Attackers Don’t Hack In—They Log In: The MFA Blind Spot

March 4, 2025
Lucie Cardiet
Product Marketing Manager

High-profile campaigns, such as the massive botnets targeting Microsoft 365 and the Mango Sandstorm attack, demonstrate the scale and sophistication of modern credential-based threats. These incidents highlight how attackers are no longer relying on brute-force hacking but are instead orchestrating coordinated efforts that exploit stolen credentials to gain access.

A notable trend is the use of noninteractive sign-ins to bypass conventional security alerts. By targeting automated authentication processes, commonly used for service accounts, attackers can avoid the triggers set off by multifactor authentication and conditional access policies. This subtle method permits unauthorized access without the usual red flags that alert security teams.

Anatomy of a Mango Sandstorm attack

Attackers are increasingly using compromised devices to perform these noninteractive logins. The distributed nature of large botnets enables threat actors to conduct high-volume password spraying attacks, where each compromised device plays a role in testing stolen credentials. This strategy minimizes detection risk and challenges traditional security controls due to the sheer volume of login attempts.

Furthermore, insights into the infrastructure reveal that robust command-and-control setups, often leveraging globally distributed networks like U.S.-based C2 servers, are central to these operations. This enhances attackers’ operational resilience and emphasizes the need to monitor both authentication pathways and the underlying infrastructure supporting these stealthy attacks.

Why traditional authentication protections are insufficient

Passwords remain a common entry point for attackers, yet the mechanisms designed to protect them can be outsmarted when they operate in unexpected ways. Attackers now exploit noninteractive sign-ins—automated authentication processes used for service accounts—to bypass traditional multifactor authentication controls. This method enables malicious activity to continue under the radar, even in systems that appear secure.

To counter these emerging vulnerabilities, it’s essential to understand how password spraying techniques have evolved, why focusing solely on interactive login protection is insufficient, and what technical measures can secure every facet of identity authentication.

The vulnerabilities of MFA in noninteractive environments

Gaps in MFA effectiveness

Multifactor authentication (MFA) is highly effective for securing interactive logins, where users actively enter credentials and pass additional verification steps. However, MFA falls short when it comes to noninteractive, service-to-service authentication.

Legacy protocols, like Basic Authentication, remain particularly vulnerable in this context, as they often do not support or trigger MFA challenges. This creates a significant gap in environments that may otherwise appear secure, allowing automated processes and service accounts to operate with minimal oversight.

Consequences of overlooked sign-ins

The risks associated with noninteractive sign-ins extend beyond mere unauthorized access. Once attackers gain entry, they can move laterally within the network, steal credentials, and maintain a persistent presence without detection. These breaches often go unnoticed because they bypass traditional alerts designed for interactive sessions.

Recent industry examples, such as the massive Microsoft 365 botnet attack, underscore the inadequacy of relying solely on preventative measures.

Instead, a comprehensive approach that includes robust monitoring and detection of all authentication pathways is essential to mitigate these evolving threats.

Strengthening identity security with a hybrid detection & response approach

A robust hybrid identity Detection & Response strategy blends preventative controls with proactive monitoring. By continuously reviewing noninteractive sign-in logs, regularly rotating credentials, and disabling vulnerable legacy protocols, organizations can establish multiple layers of defense. This approach not only blocks unauthorized access attempts but also ensures real-time detection and response to anomalies, securing every authentication pathway.
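The review of noninteractive sign-in logs recommended here, and the distributed password spraying described earlier in the post, can be turned into concrete detection logic. The script below is an added example, not Vectra's code or part of the original post. It runs over a constructed set of sign-in records whose field names are an assumption modelled loosely on the Microsoft Graph signIn resource (userPrincipalName, ipAddress, isInteractive, clientAppUsed, authenticationRequirement, status.errorCode); the LEGACY_CLIENTS set, the thresholds and every record are likewise assumptions for illustration. It flags a spray by counting distinct failing accounts and distinct source IPs per window (per-account lockout counters never trip when each account gets one guess), then ranks successful single-factor noninteractive sign-ins, raising severity when the source IP also took part in the spray or the client is a legacy protocol that cannot present an MFA challenge.

```python
"""Triage of noninteractive sign-in records (added example, not Vectra's code).

Field names are an assumption modelled loosely on the Microsoft Graph signIn
resource; every record and threshold below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: client names that indicate legacy/basic authentication, which
# never raises an MFA challenge.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def rec(ts, upn, ip, interactive, client, auth_req, code):
    """Build one constructed sign-in record in the assumed schema."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "clientAppUsed": client,
            "authenticationRequirement": auth_req, "status": {"errorCode": code}}


SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"
# Constructed sample: one guess per account from a handful of botnet IPs (each
# IP stays far below any per-account lockout), then one success over IMAP4
# with no MFA, plus benign traffic that must not be flagged.
SAMPLE_SIGNINS = [
    rec("2025-03-04T02:00:00Z", "alice@example.com", "203.0.113.10", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:03:00Z", "bob@example.com",   "203.0.113.11", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:07:00Z", "carol@example.com", "203.0.113.12", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:11:00Z", "dave@example.com",  "203.0.113.13", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:15:00Z", "erin@example.com",  "203.0.113.10", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:19:00Z", "frank@example.com", "203.0.113.11", False, "IMAP4", SF, 50126),
    rec("2025-03-04T02:24:00Z", "dave@example.com",  "203.0.113.12", False, "IMAP4", SF, 0),
    rec("2025-03-04T02:25:00Z", "svc-backup@example.com", "198.51.100.5", False,
        "Mobile Apps and Desktop clients", SF, 0),
    rec("2025-03-04T02:26:00Z", "grace@example.com", "198.51.100.7", True, "Browser", MF, 0),
    rec("2025-03-04T02:27:00Z", "grace@example.com", "198.51.100.7", True, "Browser", MF, 50126),
]


def _ts(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_password_spray(records, window=timedelta(minutes=30), min_users=5, min_ips=3):
    """Count distinct failing accounts and distinct source IPs per time window
    across noninteractive sign-ins; a spray spreads one guess per account over
    many IPs, so per-account counters stay quiet while these two counts jump."""
    buckets = defaultdict(list)
    secs = window.total_seconds()
    for r in records:
        if not r["isInteractive"] and r["status"]["errorCode"] != 0:
            buckets[int(_ts(r).timestamp() // secs)].append(r)
    findings = []
    for key in sorted(buckets):
        users = {r["userPrincipalName"] for r in buckets[key]}
        ips = {r["ipAddress"] for r in buckets[key]}
        if len(users) >= min_users and len(ips) >= min_ips:
            start = datetime.fromtimestamp(key * secs, tz=timezone.utc)
            findings.append({"window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "distinct_users": len(users), "source_ips": sorted(ips)})
    return findings


def detect_unchallenged_success(records, spray_ips=frozenset()):
    """Successful noninteractive sign-ins that satisfied only a single factor.
    A source IP seen in a spray, or a legacy client, raises severity: that is
    the 'they log in' moment rather than a break-in."""
    hits = []
    for r in records:
        if r["isInteractive"] or r["status"]["errorCode"] != 0:
            continue
        if r["authenticationRequirement"] != SF:
            continue
        reasons = []
        if r["ipAddress"] in spray_ips:
            reasons.append("source IP seen in password spray")
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            reasons.append("legacy protocol, no MFA challenge possible")
        hits.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                     "client": r["clientAppUsed"],
                     "severity": "high" if reasons else "medium", "reasons": reasons})
    return sorted(hits, key=lambda h: h["severity"] != "high")  # high first


def triage(records):
    """Run both detections; spray source IPs feed the success ranking."""
    sprays = detect_password_spray(records)
    spray_ips = {ip for f in sprays for ip in f["source_ips"]}
    return {"sprays": sprays, "unchallenged": detect_unchallenged_success(records, spray_ips)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

On the sample, the six failures from four IPs inside one 30-minute window produce a single spray finding, and the later IMAP4 success for dave from one of those IPs is ranked high with two reasons, while the service account's single-factor success from an unrelated IP is reported at medium severity for review. The interactive browser failure is ignored because the spray logic looks only at noninteractive sign-ins; a fixed window keyed on the epoch is used for simplicity, and a production version would use a sliding window and feed the same counts to the alerting pipeline.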

Bridging the detection gap with AI

Advanced AI-driven analytics play a critical role in capturing subtle irregularities that traditional security tools often miss. Our recent ebook, Close Microsoft Threat Detection, Investigation and Response Gaps With Vectra AI, illustrates how real-world attack simulations reveal attackers simply logging in with stolen credentials instead of "hacking in."

These simulations highlight the risks posed by noninteractive sign-ins—where lateral movement, credential theft, and undetected breaches occur. The insights underscore that without continuous monitoring and threat intelligence, organizations remain vulnerable despite robust MFA for interactive logins.

Closing the gaps with the Vectra AI Platform

The Vectra AI Platform is purpose-built to mitigate vulnerabilities by uniting AI-powered detection with proactive threat hunting. It continuously monitors authentication logs, pinpointing subtle anomalies and triggering real-time alerts that empower security teams to intervene before lateral movement or credential misuse escalates. Even environments fortified with MFA for interactive sessions can remain exposed through service account vulnerabilities.

For instance, in a Midnight Blizzard attack scenario, as illustrated in the graph below, Vectra detects malicious behavior at each stage of the kill chain, from password spraying with compromised credentials to unauthorized privilege escalation. Vectra is also closely monitoring and continuously innovating to stay ahead of these evolving attacker techniques in noninteractive sign-ins.

Anatomy of a Midnight Blizzard attack

Closing the loop on vulnerabilities

Attackers are exploiting noninteractive sign-ins to bypass conventional defenses, leaving many systems vulnerable despite MFA. Adopting a hybrid Detection & Response strategy that leverages advanced analytics and proactive threat hunting is crucial to secure every authentication channel.

Discover how the Vectra AI Platform can fortify your defenses. Schedule a demo today to learn more about Vectra AI’s comprehensive protection.
