try to reach the C2s. For the spray itself, the sign-in log and Conditional Access are the controls that apply.
2. Make sure modern authentication (OAuth 2.0) is enabled in Exchange Online. Note that `Set-MsolDomainAuthentication -DomainName yourdomain.com -Authentication Managed` does not do this: it converts a federated domain to a managed one, and the MSOnline module it belongs to is retired. The tenant-wide switch is in Exchange Online PowerShell:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Enabling modern auth does not by itself refuse Basic Auth; an Exchange Online authentication policy or the Conditional Access policy in step 4 is still needed for that. Microsoft disabled Basic Auth for most Exchange Online protocols in late 2022, with SMTP AUTH as the exception, so check which protocols your tenant still allows rather than assuming it is off.
3. Hunt for the JA4 fingerprint in packet captures with tshark (the tls.handshake.ja4 field requires Wireshark/tshark 4.2 or later; the leading "t13i" means TLS 1.3 over TCP with no SNI in the Client Hello):
tshark -r capture.pcap -Y "tls.handshake.ja4 == t13i130900_f57a46bbacb6_e7c285222651"
The JA4H value is an HTTP-request fingerprint, so it can only be matched where the HTTP layer is visible in the clear, for example behind a TLS-terminating proxy; it will not appear in an encrypted capture.
4. Block legacy authentication with a Conditional Access policy. The policy must be scoped to the legacy client app types: a Block policy on all apps and all users with no client-app condition locks every user out of everything. The AzureAD module is retired, so use the Microsoft Graph PowerShell cmdlet, and start in report-only mode:
New-MgIdentityConditionalAccessPolicy -BodyParameter @{ displayName = "Block legacy authentication"; state = "enabledForReportingButNotEnforced"; conditions = @{ clientAppTypes = @("exchangeActiveSync", "other"); applications = @{ includeApplications = @("All") }; users = @{ includeUsers = @("All") } }; grantControls = @{ operator = "OR"; builtInControls = @("block") } }
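The two Microsoft 365 steps above (turn on modern auth, then block Basic Auth) are one procedure in practice. The script below is an added example, not code from the original post or from the SecurityScorecard report; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, and `<break-glass-object-id>` is a placeholder for the object ID of your emergency-access account.

```powershell
# Added example (not from the original post or the SecurityScorecard report).
# Assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are
# installed and that <break-glass-object-id> is replaced with the object ID of
# your emergency-access account; every other name is a placeholder.

# --- Exchange Online: refuse Basic Auth at the protocol level -----------------
Connect-ExchangeOnline

# Modern auth (OAuth 2.0) must be on, or clients have nothing to move to.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# See what the tenant currently allows: any AllowBasicAuth* that is True is a spray target.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# A new authentication policy has every AllowBasicAuth* switch off, i.e. it blocks
# Basic Auth for SMTP AUTH, IMAP, POP, EWS, ActiveSync, MAPI and remote PowerShell.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# SMTP AUTH is the legacy protocol Microsoft left enabled tenant-wide; turn it off
# and re-enable it per mailbox only where a device genuinely needs it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Authentication policies can take up to 24 hours to apply; to force it for one user:
# Set-User -Identity someone@example.com -STSRefreshTokensValidFrom (Get-Date)

# --- Entra ID: Conditional Access scoped to legacy clients --------------------
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName   = "Block legacy authentication"
    # Report-only first: review the sign-in log for what it would have blocked,
    # then change state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Only these client app types speak legacy auth. Without this key the
        # policy would block every sign-in for every user.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-object-id>")   # assumption: your emergency-access account
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The Exchange Online authentication policy and the Conditional Access policy overlap on purpose: the first refuses the Basic Auth handshake at the protocol level, the second catches anything that still presents as a legacy client. Leave the Conditional Access policy in report-only mode until the sign-in log shows nothing legitimate would be blocked, and never roll it out without the break-glass exclusion.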
What Undercode Say:
The surge in password-spray attacks against Microsoft 365 underscores that the authentication protocol matters as much as the credential. Basic Authentication carries only a username and password and has no way to present an MFA challenge, so a guessed password is enough to log in; that is the whole reason the botnet targets it. Password spraying (a handful of common passwords tried against many accounts, spread across 130,000 source devices) also stays under per-account lockout thresholds, and the attempts land in the non-interactive sign-in log, which is rarely watched as closely as interactive sign-ins.
Modern authentication, built on OAuth 2.0 and OpenID Connect, issues tokens only after Entra ID has evaluated the sign-in, which is what makes MFA and Conditional Access enforceable. Conditional Access policies can block sign-ins from specific IP ranges or named locations, require MFA for high-risk sign-ins, and restrict access by user location and device compliance.
Beyond enabling modern authentication, organizations should watch for and block traffic to the known command-and-control (C2) servers listed above, using iptables on Linux or Windows Firewall on Windows. Be clear about what those rules catch: the C2 addresses are where infected devices report in, while the spray itself comes from the compromised devices and is aimed at Microsoft's login endpoints, so a match on a C2 address in your own egress traffic means one of your hosts is part of the botnet. For the spray itself, the Entra ID sign-in logs (interactive and non-interactive) hold the evidence; where TLS Client Hellos are visible on the wire, the JA4 fingerprint above can also be used to spot the botnet's client.
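What a spray looks like in the sign-in log is easy to state and worth turning into a check: many distinct accounts, one or two failures each, from one source IP in a short window, usually over a legacy client, and any success from such an IP is a compromised account. The script below is an added example, not code from the original post or the SecurityScorecard report. The field names follow the Entra ID sign-in log schema (userPrincipalName, ipAddress, clientAppUsed, errorCode, createdDateTime); the records it runs over are constructed sample data, and the C2 list is a subset of the addresses above.

```powershell
# Added example (not from the original post or the SecurityScorecard report).
# Password-spray triage over Entra ID sign-in records. Field names follow the
# sign-in log schema; the sample records below are constructed, not a real export.

function Find-PasswordSpray {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $SignIn,
        [string[]] $KnownC2 = @(),
        [int] $UserThreshold = 10,    # distinct accounts tried from one source IP ...
        [int] $WindowMinutes = 60     # ... within this many minutes
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($s in $SignIn) { $all.Add($s) } }
    end {
        # clientAppUsed values that mean Basic Auth / legacy protocols.
        $legacy = 'Other clients', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
                  'Exchange ActiveSync', 'Exchange Web Services', 'MAPI Over HTTP'
        foreach ($group in ($all | Group-Object -Property ipAddress)) {
            $events  = @($group.Group | Sort-Object createdDateTime)
            $failed  = @($events | Where-Object errorCode -eq 50126)   # 50126 = bad username/password
            $success = @($events | Where-Object errorCode -eq 0)
            $users   = @($failed | ForEach-Object userPrincipalName | Sort-Object -Unique)
            $span    = ($events[-1].createdDateTime - $events[0].createdDateTime).TotalMinutes
            # Spray signature: wide (many accounts), shallow (few tries each), fast (one window).
            $isSpray = ($users.Count -ge $UserThreshold) -and ($span -le $WindowMinutes)
            $isC2    = $KnownC2 -contains $group.Name
            if (-not ($isSpray -or $isC2)) { continue }
            [pscustomobject]@{
                IP            = $group.Name
                DistinctUsers = $users.Count
                Failures      = $failed.Count
                LegacyAuth    = @($events | Where-Object { $legacy -contains $_.clientAppUsed }).Count -gt 0
                KnownC2       = $isC2
                # A success from a spraying IP is a compromised account, not a false positive.
                HitAccounts   = @($success.userPrincipalName) -join ','
            }
        }
    }
}

# ---- Constructed sample records (not real log data) --------------------------
$t0 = [datetime]'2025-02-21T03:00:00'
$sample = @()
# 12 accounts, one bad password each, 20 seconds apart, from a listed C2 IP: the spray shape.
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{
        createdDateTime = $t0.AddSeconds(20 * $i); userPrincipalName = "user$i@example.com"
        ipAddress = '205.172.59.16'; clientAppUsed = 'Other clients'; errorCode = 50126
    }
}
# ... and one hit: the spray guessed user7's password.
$sample += [pscustomobject]@{
    createdDateTime = $t0.AddMinutes(5); userPrincipalName = 'user7@example.com'
    ipAddress = '205.172.59.16'; clientAppUsed = 'Other clients'; errorCode = 0
}
# One person mistyping a password three times from an office IP: depth without breadth, not spray.
foreach ($i in 1..3) {
    $sample += [pscustomobject]@{
        createdDateTime = $t0.AddMinutes($i); userPrincipalName = 'bob@example.com'
        ipAddress = '203.0.113.7'; clientAppUsed = 'Browser'; errorCode = 50126
    }
}
# A single IMAP failure from another listed C2: below the threshold, flagged by the IOC list.
$sample += [pscustomobject]@{
    createdDateTime = $t0; userPrincipalName = 'carol@example.com'
    ipAddress = '95.173.206.186'; clientAppUsed = 'IMAP4'; errorCode = 50126
}

$c2 = '205.172.59.16', '95.173.206.186'      # subset of the C2 list above
$sample | Find-PasswordSpray -KnownC2 $c2 -UserThreshold 10 | Format-Table
```

Against a real tenant, pipe the output of `Get-MgAuditLogSignIn -All` into `Find-PasswordSpray` in the same way. The interactive sign-in log alone will miss this botnet: the Basic Auth attempts are non-interactive sign-ins, which are a separate event type (signInEventTypes nonInteractiveUser, exposed on the beta Graph endpoint) and must be queried explicitly. Tune the threshold to your tenant size, and treat any non-empty HitAccounts as an incident rather than an alert.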
For Microsoft 365 administrators, blocking legacy authentication is the control that matters most. An Exchange Online authentication policy, or a Conditional Access policy scoped to the legacy client app types, prevents Basic Auth from being used at all, so modern authentication, and with it MFA, becomes the only way in. Both can be set from PowerShell (the Exchange Online cmdlets and the Conditional Access cmdlets in the Microsoft Graph PowerShell module, which replace the retired MSOnline and AzureAD modules) and rolled out tenant-wide, ideally in report-only mode first and always with a break-glass account excluded.
In conclusion, the rise of botnet-driven password spraying is a reminder that a password alone is not a security boundary. Organizations should move fully to modern authentication, block legacy protocols, monitor sign-in logs and network traffic for the indicators above, and enforce Conditional Access; together these sharply reduce the chance that a guessed password turns into a compromise.
Learn more about securing Microsoft 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide