
Foreign Hackers Attacking M365 Accounts


Foreign-Linked Hackers Target Microsoft 365 with Large-Scale Password Spraying Attacks

Cybersecurity experts have raised alarms about a massive password spraying attack targeting organizations across the West. According to a recent report from SecurityScorecard, businesses relying on Microsoft 365 for email, document storage, and collaboration are at particular risk.

Foreign-Linked Threat Actors Identified

SecurityScorecard researchers have uncovered evidence suggesting that "China-affiliated threat actors" are behind this attack. The campaign appears to be leveraging infrastructure tied to CDS Global Cloud and UCLOUD HK—cloud providers with operational ties to China. Additionally, the researchers identified command-and-control (C2) servers hosted by SharkTech, a U.S.-based provider known for hosting malicious activity in the past.

The Danger of Non-Interactive Sign-Ins

While password spraying is a well-known attack method, this campaign stands out due to its use of non-interactive sign-ins. This technique allows attackers to bypass traditional security controls and remain undetected.

“Typically, password spraying results in lockouts that alert security teams,” SecurityScorecard explained. “However, this campaign specifically targets Non-Interactive Sign-Ins, used for service-to-service authentication, which do not always generate security alerts. This enables attackers to operate without triggering MFA defenses or Conditional Access Policies (CAP), even in highly secured environments.”

Who is Being Targeted?

The primary targets of this attack are organizations in financial services and insurance. However, industries such as healthcare, government and defense, technology and SaaS, and education and research are also under threat. The attackers are attempting to bypass modern security measures, reinforcing suspicions that a nation-state entity is behind the attack.

How to Defend Against This Threat

Organizations must take proactive measures to mitigate the risks posed by these attacks. SecurityScorecard recommends:

  • Reviewing non-interactive sign-in logs for unauthorized access attempts.

  • Rotating credentials for any flagged accounts.

  • Disabling legacy authentication protocols to reduce exposure.

  • Monitoring for stolen credentials associated with your organization.

  • Implementing conditional access policies to restrict login attempts from suspicious sources.
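The first two recommendations above (reviewing non-interactive sign-in logs and rotating credentials for flagged accounts) can be turned into a concrete check. The script below is an added example, not code from the original post, SecurityScorecard or Huntress: it reads Entra ID sign-in records exported as JSON lines, keeps only non-interactive credential failures, and flags any source IP that failed against many distinct accounts inside a short window, which is the signature of a spray (one or two passwords tried across a wide account list) rather than a brute force against one account. The sample records are constructed, the field names follow the Entra ID sign-in log schema, error code 50126 is Entra's "invalid username or password" result, and the IP addresses are RFC 5737 documentation ranges.

```python
"""Flag password-spray patterns in Microsoft Entra ID non-interactive sign-in logs.

Added example, not code from the original post or from SecurityScorecard/Huntress.
Field names (createdDateTime, userPrincipalName, ipAddress, isInteractive,
status.errorCode) follow the Entra ID sign-in log schema; error code 50126 is
Entra's "invalid username or password" result. All records below are
constructed; the IPs are RFC 5737 documentation addresses.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 50126  # Entra ID: bad username or password
SUCCESS = 0

_T0 = datetime(2025, 2, 1, 3, 0, tzinfo=timezone.utc)  # constructed base time


def _rec(upn, ip, minutes, code=INVALID_CREDENTIALS, interactive=False):
    """Build one constructed sign-in record as the JSON line an export would hold."""
    ts = (_T0 + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")
    return json.dumps({
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "isInteractive": interactive,
        "status": {"errorCode": code},
    })


# Constructed sample log: one source IP failing once against eight different
# accounts in seven minutes (a low-and-slow spray), mixed with a benign success,
# a two-account failure below threshold, and an interactive burst that the
# lockout/alert path described in the post would already surface.
SAMPLE_LOG = (
    [_rec(f"user{i}@example.com", "203.0.113.10", i) for i in range(8)]
    + [_rec("user1@example.com", "198.51.100.5", 20, code=SUCCESS)]
    + [_rec("user2@example.com", "192.0.2.7", 30),
       _rec("user3@example.com", "192.0.2.7", 31)]
    + [_rec(f"user{i}@example.com", "192.0.2.9", 40 + i, interactive=True)
       for i in range(6)]
)


def _parse_ts(s):
    """Parse the Zulu-suffixed timestamps Entra exports into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_spray(log_lines, window=timedelta(minutes=15), min_accounts=5):
    """Return {source_ip: [distinct accounts]} for every IP whose non-interactive
    credential failures hit at least `min_accounts` distinct accounts within any
    `window`. Interactive failures are skipped on purpose: they trip the lockout
    path that alerts security teams; this check covers the quiet path."""
    by_ip = defaultdict(list)
    for line in log_lines:
        r = json.loads(line)
        if r.get("isInteractive") or r["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        by_ip[r["ipAddress"]].append(
            (_parse_ts(r["createdDateTime"]), r["userPrincipalName"].lower())
        )

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered failures
        for i, (start, _) in enumerate(events):
            accounts = {upn for ts, upn in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                findings[ip] = sorted(accounts)
                break
    return findings


def accounts_to_rotate(findings):
    """Flatten findings into the sorted set of sprayed accounts, i.e. the
    'flagged accounts' whose credentials the post says to rotate."""
    return sorted({upn for accounts in findings.values() for upn in accounts})


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    for ip, accounts in hits.items():
        print(f"{ip}: {len(accounts)} distinct accounts sprayed")
    print("rotate:", ", ".join(accounts_to_rotate(hits)))
```

The thresholds (`window`, `min_accounts`) are starting points; tune them against your own baseline of service-principal and legacy-protocol traffic, since a single misconfigured mail client can also produce repeated 50126 failures, but from one account rather than many. Keying on distinct accounts per source IP is what separates a spray from that noise.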

David Mound, Threat Intelligence Researcher at SecurityScorecard, emphasized, “Organizations cannot afford to assume that MFA alone is a sufficient defense. Understanding the nuances of non-interactive logins is crucial to closing these gaps.”


How Huntress MDR Can Help

For organizations looking to enhance their defense, Huntress Managed Detection and Response (MDR)/ITDR provides an added layer of security against these types of attacks. Here’s how Huntress MDR can protect businesses:

  • Advanced Threat Detection: Huntress continuously monitors endpoint activity for signs of compromise, including unauthorized authentication attempts and lateral movement.

  • Behavioral Analysis: The platform detects anomalies in non-interactive sign-ins and other suspicious login behaviors, helping identify potential breaches early.

  • Incident Response & Remediation: If a compromise is detected, Huntress provides actionable remediation steps, including credential rotation and containment recommendations.

  • Continuous Threat Intelligence: Huntress actively tracks emerging threats and attack patterns, ensuring that defenses stay ahead of evolving tactics used by adversaries.

  • Ransomware & Persistence Detection: In case attackers attempt to gain persistent access, Huntress identifies hidden footholds within environments and helps remove them before they can be leveraged for further attacks.

As password spraying and non-interactive sign-in exploitation become more sophisticated, organizations must move beyond traditional security controls. With robust detection and response capabilities, Huntress MDR provides essential protection against these evolving cyber threats.


Final Thoughts

This latest campaign serves as a wake-up call for organizations that rely on Microsoft 365. Threat actors continue to exploit authentication gaps, making it imperative to deploy advanced detection and response solutions like Huntress MDR/ITDR. By taking proactive security measures, businesses can stay one step ahead of attackers and protect their critical assets from compromise.

If you have any further questions, please reach out to Cyber@veroot.com
