vmhosts

What is a Password Spray Attack?

Mar 10, 2025 | News

A Chinese botnet of over 130,000 devices was recently detected attacking M365 accounts, using outdated (legacy) authentication to carry out a password spray attack.

Password spray attacks are a type of brute-force attack, but they work differently from traditional attempts. Instead of trying many passwords against a single account, attackers try a few common passwords across many accounts, keeping the number of failures per account low. This allows them to evade traditional security measures like account lockout policies. Combined with legacy authentication methods, which do not support MFA, they bypass most of the security of the M365 platform, including MFA and lockout policies. If an attacker gains access to just one account, they can often move laterally and access emails, sensitive documents, and even cloud storage!

Signs Your M365 Account Is Being Targeted

Small businesses need to be aware of the warning signs:

  • Multiple failed login attempts from different locations – If you notice login attempts from various geographic regions where you don’t operate, that’s a red flag.
  • Unusual login patterns – If users report login notifications from unfamiliar places, an attacker may be testing passwords.
  • Unexpected account lockouts – Some users may experience account lockouts due to repeated failed attempts.
  • Access attempts during odd hours – Attackers often work during non-business hours to avoid detection.

Monitoring for signs such as these is critical to keeping your M365 environment secure.
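To make the warning signs above concrete, here is an added detection example (not code from the original post or from vmhosts) that runs over a constructed set of sign-in events shaped like an M365 sign-in export. It flags a source IP when its failed sign-ins are spread across several accounts with only a few attempts each (the pattern that stays under a per-account lockout threshold), and notes whether a legacy protocol was used and whether a later success from the same IP followed. The field names, thresholds and the legacy client labels are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs), loosely modelled on the
# fields of an M365 sign-in export: time, user, source IP, result, client app.
SAMPLE_EVENTS = [
    ("2025-03-10T02:01:00", "alice@example.com", "203.0.113.7", "Failure", "IMAP"),
    ("2025-03-10T02:01:20", "bob@example.com", "203.0.113.7", "Failure", "IMAP"),
    ("2025-03-10T02:01:40", "carol@example.com", "203.0.113.7", "Failure", "IMAP"),
    ("2025-03-10T02:02:00", "dave@example.com", "203.0.113.7", "Failure", "IMAP"),
    ("2025-03-10T02:02:20", "erin@example.com", "203.0.113.7", "Success", "IMAP"),
    ("2025-03-10T09:15:00", "alice@example.com", "198.51.100.4", "Failure", "Browser"),
    ("2025-03-10T09:15:30", "alice@example.com", "198.51.100.4", "Failure", "Browser"),
    ("2025-03-10T09:16:00", "alice@example.com", "198.51.100.4", "Success", "Browser"),
]

# Assumed client-app labels for legacy (non-MFA-capable) protocols.
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP"}

def detect_spray(events, window=timedelta(minutes=30), min_accounts=3, lockout_threshold=10):
    """Flag source IPs whose failed sign-ins spread across many accounts with
    only a few attempts per account inside `window` - the spray pattern that
    stays under a per-account lockout threshold. Returns one dict per IP."""
    by_ip = defaultdict(list)
    for ts, user, ip, result, client in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result, client))
    findings = []
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [r for r in rows if r[2] == "Failure"]
        if not failures:
            continue
        # Largest set of distinct accounts that failed from this IP in any window.
        best = set()
        for i, (start, _, _, _) in enumerate(failures):
            users = {u for t, u, _, _ in failures[i:] if t - start <= window}
            if len(users) > len(best):
                best = users
        per_user = Counter(u for _, u, _, _ in failures)
        if len(best) >= min_accounts and max(per_user.values()) < lockout_threshold:
            findings.append({
                "ip": ip,
                "accounts_targeted": len(best),
                "max_failures_per_account": max(per_user.values()),
                # Legacy protocols sidestep MFA, so note when the spray used one.
                "legacy_auth": any(c in LEGACY_CLIENTS for _, _, _, c in failures),
                # A success from the same IP after the failures means one guess landed.
                "later_success": any(r[2] == "Success" and r[0] > failures[0][0] for r in rows),
            })
    return findings
```

In the sample, the 02:00 burst over IMAP is flagged (four accounts, one failure each, followed by a success), while the single user's two daytime failures from a browser are not.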

How To Protect Against Password Spray Attacks?

Because of the way password spray attacks work, there are certain key methods to protect against them:

  • Enforce strong password policies – by avoiding weak passwords you mitigate one of the vectors in this type of attack. Combined with MFA, you have a great base level of security.
  • Leverage M365 features – Conditional Access lets you set rules that help mitigate attacks and ensure only valid logins succeed.
  • Smart Lockout policies – allow you to block suspicious locations and IPs.
  • Risk-based authentication – detects risky logins and prompts for further verification.
  • Remove legacy authentication – if you don’t need POP3 and IMAP, disable them!
  • Educate employees – the people on the front line are the first line of defence!

👉 Contact Us if you want a free M365 security health check!
