
Hackers actively exploiting Microsoft 365 flaw to bypass MFA, security researchers warn

Marijan Hassan - Tech Journalist

Security researchers have uncovered a large password-spraying campaign that abuses a weakness in how Microsoft 365 handles legacy (basic) authentication, leaving multi-factor authentication (MFA) ineffective for the targeted sign-ins. According to a new report by SecurityScorecard, the campaign is run from a botnet of roughly 130,000 compromised devices and sidesteps MFA enforcement by using non-interactive sign-ins.



How the attack works

The attackers use non-interactive sign-ins: authentications performed by a client application or service on the user's behalf, with no user present at a prompt. Because the legacy protocols these clients speak have no way to surface an MFA challenge, a valid username and password is enough to get in, and the attempt never appears in the interactive sign-in logs most teams watch. The campaign specifically targets basic authentication, an outdated scheme in which the client sends the username and password with every request (base64-encoded, not encrypted by the scheme itself) and which cannot carry a second factor at all.


SecurityScorecard's STRIKE team first detected the campaign after identifying a surge of failed sign-in attempts in non-interactive sign-in logs within a Microsoft 365 tenant. Upon investigation, the team traced the attack infrastructure to multiple recurring IP addresses, including six linked to servers hosted by SharkTech, a US-based provider known for hosting malicious activities. Additional proxy servers were traced to hosting providers with ties to China.


A four-hour snapshot of network activity showed C2 (command and control) servers communicating with more than 130,000 compromised devices. The botnet used credentials harvested from infostealer logs to run a large password-spraying campaign: instead of hammering one account with many passwords, it tries one or a few passwords against a large number of Microsoft 365 accounts. Each account sees only a handful of failures, which stays under per-account lockout thresholds, while the attacker still covers enough accounts to make a hit likely.


Critical blind spot for security teams

A key concern raised in the report is that many organizations simply cannot see these attacks. Failed non-interactive sign-ins over basic authentication are logged separately from interactive sign-ins and rarely generate alerts, so an attacker can run high-volume password spraying without tripping any detection. The report adds that the attempts can also get past Conditional Access policies (CAPs): Conditional Access can block legacy authentication clients outright, but policies that only target browser and modern-client sign-ins leave basic-auth traffic unevaluated, adding another layer of stealth to the operation.
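The spraying pattern described above (few failures per account, many accounts per source) and the blind spot it exploits (only the non-interactive log shows it) can be turned into a concrete detection. The following is an added example, not code from SecurityScorecard's report or from Microsoft. It uses the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `isInteractive`, `status.errorCode`) as they appear in an Entra ID sign-in log export; the events, IP addresses, user names and thresholds are constructed for illustration.

```python
"""Password-spray detection over Entra ID non-interactive sign-in events.

Added example, not code from the SecurityScorecard report. Field names follow
the Microsoft Graph `signIn` resource (the same fields appear in the sign-in
log export); the events, IP addresses and user names below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# `clientAppUsed` values that only speak legacy (basic) authentication and so
# can never be challenged for MFA.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
}
ERR_BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password
ERR_SUCCESS = 0


def event(ts, user, ip, client, code, interactive=False):
    """Build one sign-in record in the shape of the Graph `signIn` resource."""
    return {
        "createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
        "clientAppUsed": client, "isInteractive": interactive,
        "status": {"errorCode": code},
    }


# Constructed sample: one source sprays six accounts over IMAP4, one password
# each (never enough to lock anyone out), and later succeeds against one of
# them. A second source makes only two attempts. A browser failure is included
# to show that interactive events are deliberately left out of this analysis.
SAMPLE_EVENTS = [
    event(f"2025-02-20T03:{i:02d}:05Z", f"{u}@example.com", "203.0.113.7", "IMAP4", ERR_BAD_PASSWORD)
    for i, u in enumerate(("alice", "bob", "carol", "dana", "erin", "frank"))
] + [
    event("2025-02-20T03:14:30Z", "dana@example.com", "203.0.113.7", "IMAP4", ERR_SUCCESS),
    event("2025-02-20T03:02:00Z", "gina@example.com", "198.51.100.4", "Authenticated SMTP", ERR_BAD_PASSWORD),
    event("2025-02-20T03:03:00Z", "hank@example.com", "198.51.100.4", "Authenticated SMTP", ERR_BAD_PASSWORD),
    event("2025-02-20T03:05:00Z", "ivan@example.com", "203.0.113.7", "Browser", ERR_BAD_PASSWORD, interactive=True),
]


def _ts(e):
    return datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_noninteractive(events):
    """Only non-interactive sign-ins made through a legacy-auth client."""
    return [e for e in events
            if not e.get("isInteractive", True) and e.get("clientAppUsed") in LEGACY_CLIENTS]


def detect_spray(events, min_users=5, window=timedelta(hours=1)):
    """Return {ip: sorted distinct users} for every source IP whose failed
    legacy sign-ins touched at least `min_users` distinct accounts within `window`.

    Counting distinct users per IP rather than attempts per user is what makes
    a low-and-slow spray visible: each account sees one or two failures, which
    never trips lockout, but the source fans out across the tenant."""
    by_ip = defaultdict(list)
    for e in legacy_noninteractive(events):
        if e["status"]["errorCode"] == ERR_BAD_PASSWORD:
            by_ip[e["ipAddress"]].append((_ts(e), e["userPrincipalName"].lower()))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding time window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits


def accounts_to_rotate(events, spray_ips):
    """Accounts with a successful legacy non-interactive sign-in from a spraying IP:
    these are the credentials to rotate (and whose sessions to revoke) first."""
    return sorted({
        e["userPrincipalName"].lower() for e in legacy_noninteractive(events)
        if e["ipAddress"] in spray_ips and e["status"]["errorCode"] == ERR_SUCCESS
    })


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_EVENTS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts -> {', '.join(users)}")
    print("rotate:", accounts_to_rotate(SAMPLE_EVENTS, sprays))
```

Run against a real export, the same logic applies unchanged to the JSON returned by the Graph sign-in endpoint; the threshold of five accounts per hour is a starting point, and the success-after-failures check in `accounts_to_rotate` is the one that separates a noisy spray from an actual compromise.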


Ongoing threat and Microsoft’s response

SecurityScorecard emphasized that this tactic represents a "widespread and ongoing threat" affecting multiple Microsoft 365 tenants. Organizations that monitor only interactive sign-ins will not see these intrusions at all. Microsoft is retiring basic authentication in stages, with full retirement expected in September 2025, but until then tenants that still have it enabled remain exposed.


Mitigation strategies

To protect against this emerging threat, security teams should take the following steps immediately:

  • Review the non-interactive sign-in logs, not just the interactive ones, for clusters of failures across many accounts from the same source IPs, and for any successful sign-in that follows such a cluster.

  • Rotate credentials, and revoke existing sessions and refresh tokens, for every account that appears in those attempts.

  • Disable basic authentication and the other legacy authentication protocols (SMTP AUTH, IMAP, POP3, Exchange ActiveSync, EWS) tenant-wide, not just per user.

  • Monitor for stolen credentials linked to the organization in infostealer logs, since those are what feed the spray.

  • Implement Conditional Access policies (CAPs) that explicitly block legacy authentication clients for all users, so that non-interactive sign-ins over basic auth are evaluated and denied rather than silently allowed.
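The last item is where tenants most often think they are covered but are not: a policy that is report-only, that names only one of the two legacy client types, or that carves out a group leaves a path open. The following is an added example, not code from the report or from Microsoft, that audits policy objects in the shape returned by the Microsoft Graph `conditionalAccessPolicies` endpoint. Both policies below are constructed (only the fields the audit reads are included, and the exclusion identifiers are placeholders); the rule that a single excluded break-glass user is tolerated while excluded groups are flagged is this example's own assumption.

```python
"""Audit Conditional Access policies for a complete legacy-authentication block.

Added example, not code from the report or from Microsoft. The two policies
below are constructed in the shape returned by the Microsoft Graph
`conditionalAccessPolicies` endpoint; only the fields the audit reads are
included, and the user/group identifiers are placeholders.
"""

# Graph `clientAppTypes` values that cover legacy authentication. A policy that
# names only one of them leaves the other path open.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# The weak setting: report-only, one client type, an excluded group, and an
# MFA requirement instead of an explicit block.
WEAK_POLICY = {
    "displayName": "Block EAS (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync"],  # misses "other": IMAP, POP, SMTP AUTH, EWS...
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["sales-pilot"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# The corrected setting: enforced, both legacy client types, all apps, all
# users (one break-glass account excluded), explicit block.
HARDENED_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-placeholder"], "excludeGroups": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_findings(p):
    """Return the reasons this policy does not, on its own, block all legacy auth.
    An empty list means the policy is a complete block."""
    findings = []
    c = p.get("conditions", {})
    if p.get("state") != "enabled":
        findings.append(f"state is {p.get('state')!r}, not 'enabled'")
    missing = LEGACY_CLIENT_TYPES - set(c.get("clientAppTypes", []))
    if missing:
        findings.append(f"clientAppTypes missing {sorted(missing)}")
    if "All" not in c.get("applications", {}).get("includeApplications", []):
        findings.append("not scoped to all cloud apps")
    users = c.get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("not scoped to all users")
    if users.get("excludeGroups"):  # example's assumption: group exclusions are a gap
        findings.append(f"excluded groups: {users['excludeGroups']}")
    controls = p.get("grantControls") or {}
    if "block" not in controls.get("builtInControls", []):
        findings.append("grant control is not an explicit 'block'")
    return findings


def legacy_auth_blocked(policies):
    """True if at least one policy in the tenant blocks legacy auth completely."""
    return any(not policy_findings(p) for p in policies)


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], "->", policy_findings(p) or "OK")
    print("legacy auth blocked:", legacy_auth_blocked([WEAK_POLICY, HARDENED_POLICY]))
```

Feeding the function the policy list pulled from Graph gives a per-policy list of gaps; the tenant is covered only when at least one policy comes back with no findings, since a partial block in one policy is not completed by a different partial block in another.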


As attackers keep adapting their tactics, organizations must keep pace by modernizing authentication and tightening access controls. Until Microsoft fully phases out basic authentication, any tenant that still allows it is exposed to attacks that sidestep MFA entirely, however strong the second factor.
