A massive botnet of over 130,000 compromised devices is conducting a large-scale password-spraying attack against Microsoft 365 accounts—without triggering the usual security alerts. The attack exploits non-interactive sign-ins, an authentication method that often goes unnoticed by security teams.
Unlike traditional password-spraying attacks that lead to account lockouts and investigations, this method operates under the radar. Non-interactive sign-ins occur when a system or application logs in on behalf of a user, without requiring manual authentication input. These are commonly used for service accounts, automated workflows, and API integrations.
Since security teams typically monitor interactive logins rather than non-interactive ones, attackers are able to launch large-scale password-spraying attempts without setting off alarms. This gives them more time to infiltrate systems, gain unauthorised access, and potentially move laterally within an organisation.
Security researchers have observed this attack pattern across multiple Microsoft 365 environments worldwide. The botnet systematically tests credentials through basic authentication against the targeted accounts, which lets it bypass many traditional security controls.
Unlike conventional password-spraying tactics that cause account lockouts, non-interactive sign-in attacks allow bad actors to persist for longer periods, making them a serious security risk even for organisations with robust authentication controls.
Companies that focus only on monitoring interactive logins could be missing a critical vulnerability. This attack method increases the risk of:
Account takeovers
Business disruption
Lateral movement within the network
Bypassing multifactor authentication (MFA)
Exploiting conditional access policy (CAP) weaknesses
If your organisation uses Microsoft 365, it’s essential to take proactive steps to mitigate this threat. Immediate actions include:
Reviewing non-interactive sign-in logs for unusual activity
Rotating credentials for service accounts and any accounts appearing in these logs
Enforcing Privileged Access Management (PAM) to control and monitor service account access
Strengthening authentication monitoring across all sign-in types, not just interactive logins
Keeping up with threat intelligence updates to stay informed about evolving attack techniques
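The first action above, reviewing non-interactive sign-in logs, is the one most teams have never automated. The script below is an added example, not part of the original article: it scans constructed sample records shaped like Microsoft Entra sign-in log entries (field names follow the Graph signIn resource) and reports any source IP whose non-interactive failures span several distinct accounts, counting legacy-authentication client apps and any success that followed the spray. The legacy-client list and the thresholds are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Entra sign-in log entries (JSON lines).
# Addresses, users and timestamps are made up; error code 50126 is "invalid username or password".
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T01:00:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:09Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","isInteractive":false,"clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:14Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","isInteractive":false,"clientAppUsed":"Authenticated SMTP","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T01:00:20Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","isInteractive":false,"clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T01:01:00Z","userPrincipalName":"svc-backup@example.com","ipAddress":"198.51.100.7","isInteractive":false,"clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T01:02:00Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","isInteractive":true,"clientAppUsed":"Browser","status":{"errorCode":50126}}
"""

# Client-app labels that indicate basic/legacy authentication in Entra sign-in logs.
# Assumption for this example: a subset of the labels Entra uses; extend to match your tenant.
LEGACY_AUTH_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}


def parse_records(text):
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_spray_sources(records, min_accounts=3):
    """Return {ip: stats} for IPs whose NON-INTERACTIVE failures hit >= min_accounts distinct users."""
    by_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "legacy_auth": 0, "successes": set()})
    for r in records:
        if r.get("isInteractive", True):
            continue  # the article's point: these sign-ins are the ones most teams never review
        s = by_ip[r["ipAddress"]]
        if r.get("status", {}).get("errorCode", 0) != 0:
            s["failures"] += 1
            s["accounts"].add(r["userPrincipalName"])
        else:
            s["successes"].add(r["userPrincipalName"])  # a success after a spray is the real alarm
        if r.get("clientAppUsed") in LEGACY_AUTH_CLIENTS:
            s["legacy_auth"] += 1
    return {ip: s for ip, s in by_ip.items() if len(s["accounts"]) >= min_accounts}


if __name__ == "__main__":
    for ip, s in find_spray_sources(parse_records(SAMPLE_LOG)).items():
        print(f"{ip}: {s['failures']} failures across {len(s['accounts'])} accounts, "
              f"{s['legacy_auth']} legacy-auth attempts, successes: {sorted(s['successes'])}")
```

On the sample data only 203.0.113.10 is reported: three failed accounts over legacy clients, followed by a successful non-interactive sign-in for a fourth account, which is the case that warrants immediate credential rotation.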
As attackers continue to evolve their methods, organisations must adapt their security strategies. Monitoring and securing all authentication pathways, including non-interactive sign-ins, is crucial to preventing unauthorised access and protecting critical systems.