A botnet of more than 130,000 compromised devices has been conducting large-scale password spraying attacks against Microsoft 365 accounts, exploiting non-interactive sign-ins with Microsoft's basic authentication, resulting in account takeovers, business disruption, and lateral movement.
This technique bypasses modern login protections and evades multi-factor authentication (MFA) enforcement, creating a critical blind spot for security teams, SecurityScorecard reported on Feb. 24.
Here’s how it works: Attackers leverage stolen credentials from infostealer logs to systematically target accounts at scale. These attacks are recorded in non-interactive sign-in logs, which don’t generate the same alerts and are often overlooked by security teams. Attackers then exploit this gap to conduct high-volume password spraying attempts undetected.
The researchers said the tactic was observed across multiple Microsoft 365 tenants globally, indicating a widespread and ongoing threat. SecurityScorecard recommended that any team operating a Microsoft 365 tenant immediately verify whether it is affected and, if so, rotate the credentials of every organization account that appears in the logs.
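As an added example, not SecurityScorecard's tooling or anything taken from its report, the following Python script runs the kind of check the researchers recommend over exported non-interactive sign-in records: it looks for a single source IP that fails against many distinct users with only a few attempts each (the spray signature), separately from the single-account retry loop a misconfigured service account produces, and lists any account the same IP later signed into successfully, since those are the credentials to rotate first. Field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode); the records, addresses and thresholds are constructed for illustration, and 50126 is Entra ID's "invalid username or password" error code.

```python
"""Spot password spraying hidden in Entra ID non-interactive sign-in logs.

Added example; not code from SecurityScorecard or Microsoft. The records
below are constructed in the shape of the Graph signIn resource.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ERR_BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0

# "Client app" values Entra reports for basic-auth (legacy) protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
}


def _rec(ts, upn, ip, code, app="Other clients", interactive=False):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


SAMPLE_SIGNINS = [  # constructed sample data, not a real tenant
    # spray: six users, one attempt each, from one IP in 25 minutes
    _rec("2025-02-20T09:00:01Z", "alice@example.com", "203.0.113.10", 50126),
    _rec("2025-02-20T09:05:12Z", "bob@example.com",   "203.0.113.10", 50126),
    _rec("2025-02-20T09:10:33Z", "carol@example.com", "203.0.113.10", 50126),
    _rec("2025-02-20T09:15:07Z", "dave@example.com",  "203.0.113.10", 50126),
    _rec("2025-02-20T09:20:45Z", "erin@example.com",  "203.0.113.10", 50126),
    _rec("2025-02-20T09:25:19Z", "frank@example.com", "203.0.113.10", 50126),
    # the sprayed password worked for bob: account takeover
    _rec("2025-02-20T09:41:02Z", "bob@example.com",   "203.0.113.10", 0),
    # an interactive failure from the same IP is left to the usual alerting
    _rec("2025-02-20T09:30:00Z", "grace@example.com", "203.0.113.10", 50126,
         app="Browser", interactive=True),
    # misconfigured service account retrying: one user, four attempts, not a spray
    _rec("2025-02-20T09:00:00Z", "svc-backup@example.com", "198.51.100.7", 50126),
    _rec("2025-02-20T09:01:00Z", "svc-backup@example.com", "198.51.100.7", 50126),
    _rec("2025-02-20T09:02:00Z", "svc-backup@example.com", "198.51.100.7", 50126),
    _rec("2025-02-20T09:03:00Z", "svc-backup@example.com", "198.51.100.7", 50126),
    # healthy modern-auth automation
    _rec("2025-02-20T09:00:00Z", "svc-graph@example.com", "192.0.2.25", 0,
         app="Mobile Apps and Desktop clients"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Return one finding per source IP whose non-interactive failures look
    like a spray: at least `min_users` distinct users, no more than
    `max_per_user` attempts against any one of them, inside `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("isInteractive", True):
            continue  # only the non-interactive log is examined here
        by_ip[r["ipAddress"]].append(r)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        fails = [r for r in evs if r["status"]["errorCode"] == ERR_BAD_PASSWORD]
        best = None
        j = 0
        for i in range(len(fails)):  # sliding window over sorted failures
            t0 = parse_time(fails[i]["createdDateTime"])
            while j < len(fails) and parse_time(fails[j]["createdDateTime"]) - t0 <= window:
                j += 1
            per_user = Counter(r["userPrincipalName"] for r in fails[i:j])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = per_user
        if best is None:
            continue
        successes = sorted({r["userPrincipalName"] for r in evs
                            if r["status"]["errorCode"] == SUCCESS})
        findings.append({
            "ip": ip,
            "targeted_users": sorted(best),
            "legacy_auth": any(r.get("clientAppUsed") in LEGACY_CLIENT_APPS for r in evs),
            "compromised": successes,  # rotate these credentials first
        })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_SIGNINS):
        print(f)
```

Real tenants would feed this from the Graph `auditLogs/signIns` export (filtered to non-interactive events) or a SIEM export rather than the inline list; the thresholds are deliberately low so the constructed data trips them and should be tuned to the tenant's baseline of automated sign-ins.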
Darren Guccione, co-founder and CEO at Keeper Security, said this botnet campaign exposed a critical weakness in authentication security: attackers are bypassing MFA and conditional access policies by exploiting non-interactive sign-ins, which rely on stored credentials rather than user-driven authentication.
“Unlike traditional password spraying, this technique avoids triggering security alerts, allowing adversaries to operate undetected, even in well-secured environments,” said Guccione. “For organizations heavily reliant on Microsoft 365, this attack is a wake-up call. Robust cybersecurity isn’t just about having MFA — it’s about securing every authentication pathway. With Microsoft phasing out basic authentication in 2025, organizations must act now to close these gaps before attackers scale their operations even further.”
Jason Soroko, senior fellow at Sectigo, explained that non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations. He said they often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
“MFA has been designed for interactive user authentication and isn’t typically applicable to non-interactive logins,” Soroko pointed out. “Instead, these automated logins should use alternative secure mechanisms such as certificates, or other forms of non-shared managed identities. Organizations should better secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring.”
Soroko added that security teams can configure Microsoft 365 to restrict non-interactive logins. Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins. However, Soroko said teams must apply such restrictions thoughtfully to avoid disrupting legitimate automated processes.
Boris Cipot, senior security engineer at Black Duck, said the latest botnet attack tactics are a significant evolutionary step forward compared to previously used password spraying tactics. Cipot said password spraying attacks involve trying commonly used passwords, such as “password123” or “nimda,” against several accounts.
Cipot said the passwords are usually collected from credential dumps which attackers access from the dark web. To avoid brute-force protections, Cipot said attackers limit the password testing on user accounts to avoid lockout policies. In the past, this meant attacks lasted for a long period of time using automation tools.
“To avoid other monitoring systems, attacks are committed during working hours,” said Cipot. “However, new attack tactics deploy non-interactive sign-ins, which are not as prone to typical security alerts like failed login. Non-interactive sign-ins include logins over API or automated services, for example. Therefore, this new botnet leverages gaps that organizations have in their authentication monitoring.”