I want to bring to your attention a critical security issue that has recently come to light. A massive botnet comprising over 130,000 compromised devices is currently conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide. These attacks exploit Basic Authentication (Basic Auth) to bypass Multi-Factor Authentication (MFA), posing significant risks to our organization's security.
Key Points:
- The botnet targets M365 accounts through Basic Auth, which transmits credentials in plaintext, making it vulnerable to attacks.
- Signs of these attacks can be detected in Entra ID logs, showing increased failed login attempts and non-interactive sign-ins.
- The botnet is likely linked to Chinese-affiliated threat actors and operates through U.S. and Hong Kong-based command and control servers.
Ongoing Vigilance and Monitoring:
- Continue Disabling Basic Authentication: Ensure that Basic Auth remains disabled across all our systems to prevent these attacks from succeeding.
- Maintain Enhanced Security Measures: Keep robust security measures such as MFA and Conditional Access Policies in place.
- Regularly Monitor Logs: Consistently check Entra ID logs for any signs of increased failed login attempts or non-interactive sign-ins.
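One way to run the log check described above, as an added example that is not part of the original notice. It assumes sign-in records exported from Entra ID as JSON with the fields userPrincipalName, ipAddress, isInteractive, clientAppUsed and status.errorCode; the sample records, the legacy client list and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Client app values treated as legacy (Basic Auth) protocols; assumed list, extend as needed.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def rec(user, ip, code, interactive, app):
    """Build one constructed record shaped like an exported sign-in log entry."""
    return {"userPrincipalName": user, "ipAddress": ip, "isInteractive": interactive,
            "clientAppUsed": app, "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE = [
    rec("alice@example.com", "203.0.113.7", 50126, False, "Authenticated SMTP"),
    rec("bob@example.com", "203.0.113.7", 50126, False, "Authenticated SMTP"),
    rec("carol@example.com", "203.0.113.7", 50126, False, "IMAP4"),
    rec("Bob@example.com", "203.0.113.7", 0, False, "IMAP4"),      # success after failures
    rec("dave@example.com", "198.51.100.20", 50126, True, "Browser"),  # ordinary typo
    rec("dave@example.com", "198.51.100.20", 0, True, "Browser"),
]


def spray_candidates(records, min_users=3):
    """Map source IP -> accounts with failed non-interactive sign-ins,
    keeping only IPs that failed against at least min_users distinct accounts."""
    targets = defaultdict(set)
    for r in records:
        failed = r["status"]["errorCode"] != 0  # errorCode 0 means success
        if failed and not r["isInteractive"]:
            targets[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_users}


def legacy_successes(records):
    """List successful sign-ins made through a legacy client protocol.
    Any hit means Basic Auth is still reachable for that account."""
    return [(r["userPrincipalName"].lower(), r["ipAddress"], r["clientAppUsed"])
            for r in records
            if r["status"]["errorCode"] == 0 and r["clientAppUsed"] in LEGACY_CLIENTS]


if __name__ == "__main__":
    print("Possible spray sources:", spray_candidates(SAMPLE))
    print("Legacy-protocol successes:", legacy_successes(SAMPLE))
```

Because a large botnet spreads its attempts across many addresses, the per-IP threshold should be tuned low and reviewed alongside the legacy-protocol results rather than relied on alone.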
Why MFA is Crucial: Multi-Factor Authentication (MFA) adds an essential layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application or online account. This significantly reduces the risk of unauthorized access, even if an attacker manages to obtain a user's password. By using MFA, we can better protect our sensitive data and maintain the integrity of our systems.
For more detailed information, please refer to the article here.
Additionally, I encourage everyone to follow our security and maintenance updates to stay informed about the latest developments and best practices.
Your awareness and cooperation are crucial in protecting our organization from these threats. If you have any questions or need further assistance, please do not hesitate to contact the ACORD Help Desk.
You should have a desktop internet shortcut for quick access.
Thank you for your prompt attention to this matter.