
Password-Guessing Botnet Targets Microsoft Accounts Lacking Two-Factor Authentication

Microsoft 365 user accounts are being targeted by a widespread password-spraying botnet, primarily affecting those without two-factor authentication (2FA). Here's the essential information and the actions to take.

[Image: Smartphone displaying the Microsoft emblem under intense scrutiny, with a laptop keyboard in the background.]


In cybersecurity, two facts are beyond dispute: Microsoft is a magnet for attackers, and two-factor authentication (2FA) is an obstacle those attackers detest. A recently disclosed password spray and pray campaign capitalizes on both, zeroing in on Microsoft 365 accounts still using legacy Basic Authentication. Here's the lowdown and the actions your organization should take to minimize the risk.

The Spray and Pray Assault

A botnet of more than 130,000 compromised devices, presumably operated by a China-aligned group, is waging a large-scale password spraying campaign against Microsoft 365 accounts. Its aim is to sidestep login protections such as 2FA by targeting non-interactive sign-ins that use Basic Authentication, a legacy authentication method Microsoft has been phasing out because of its weaknesses.

Researchers have observed this tactic in Microsoft 365 tenants around the globe, underlining how widespread and persistent the threat is. Because non-interactive sign-ins bypass 2FA or Conditional Access Policies (CAP) in many configurations, attackers exploit them to run high-volume password spraying campaigns that typically go unnoticed by security teams.

“Non-interactive sign-ins, commonly utilized for service-to-service authentication, legacy protocols, and automated processes,” SecurityScorecard observed, contain an Achilles' heel: Basic Authentication is still enabled in some environments, which means passwords are transmitted in plain text.

While Microsoft plans to retire Basic Authentication completely by September 2025, the researchers point out that the behavior described in this report constitutes an immediate threat.

Insight:

To safeguard against password spray attacks targeting Microsoft 365 accounts using Basic Authentication, organizations should take the following measures:

  1. Disable Basic Authentication: Microsoft is phasing out Basic Authentication in favor of OAuth 2.0 by 2025. Organizations should disable Basic Authentication wherever possible so attackers cannot use it to bypass MFA.
  2. Implement Multi-Factor Authentication: Enable MFA for all users, especially internet-facing login portals. This adds an additional layer of security that makes it harder for attackers to gain unauthorized access.
  3. Enforce Strong Password Policies: Implement robust password policies that require strong, unique passwords for all users. Regularly update and rotate passwords to reduce the risk of compromised credentials.
  4. Monitor Non-Interactive Sign-ins: Regularly monitor Entra ID logs for non-interactive sign-in attempts, which may indicate password spray attacks. Look for patterns like multiple failed login attempts from different IPs.
  5. Use Conditional Access Policies: Implement CAPs to enforce MFA and restrict access based on user and device attributes. This can help limit the impact of compromised credentials.
  6. Implement Password Protection Solutions: Use solutions like Entra ID Password Protection to block weak or compromised passwords across the organization.
  7. Educate Users: Educate users about phishing techniques and the importance of strong passwords. Encourage them to report suspicious login attempts.
  8. Centralize Identity Management: Integrate on-premises directories with cloud directories to centralize identity management. This helps in monitoring and responding to malicious access attempts.
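Step 4 above asks teams to watch non-interactive sign-ins for spray patterns. The following is an added illustration of that check (not code from the article or from SecurityScorecard): it runs over constructed records shaped like Entra ID sign-in log entries and flags hours in which many distinct accounts each fail once or twice over legacy protocols from several source IPs. The field names, the thresholds and the sample data are assumptions for the example; 50126 is Entra ID's result code for an invalid username or password.

```python
from collections import Counter, defaultdict

# Field names follow the Entra ID sign-in log schema; every record here is constructed sample data.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
INVALID_PASSWORD = 50126  # Entra ID result code for a wrong username or password

def make_record(ts, upn, ip, client, interactive=False, code=INVALID_PASSWORD):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "isInteractive": interactive,
            "status": {"errorCode": code}}

SAMPLE_LOGS = [  # constructed: six accounts, one failure each, three source IPs, legacy protocols
    make_record("2025-02-24T10:01:00Z", "alice@example.com", "203.0.113.10", "IMAP4"),
    make_record("2025-02-24T10:03:00Z", "bob@example.com", "203.0.113.11", "IMAP4"),
    make_record("2025-02-24T10:05:00Z", "carol@example.com", "198.51.100.7", "Exchange ActiveSync"),
    make_record("2025-02-24T10:09:00Z", "dave@example.com", "203.0.113.10", "IMAP4"),
    make_record("2025-02-24T10:12:00Z", "erin@example.com", "198.51.100.7", "IMAP4"),
    make_record("2025-02-24T10:15:00Z", "frank@example.com", "203.0.113.11", "POP3"),
    # interactive and modern-auth failures are out of scope for this detection
    make_record("2025-02-24T10:16:00Z", "grace@example.com", "203.0.113.12", "Browser", interactive=True),
    make_record("2025-02-24T10:17:00Z", "heidi@example.com", "203.0.113.12", "Mobile Apps and Desktop clients"),
    # a later hour: one user mistyping their own password repeatedly is not a spray
    make_record("2025-02-24T14:02:00Z", "alice@example.com", "192.0.2.5", "IMAP4"),
    make_record("2025-02-24T14:03:00Z", "alice@example.com", "192.0.2.5", "IMAP4"),
    make_record("2025-02-24T14:04:00Z", "alice@example.com", "192.0.2.5", "IMAP4"),
]

def is_legacy_failure(rec):
    """Non-interactive sign-in over a legacy protocol that failed on the password."""
    return (rec.get("isInteractive") is False
            and rec.get("clientAppUsed") in LEGACY_CLIENTS
            and rec.get("status", {}).get("errorCode") == INVALID_PASSWORD)

def detect_spray(records, min_users=5, min_ips=2, max_per_user=3):
    """Bucket legacy-auth failures by UTC hour and flag hours where many distinct accounts
    each see only a few failures from several IPs: the many-victims shape of a spray."""
    buckets = defaultdict(list)
    for rec in records:
        if is_legacy_failure(rec):
            buckets[rec["createdDateTime"][:13]].append(rec)  # "YYYY-MM-DDTHH", ISO 'Z' timestamps
    alerts = []
    for hour, recs in sorted(buckets.items()):
        per_user = Counter(r["userPrincipalName"].lower() for r in recs)
        ips = {r["ipAddress"] for r in recs}
        if len(per_user) >= min_users and len(ips) >= min_ips and max(per_user.values()) <= max_per_user:
            alerts.append({"hour": hour, "users": len(per_user), "source_ips": len(ips),
                           "protocols": sorted({r["clientAppUsed"] for r in recs})})
    return alerts
```

Running `detect_spray(SAMPLE_LOGS)` flags only the 10:00 hour; the 14:00 cluster of one user failing three times is left alone, which is the distinction between a spray and ordinary typos.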

By implementing these measures, organizations can significantly reduce their vulnerability to password spray attacks targeting Microsoft 365 accounts using Basic Authentication.

  1. This password spray and pray campaign specifically targets Microsoft 365 accounts that still rely on Microsoft's legacy basic authentication.
  2. The attackers in this campaign are focusing on bypassing Microsoft's two-factor authentication (2FA) and Conditional Access Policies (CAP) by exploiting non-interactive sign-ins that utilize basic authentication.
  3. Microsoft has long recognized the vulnerabilities of basic authentication and is in the process of deprecating it, with a complete retirement scheduled for September 2025.
  4. Given the widespread and enduring threat of password spray attacks, it's likely that many Microsoft 365 tenants will remain vulnerable to such attacks until basic authentication is fully retired.
  5. To mitigate the risk of password spray attacks, organizations should disable basic authentication where possible and implement multi-factor authentication (MFA) for all users.
  6. Microsoft 365 tenants should also enforce strong password policies, monitor non-interactive sign-ins, and implement conditional access policies to restrict access based on user and device attributes.
  7. In addition, organizations can use password protection solutions to block weak or compromised passwords and educate users about phishing techniques and the importance of strong passwords.
