Botnet Hits Microsoft 365: The Need for Backup & Recovery
Introduction
A recent report by SecurityScorecard has uncovered a massive botnet-driven cyberattack targeting Microsoft 365 (M365) accounts. With over 130,000 compromised devices, this botnet is executing large-scale password spraying attacks, focusing primarily on organizations in Western countries. The attack highlights the urgent need for strong identity protection and robust backup and recovery strategies for Microsoft 365 and Microsoft Entra ID (formerly Azure AD).
Massive botnet is targeting Microsoft 365 accounts across the world
"Hackers, possibly of Chinese affiliation, are targeting organizations in the west with a large-scale password spraying attack, experts have claimed."
"A report from cybersecurity researchers SecurityScorecard says businesses relying on Microsoft 365 office software for email, document storage, and collaboration, are at particular risk."
The botnet employs non-interactive sign-ins, a method typically used for service-to-service authentication, which does not trigger multi-factor authentication (MFA) challenges or other login security alerts.
How This Botnet Bypasses Security Defenses
Cybercriminals are using non-interactive sign-ins, an authentication method designed for service-to-service connections, to avoid triggering traditional security alerts and MFA challenges. This method enables attackers to evade access policies and compromise accounts without detection.
“However, this campaign specifically targets Non-Interactive Sign-Ins, used for service-to-service authentication, which do not always generate security alerts. This enables attackers to operate without triggering MFA defenses or Conditional Access Policies (CAP), even in highly secured environments.”
Given that Microsoft Entra ID is the backbone of identity management for M365, these attacks underscore the critical need for identity security enhancements. More importantly, organizations must implement strong backup and recovery solutions to protect emails, files, and accounts from being lost or manipulated due to unauthorized access.
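The spraying pattern described above leaves a footprint in the Entra ID non-interactive sign-in log even when no MFA prompt or alert fires: one source IP failing against many distinct accounts in a short window, followed by a success. The following detection logic is an added example, not code from SecurityScorecard or the original post; it runs over constructed sample records that assume the Microsoft Graph sign-in log field names (createdDateTime, userPrincipalName, ipAddress, isInteractive, status.errorCode).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID sign-in log entries
# (subset of fields). isInteractive false = non-interactive sign-in;
# status.errorCode 50126 = invalid username or password, 0 = success.
SAMPLE_LOG = """
{"createdDateTime":"2025-03-01T02:00:05Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:03:11Z","userPrincipalName":"b.ortiz@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:05:00Z","userPrincipalName":"f.ross@example.com","ipAddress":"198.51.100.7","isInteractive":true,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:06:42Z","userPrincipalName":"c.wang@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:09:58Z","userPrincipalName":"d.patel@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:12:30Z","userPrincipalName":"E.Kim@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:40:00Z","userPrincipalName":"e.kim@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-03-01T08:00:00Z","userPrincipalName":"g.hall@example.com","ipAddress":"192.0.2.5","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T08:01:00Z","userPrincipalName":"g.hall@example.com","ipAddress":"192.0.2.5","isInteractive":false,"status":{"errorCode":50126}}
"""

def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_spray(records, min_users=5, window=timedelta(minutes=30)):
    """Map source IP -> sorted distinct accounts for IPs whose failed
    non-interactive sign-ins hit at least min_users accounts within window.
    Spraying is few passwords across many users, so the count of distinct
    targets per source (not failures per user) is the signal."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("isInteractive") or r["status"]["errorCode"] == 0:
            continue  # only failed non-interactive attempts feed the spray check
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        by_ip[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def successes_from_spray_ips(records, hits):
    """Accounts with a successful non-interactive sign-in from a spraying IP:
    the likely-compromised set to reset, revoke sessions for, and investigate."""
    return sorted({r["userPrincipalName"].lower() for r in records
                   if r["ipAddress"] in hits and r["status"]["errorCode"] == 0
                   and not r.get("isInteractive")})
```

Per-user lockout counters miss this pattern by design, which is why the grouping is by source IP over a time window rather than by account.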
Who's Behind the Attack?
The infrastructure behind this botnet has been traced to CDS Global Cloud and UCLOUD HK, cloud service providers with operational links to China. Additional command-and-control servers have been found on SharkTech, a U.S.-based hosting provider previously associated with malicious activity. While attribution remains speculative, these findings suggest potential state-affiliated cybercriminal involvement.
How to Strengthen Your Microsoft 365 and Entra ID Security
To protect against botnet attacks, organizations must adopt a zero-trust approach, implement proactive security measures, and ensure robust backup and recovery strategies.
1. Enable Continuous Backup for Microsoft 365
Use third-party backup solutions like Veeam for Microsoft 365 to create immutable backups of Exchange Online, SharePoint, Teams, and OneDrive.
Ensure retention policies align with compliance regulations to facilitate quick data recovery in case of an attack.
Regularly test backups to verify data integrity and accessibility.
2. Protect Microsoft Entra ID Against Credential Theft
Enforce strong Conditional Access policies to limit access based on risk signals (e.g., device location, login behavior).
Implement Privileged Identity Management (PIM) to limit administrator access to just-in-time (JIT) permissions.
Back up Entra ID configurations and logs to recover identity settings in case of unauthorized changes.
3. Rotate Credentials and Monitor for Leaked Data
Regularly rotate passwords for high-risk accounts and enforce passwordless authentication where possible.
Use Microsoft Defender for Identity to monitor for credential leaks on dark web marketplaces.
Enable password protection policies to block commonly used and weak passwords.
4. Disable Legacy Authentication Protocols
Disable Basic Authentication for Exchange Online and legacy apps to prevent credential-based attacks.
Require OAuth-based authentication for all third-party apps accessing Microsoft 365.
Use Modern Authentication protocols (e.g., SAML, OAuth2) to enhance login security.
5. Implement Multi-Layered Disaster Recovery
Deploy geo-redundant backup storage to protect against localized outages.
Regularly conduct recovery drills to validate data restoration processes.
Use Microsoft’s Compliance Center to monitor and enforce data security policies.
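Steps 2 and 4 above depend on Conditional Access policies that actually enforce: a legacy-auth block left in report-only mode, scoped to a subset of users, or missing a client type is a gap the sign-in logs will show only after the fact. The audit below is an added example, not code from the original post; it assumes policy objects in the shape returned by the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls) and uses constructed sample policies.

```python
# Constructed policies shaped like Microsoft Graph conditionalAccessPolicy
# objects (subset of fields). In Conditional Access, clientAppTypes
# "exchangeActiveSync" and "other" are the legacy (Basic Auth) client categories.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

POLICIES = [
    {"displayName": "Block legacy auth",
     "state": "enabledForReportingButNotEnforced",  # report-only: logs, does not block
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def blocked_legacy_types(policy):
    """Legacy client types this policy actually blocks for all users and apps.
    Anything report-only, disabled, scoped, or non-blocking counts for nothing."""
    c, g = policy["conditions"], policy.get("grantControls") or {}
    if policy["state"] != "enabled":
        return set()
    if c["users"].get("includeUsers") != ["All"]:
        return set()
    if c["applications"].get("includeApplications") != ["All"]:
        return set()
    if "block" not in g.get("builtInControls", []):
        return set()
    types = set(c.get("clientAppTypes", []))
    return set(LEGACY_CLIENT_TYPES) if "all" in types else types & LEGACY_CLIENT_TYPES

def legacy_auth_gaps(policies):
    """Summarise the policy set: legacy types still allowed, blocking policies
    stuck in report-only mode, and users excluded from blocking policies."""
    covered, report_only, excluded = set(), [], set()
    for p in policies:
        covered |= blocked_legacy_types(p)
        wants_block = "block" in (p.get("grantControls") or {}).get("builtInControls", [])
        if wants_block and p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
        if wants_block:
            excluded |= set(p["conditions"]["users"].get("excludeUsers", []))
    return {"uncovered": sorted(LEGACY_CLIENT_TYPES - covered),
            "report_only": report_only, "excluded_users": sorted(excluded)}
```

Excluded users (typically emergency-access accounts) are reported rather than flagged as errors, since they are expected; review that the list contains only those accounts.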
Final Thoughts
This botnet-driven attack underscores the importance of proactive identity security and data resilience in Microsoft 365. Microsoft Entra ID is at the heart of authentication, and securing it is crucial to preventing account takeovers and unauthorized access.
However, even with strong authentication and monitoring, attackers can still breach accounts, which is why having a reliable backup and recovery strategy is just as important as preventing the initial attack.
Organizations that fail to secure Entra ID and back up Microsoft 365 data risk losing control over critical business operations and becoming vulnerable to ransomware, insider threats, or credential-based attacks.