New Password Spray Campaign Using Residential Proxies
A stealthy password spray campaign is using Virginia-based residential proxies. Here's what we're seeing and how to block it.
We previously investigated a widespread, stealthy password spray campaign originating from a data center in Mexico. Now we're tracking a newer variant that's even stealthier.
Campaign Snapshot
First observed: May 30, 2025. The malicious login attempts originate from IP clusters in Ashburn, Virginia, within the following ranges:
- 154.206.240.0/20 (AS3257 GTT Communications Inc.)
- 154.208.64.0/21 (AS3257 GTT Communications Inc.)
- 154.208.112.0/21 (AS3257 GTT Communications Inc.)
All requests use an outdated user agent: microsoft office + android 9.0.0 + chrome 110.0.5481.

How to Block these IP Ranges
The recommendation is to block these three ranges explicitly rather than relying on geolocation-based rules, which the Virginia-based addresses would pass.
Quick copy-paste: 154.206.240.0/20,154.208.64.0/21,154.208.112.0/21
The Rise of Residential Proxies
While these IPs aren't flagged as VPNs by most providers, investigation reveals they belong to the SOAX_PROXY network. SOAX aggregates traffic from consumer devices through embedded SDKs, then leases bandwidth to customers. This means:
- Requests appear from residential or mobile ISPs instead of data centers.
- IP reputation appears normal.
- User-agent strings frequently show outdated mobile fingerprints.
Attackers are increasingly using residential proxies to evade detection. This trend stems from massive demand for web scraping to fuel AI models, which has reduced residential proxy costs significantly.
Takeaway: Stealth is the Name of the Game
Residential proxies represent only part of the strategy. This campaign demonstrates careful evasion design:
- Approximately 90% of targeted users experience fewer than 10 attempts monthly.
- Most organizations see light, distributed probing (under 50 total users targeted).
- Individual failures resemble typical typos unless attack patterns are monitored across tenants.
Organizations managing Microsoft 365 environments should block the identified IP ranges and consider adaptive detections to stay ahead of these rapidly evolving attacks.
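As an added example that is not part of the original post, the following script applies both recommendations above to a log extract: it hardcodes the three published ranges and the outdated user agent, flags failed sign-ins that match either, and then summarizes how many distinct users were touched and how many stayed under the low per-user count that makes each failure look like a typo. The log format, field names, and the sample records are constructed for this example; the addresses inside the ranges are arbitrary picks from those CIDRs, not observed indicators.

```python
import ipaddress
from collections import Counter

# Values taken from the post: the three CIDRs to block and the outdated user agent.
CAMPAIGN_RANGES = [ipaddress.ip_network(c) for c in (
    "154.206.240.0/20", "154.208.64.0/21", "154.208.112.0/21")]
CAMPAIGN_UA = "microsoft office + android 9.0.0 + chrome 110.0.5481"

# Constructed sample sign-in records (timestamp|user|source_ip|result|user_agent).
# In-range IPs are arbitrary addresses chosen from the CIDRs above, not real indicators.
SAMPLE_LOG = """\
2025-06-02T03:11:09Z|alice@example.com|154.206.241.17|failure|microsoft office + android 9.0.0 + chrome 110.0.5481
2025-06-02T03:14:52Z|bob@example.com|154.208.70.201|failure|microsoft office + android 9.0.0 + chrome 110.0.5481
2025-06-03T11:40:03Z|carol@example.com|154.208.115.9|failure|microsoft office + android 9.0.0 + chrome 110.0.5481
2025-06-03T11:41:30Z|carol@example.com|198.51.100.23|failure|Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
2025-06-04T08:02:44Z|alice@example.com|203.0.113.5|success|Mozilla/5.0 (Windows NT 10.0) Chrome/125.0
"""

def parse_log(text):
    """Split the pipe-delimited sample into dicts, one per non-empty line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result, ua = line.split("|", 4)
            records.append({"ts": ts, "user": user, "ip": ip, "result": result, "ua": ua})
    return records

def in_campaign_ranges(ip):
    """True when the source address falls inside one of the hardcoded CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPAIGN_RANGES)

def find_spray_activity(records):
    """Return failed sign-ins attributable to the campaign plus a per-user count.
    A record matches on source range OR on the exact outdated user agent, so a
    move to fresh proxy ranges with the same fingerprint is still surfaced."""
    hits = [r for r in records if r["result"] == "failure"
            and (in_campaign_ranges(r["ip"]) or r["ua"] == CAMPAIGN_UA)]
    return hits, Counter(r["user"] for r in hits)

def summarize(per_user, low_and_slow_max=10):
    """Tenant-level view: distinct users touched, and how many stayed under the
    per-user count at which each failure would pass for an ordinary typo."""
    quiet = sum(1 for n in per_user.values() if n < low_and_slow_max)
    return {"users_targeted": len(per_user), "users_under_threshold": quiet}

if __name__ == "__main__":
    hits, per_user = find_spray_activity(parse_log(SAMPLE_LOG))
    print(len(hits), "campaign failures;", summarize(per_user))
```

Run over a real export, the per-user counter is what separates this campaign from a conventional spray: many users each with a handful of failures, all from the same ranges or fingerprint, is the signal, not any single user's count.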
See what's in your last six months of logs.
Run six months of M365 logs through Petra and get insurance-grade forensics within 48 hours. Five minutes to set up with no sales call.