In an era where stolen credentials are traded like currency in criminal markets, cyber attackers are evolving their tactics faster than most organizations can adapt. Microsoft’s Threat Intelligence team has issued a stark warning against a rising tide of password spraying attacks, with a particular spotlight on a sophisticated campaign orchestrated by a threat actor labeled Storm-1977.
The group has been observed targeting cloud tenants, particularly in the education sector, by exploiting neglected and insecure workload identities within containerized environments.
These types of attacks, often described as “spray and pray,” rely on guessing commonly used passwords across many accounts instead of targeting one account with multiple guesses. They are especially potent against accounts without multi-factor authentication (MFA), which remains alarmingly underutilized.
According to Microsoft, the attackers made use of a tool named AzureChecker, which was leveraged to download encrypted target lists. When decrypted, these files revealed usernames and passwords that were then sprayed against login interfaces. The end goal? Unauthorized access, container exploitation, and eventually cryptomining at scale.
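The spray pattern described above (few guesses per account, many accounts from one source) is also what makes it detectable. The following is an added example, not code from the article or from Microsoft: a small Python detector run over a constructed sign-in log. It flags a source IP that fails against at least five distinct accounts inside a ten-minute window with no more than three attempts per account, and lists any successful sign-in from that IP, since that is the account most likely to have been taken over. The log format, thresholds and account names are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry): timestamp, account, source IP, outcome.
# 203.0.113.7 sprays one guess at each of six accounts and lands one success;
# 198.51.100.5 hammers a single account (brute force, not spray);
# 192.0.2.10 is a user mistyping a password twice before logging in.
SAMPLE_SIGNINS = """\
2025-04-01T08:00:01Z alice@example.edu 203.0.113.7 FAILURE
2025-04-01T08:00:09Z bob@example.edu 203.0.113.7 FAILURE
2025-04-01T08:00:17Z carol@example.edu 203.0.113.7 FAILURE
2025-04-01T08:00:25Z dave@example.edu 203.0.113.7 FAILURE
2025-04-01T08:00:33Z erin@example.edu 203.0.113.7 FAILURE
2025-04-01T08:00:41Z svc-backup@example.edu 203.0.113.7 SUCCESS
2025-04-01T08:01:00Z frank@example.edu 203.0.113.7 FAILURE
2025-04-01T09:00:00Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:05Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:10Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:15Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:20Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:25Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:30Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T09:00:35Z carol@example.edu 198.51.100.5 FAILURE
2025-04-01T10:00:00Z dave@example.edu 192.0.2.10 FAILURE
2025-04-01T10:00:20Z dave@example.edu 192.0.2.10 FAILURE
2025-04-01T10:00:40Z dave@example.edu 192.0.2.10 SUCCESS
"""


def parse_signins(text):
    """Parse the whitespace-separated sample format into sorted (timestamp, account, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account.lower(), ip, outcome))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag source IPs whose failures hit many distinct accounts within `window`
    while staying at a few attempts per account (the spray signature).
    Single-account brute force does not match and is left to a lockout rule."""
    failures = defaultdict(list)   # ip -> [(timestamp, account)]
    successes = defaultdict(list)  # ip -> [account]
    for ts, account, ip, outcome in events:
        if outcome == "FAILURE":
            failures[ip].append((ts, account))
        elif outcome == "SUCCESS":
            successes[ip].append(account)

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                prev = alerts.get(ip)
                if prev is None or len(per_account) > prev["accounts"]:
                    alerts[ip] = {
                        "accounts": len(per_account),
                        "failures": sum(per_account.values()),
                        # Any success from a spraying IP is the account to treat as compromised.
                        "successes": sorted(set(successes[ip])),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"spray from {ip}: {info['accounts']} accounts, "
              f"{info['failures']} failures, successes={info['successes']}")
```

The per-account ceiling is what separates spraying from ordinary brute force; tune the window and the account threshold to the tenant's normal failure volume, and feed the `successes` field straight into the incident queue, because a sprayed account that accepted a guess is exactly the guest account the article describes being turned into a resource-group creator.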
A Perfect Storm: Exploiting Dormant Identities in Containerized Infrastructure
The vulnerability at the heart of this campaign lies in dormant workload identities—non-human accounts and credentials used for automated or machine-based operations within cloud infrastructure. Microsoft reports that 51% of such identities had not been used in over a year, making them prime targets for exploitation.
Storm-1977 didn’t stop at access. Once a foothold was gained, the attackers used a compromised guest account to create a new subscription resource group, spawning more than 200 containers dedicated to illicit cryptomining operations.
These containers ran unnoticed until the suspicious activity was flagged by telemetry and behavior analytics.
The malicious workflow, starting with the AzureChecker tool and culminating in full container deployment, showcases a concerning trend: attackers increasingly targeting container-as-a-service (CaaS) environments, where misconfigured interfaces and identity sprawl present a wide attack surface.
Microsoft emphasized that while operational infrastructure and critical systems weren’t compromised, these attacks signal a broader need to address non-traditional identities, such as service accounts, which often lack proper governance and visibility.
The Passwordless Future: A Security Imperative, Not a Luxury
Cybersecurity professionals have long advocated for eliminating passwords altogether—a vision that is slowly materializing with the rise of passkeys, biometric authentication, and hardware tokens. Experts warn that clinging to password-based security, especially without MFA, leaves organizations vulnerable to brute-force and spray-based attacks.
While adoption remains inconsistent, the push toward passwordless architectures is gaining momentum, particularly among developers building custom authentication systems. Brian Pontarelli of FusionAuth noted that while “passkeys are both the most and least understood feature,” their momentum among forward-looking development teams is growing.
Microsoft’s Recommendations: How to Stay Safe from Password Spraying Attacks
In light of the Storm-1977 attack campaign, Microsoft advises organizations, especially those with cloud workloads or Kubernetes environments, to take the following steps:
- Implement strong authentication for all internet-facing interfaces.
- Enable MFA wherever possible, including for service accounts.
- Avoid using unauthenticated endpoints like Kubelet’s read-only port (10255).
- Use role-based access control (RBAC) to restrict privileges strictly to what’s necessary.
- Monitor and audit dormant identities regularly and retire or rotate credentials.
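The last step, auditing dormant identities, is the one that addresses the 51% figure quoted earlier. As an added example that is not part of the article or any Microsoft tooling, the Python below runs that audit over a constructed inventory of workload identities (service principals, managed identities and Kubernetes service accounts): it reports every identity unused for more than a year or never used at all, and ranks those holding broad write or admin roles first, since a dormant high-privilege identity is the worst case for the cleanup queue. The identity names, role names and the `HIGH_PRIVILEGE` set are assumptions for the example.

```python
from datetime import datetime

# Constructed inventory of workload identities; not data from the article.
# `last_used` is the most recent authentication, or None if the identity never signed in.
NOW = datetime(2025, 4, 1)
SAMPLE_IDENTITIES = [
    {"name": "sp-ci-deploy",    "kind": "service-principal",   "last_used": datetime(2025, 3, 28), "roles": ["Contributor"]},
    {"name": "mi-log-shipper",  "kind": "managed-identity",    "last_used": datetime(2025, 3, 30), "roles": ["Reader"]},
    {"name": "sp-legacy-etl",   "kind": "service-principal",   "last_used": datetime(2023, 11, 2), "roles": ["Owner"]},
    {"name": "sa-batch-runner", "kind": "k8s-service-account", "last_used": datetime(2024, 1, 15), "roles": ["cluster-admin"]},
    {"name": "sp-report-gen",   "kind": "service-principal",   "last_used": None,                  "roles": ["Reader"]},
    {"name": "sa-metrics",      "kind": "k8s-service-account", "last_used": datetime(2025, 2, 1),  "roles": ["view"]},
]

# Roles treated as broad write/admin for ranking purposes (assumed list for the example).
HIGH_PRIVILEGE = {"Owner", "Contributor", "cluster-admin", "admin", "edit"}


def idle_days(identity, now):
    """Days since the identity last authenticated; None means it never has."""
    if identity["last_used"] is None:
        return None
    return (now - identity["last_used"]).days


def find_dormant(identities, now, max_idle_days=365):
    """Return identities idle longer than `max_idle_days` (or never used),
    privileged ones first, then longest idle; never-used sorts as oldest."""
    dormant = []
    for ident in identities:
        days = idle_days(ident, now)
        if days is None or days > max_idle_days:
            dormant.append({
                "name": ident["name"],
                "kind": ident["kind"],
                "idle_days": days,
                "roles": ident["roles"],
                "privileged": bool(HIGH_PRIVILEGE & set(ident["roles"])),
            })
    dormant.sort(key=lambda d: (not d["privileged"],
                                -(d["idle_days"] if d["idle_days"] is not None else 10**9)))
    return dormant


def dormant_share(identities, now, max_idle_days=365):
    """Fraction of the inventory that is dormant, comparable to the 51% figure in the article."""
    return len(find_dormant(identities, now, max_idle_days)) / len(identities)


if __name__ == "__main__":
    for d in find_dormant(SAMPLE_IDENTITIES, NOW):
        flag = "PRIVILEGED" if d["privileged"] else "low-priv"
        print(f"{d['name']:16} {d['kind']:20} idle={d['idle_days']} roles={d['roles']} {flag}")
    print(f"dormant share: {dormant_share(SAMPLE_IDENTITIES, NOW):.0%}")
```

In practice the `last_used` field comes from the identity provider's sign-in or credential-usage logs and the role list from the cloud RBAC assignments; the ranking is what turns a long list into an order of work, with rotation or retirement of the privileged dormant entries first.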
Microsoft’s investigation continues, and additional disclosures may follow. Meanwhile, the cybersecurity community views this campaign as a wake-up call—reminding businesses that identity is the new perimeter, and it’s one that can’t be left unattended.