M365 Botnet Password Spraying Attack 


Introduction

SecurityScorecard discovered that Microsoft 365 (M365) tenants worldwide are being targeted with password spraying attacks by a nation-state threat actor. The attacks exploit non-interactive sign-ins with Basic Authentication, which lets the threat actor bypass modern login protections by evading Multi-Factor Authentication (MFA). The botnet, active since at least December 2024, was composed of over 130,000 devices operating in the Asia/Shanghai timezone.

Attack Overview

According to SecurityScorecard, the botnet consists of over 130,000 compromised devices controlled by six command and control (C2) servers hosted in the United States. The bots route their traffic through proxies on China-affiliated hosting providers, UCLOUD HK and CDS Global Cloud. The threat actor targets M365 accounts across multiple organizations, using Tactics, Techniques and Procedures (TTPs) that include password spraying, non-interactive sign-ins, Basic Authentication abuse, use of stolen credentials and proxy-based evasion. The botnet takes credentials from infostealer logs and systematically attempts to log in to M365 accounts through non-interactive sign-ins, which lets the threat actor evade Multi-Factor Authentication (MFA) enforcement and bypass Conditional Access Policies (CAP). Because these attempts are recorded as non-interactive sign-ins, they receive reduced security visibility. Non-interactive sign-ins are commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP) and automated processes, so they do not trigger MFA in many configurations. Where Basic Authentication is still enabled, credentials are transmitted in plain form, making those environments a prime target for threat actors.

Mapping the attack to MITRE ATT&CK framework 

We can map the attacks to the following Tactics, Techniques, and Procedures (TTPs) in the MITRE ATT&CK framework.

Attack Analysis 

The threat actor performs password spraying through non-interactive sign-ins in order to gain access to M365 accounts. Events associated with spraying attempts from this botnet carry the “fasthttp” user agent string, as detected by the SpearTip Security Operations Center. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests. All observed attempts have targeted the Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000). Data analyzed from a large set of Microsoft 365 tenants indicates that “fasthttp” was first observed as a user agent on January 6th, 2025. Further investigation led to the discovery of six Command and Control (C2) servers with the following IP addresses:

  1. 70.39.115.74
  2. 70.39.120.10
  3. 204.188.218.178
  4. 204.188.218.179
  5. 204.188.210.226
  6. 204.188.210.227

Investigating the C2 servers reveals 10 open ports that are being used for various purposes. The ports used by the C2 servers are:

| Port | Service | Possible Use |
| --- | --- | --- |
| 1002 | Unknown | Unknown |
| 2181 | Zookeeper | Kafka |
| 3306 | MySQL | Data storage or botnet configuration |
| 6379 | Redis | Key-value store |
| 7779 | Unknown | Unknown |
| 8081 | Jetty web service | Zookeeper query service |
| 10050 | Zabbix Agent | Potential botnet monitoring |
| 33060 | MySQL X Protocol | Likely used with MySQL service |
| 12341 | | Botnet C2 channel (client registration) |
| 12342 | | Possibly used for tasking infected hosts |
| 12347 | | Possible data exfil or backup C2 |
| 12348 | | High probability of main C2 command execution |

These servers run Apache Zookeeper, a distributed system coordination framework, suggesting a distributed campaign infrastructure. Notably, the presence of Zookeeper, an industry standard for distributed systems, may indicate a sophisticated threat actor with advanced software engineering expertise, given the challenges of maintaining a Zookeeper cluster at scale. Port 8081 remains unrestricted, allowing server queries that revealed additional details, including uptime information. Further analysis of the Zookeeper nodes indicates they also operate Apache Kafka.

Remediation

Remediation starts with implementing a robust monitoring strategy across all M365 environments. This includes monitoring non-interactive sign-in logs for unknown or suspicious user agents that may indicate malicious activity. M365 administrators should enforce an immediate password reset for all compromised accounts and invalidate active sessions to prevent further unauthorized access.
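As an added example (not code from this article, SecurityScorecard, SpearTip or InsiderSecurity), the following Python runs the checks described in the attack analysis and the monitoring advice above over constructed non-interactive sign-in records: a known-bad user agent such as fasthttp aimed at the AAD Graph Application ID, one source IP failing against many accounts, one account failing from many IPs, and finally the accounts whose successful sign-in came from a spraying source and therefore need a reset and session revocation first. The record field names follow the Entra ID sign-in log schema as an assumption, and the users and IP addresses are made up.

```python
from collections import defaultdict
# App ID of the Azure AD Graph API that every observed attempt targeted (value from the article).
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
SUSPICIOUS_AGENTS = {"fasthttp"}  # user agents no sanctioned automation in the tenant uses
FAILED_PASSWORD = 50126           # AADSTS50126: invalid username or password
# Constructed sample records shaped like Entra ID sign-in log entries; the field names are an
# assumption (status.errorCode flattened to errorCode), and the users and IPs are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": u, "ipAddress": ip, "userAgent": ua, "resourceId": app,
     "isInteractive": inter, "errorCode": err}
    for u, ip, ua, app, inter, err in [
        ("alice@example.com", "203.0.113.10", "fasthttp", AAD_GRAPH_APP_ID, False, FAILED_PASSWORD),
        ("bob@example.com",   "203.0.113.10", "fasthttp", AAD_GRAPH_APP_ID, False, FAILED_PASSWORD),
        ("erin@example.com",  "203.0.113.10", "fasthttp", AAD_GRAPH_APP_ID, False, FAILED_PASSWORD),
        ("carol@example.com", "203.0.113.10", "fasthttp", AAD_GRAPH_APP_ID, False, 0),  # spray hit
        ("carol@example.com", "198.51.100.7", "fasthttp", AAD_GRAPH_APP_ID, False, FAILED_PASSWORD),
        ("carol@example.com", "198.51.100.8", "fasthttp", AAD_GRAPH_APP_ID, False, FAILED_PASSWORD),
        ("dave@example.com",  "192.0.2.44",   "Mozilla/5.0", "lob-app-placeholder", True, 0),
    ]
]

def is_failed_noninteractive(rec):
    return not rec["isInteractive"] and rec["errorCode"] != 0

def suspicious_agent_hits(records):
    """Non-interactive sign-ins with a known-bad user agent, flagging whether they hit AAD Graph."""
    return [(r["userPrincipalName"], r["ipAddress"], r["resourceId"] == AAD_GRAPH_APP_ID)
            for r in records
            if not r["isInteractive"] and r["userAgent"].lower() in SUSPICIOUS_AGENTS]

def spraying_sources(records, min_accounts=3):
    """Source IPs that failed against at least min_accounts distinct users (one password, many users)."""
    by_ip = defaultdict(set)
    for r in filter(is_failed_noninteractive, records):
        by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}

def accounts_hit_from_many_ips(records, min_ips=2):
    """Users that failed from at least min_ips distinct IPs (the proxy-rotation pattern)."""
    by_user = defaultdict(set)
    for r in filter(is_failed_noninteractive, records):
        by_user[r["userPrincipalName"]].add(r["ipAddress"])
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) >= min_ips}

def compromised_via_spray(records):
    """Accounts with a successful non-interactive sign-in from a spraying IP: reset and revoke first."""
    sprayers = spraying_sources(records)
    return sorted({r["userPrincipalName"] for r in records if not r["isInteractive"]
                   and r["errorCode"] == 0 and r["ipAddress"] in sprayers})
```

In a real tenant the same functions can be fed the exported sign-in log after flattening the nested status field; the thresholds are deliberately low for the constructed sample and should be tuned to the tenant's baseline.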

In addition, the deployment of automated alerts and remediation workflows is essential for reducing response times and minimizing the overall impact of an attack. By integrating automated detection systems with remediation protocols, organizations can ensure that security teams are alerted in real time, enabling them to take swift, targeted actions. This not only improves operational efficiency but also ensures that security breaches are mitigated with minimal delay. It is imperative that these processes be continuously reviewed and updated to address evolving threat tactics and maintain a high level of protection for M365 environments. 

Implementation of an automated response and alert system can be done through InsiderSecurity’s CSX.  

CSX dashboard highlights multiple failed login attempts from different IP addresses into the same user account, helping security teams quickly identify potential brute-force or credential-stuffing attacks.

Staying ahead of cyber threats  

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.   

CSX is designed to detect sophisticated attacks described in this article making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.  

CSX provides an easy way to perform mitigation and remediation.
