{"id":90947,"date":"2020-04-23T09:00:22","date_gmt":"2020-04-23T16:00:22","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90947"},"modified":"2025-06-26T06:16:48","modified_gmt":"2025-06-26T13:16:48","slug":"protecting-organization-password-spray-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/","title":{"rendered":"Protecting your organization against password spray attacks"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursuing a single, high-value target (someone in the C-suite, for example), which is called \u201cspear phishing.\u201d Or, if they just need low-level access to gain a foothold in an organization or do reconnaissance, they target a huge volume of people and spend less time on each one, which is called \u201cpassword spray.\u201d Last December Seema Kathuria and I described an example of the first approach in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/02\/spear-phishing-campaigns-sharper-than-you-think\/\" target=\"_blank\" rel=\"noopener noreferrer\">Spear phishing campaigns\u2014they\u2019re sharper than you think!<\/a> Today, I want to talk about a high-volume tactic: password spray.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a password spray attack, adversaries \u201cspray\u201d passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted. The hacker goes after specific users and cycles through as many passwords as possible using either a full dictionary or one that\u2019s edited to common passwords. 
An even more targeted password guessing attack is when the hacker selects a person and conducts research to see if they can guess the user\u2019s password\u2014discovering family names through social media posts, for example, and then trying those variants against an account to gain access. Password spray is the opposite. Adversaries acquire a list of accounts and attempt to sign in to all of them using a small subset of the most popular, or most likely, passwords until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"three-steps-to-a-successful-password-spray-attack\">Three steps to a successful password spray attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 1: Acquire a list of usernames<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as <strong>firstname.lastname@company.com<\/strong>. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 2: Spray passwords<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year. <strong>123456<\/strong>, <strong>password<\/strong>, and <strong>qwerty<\/strong> are typically near the top. 
<a href=\"https:\/\/en.wikipedia.org\/wiki\/Wikipedia:10,000_most_common_passwords\" target=\"_blank\" rel=\"noopener noreferrer\">Wikipedia lists the top 10,000<\/a> passwords. There are regional differences that may be harder to discover, but many people use a favorite sports team, their state, or their company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"474\" height=\"327\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-EMBED.png\" alt=\"Protecting your organization against password spray attacks\" class=\"wp-image-90948\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-EMBED.png 474w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-EMBED-300x207.png 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 1:&nbsp; Password spray using one password across multiple accounts.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 3: Gain access<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Eventually one of the passwords works against one of the accounts. And that\u2019s what makes password spray a popular tactic\u2014attackers only need one successful password + username combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive. 
Or use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even if the vast majority of your employees don\u2019t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-azure-active-directory-azure-ad-password-protection\">Configure Azure Active Directory (Azure AD) Password Protection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/azure-ad-password-protection-is-now-generally-available\/ba-p\/377487\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Password Protection<\/a> allows you to eliminate easily guessed passwords and customize lockout settings for your environment.&nbsp;This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won\u2019t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user\u2019s password. 
You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"simulate-attacks-with-office-365-advanced-threat-protection-office-365-atp\">Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/attack-simulator?view=o365-worldwide\" target=\"_blank\" rel=\"noopener noreferrer\">Attack Simulator in Office 365 ATP<\/a> lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"begin-your-passwordless-journey\">Begin your passwordless journey<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The best way to reduce your risk of password spray is to <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/go-passwordless-strengthen-security-reduce-costs\/\" target=\"_blank\" rel=\"noopener noreferrer\">eliminate passwords entirely<\/a>. Solutions like <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-identity-verification\" target=\"_blank\" rel=\"noopener noreferrer\">Windows Hello<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-authentication-passwordless\" target=\"_blank\" rel=\"noopener noreferrer\">FIDO2 security keys<\/a> let users sign in using biometrics and\/or a physical key or device. 
Get started by enabling <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity\/mfa\" target=\"_blank\" rel=\"noopener noreferrer\">Multi-Factor Authentication (MFA)<\/a> across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and\/or something they have (such as a trusted device).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Read about <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/azure-ad-password-protection-is-now-generally-available\/ba-p\/377487\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Password Protection<\/a>.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Learn more about <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/attack-simulator?view=o365-worldwide\" target=\"_blank\" rel=\"noopener noreferrer\">Attack Simulator in Office 365 ATP<\/a>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity. For more information about our security solutions <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener noreferrer\">visit our website<\/a>. 
Or reach out to me on&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/dianakelleysecuritycurve\/\" target=\"_blank\" rel=\"noopener noreferrer\">LinkedIn<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/twitter.com\/dianakelley14\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"provide-protection-for-third-party-apps\">Provide protection for third-party apps<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a title=\"Original URL: https:\/\/www.microsoft.com\/en-us\/microsoft-365\/enterprise-mobility-security\/cloud-app-security. Click or tap if you trust this link.\" href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/enterprise-mobility-security\/cloud-app-security\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"Verified\">Microsoft Cloud App Security (MCAS)<\/a> monitors user sessions for third-party cloud apps, including G-Suite, AWS, and Salesforce. The MCAS detection engine looks for anomalous user activity for indicators of compromise. 
One indicator, &#8220;multiple failed login attempts,&#8221; can be used to create a dynamic baseline per user, across the tenant, and alert on anomalous login behavior that may represent an active brute force or password spray attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If your users sign in with guessable passwords, you may be at risk of a password spray attack.<\/p>\n","protected":false},"author":96,"featured_media":90958,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[],"footnotes":""},"post_tag":[3823,3809],"threat-intelligence":[],"content-type":[3662],"job-role":[],"product":[3702,3703],"topic":[3688],"coauthors":[1916],"class_list":["post-90947","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-password-protection","tag-security-strategies","content-type-news","product-microsoft-entra","product-microsoft-entra-id","topic-threat-trends","review-flag-1694638265-576","review-flag-1694638265-83","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-and-o-1694638265-458"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Protecting your organization against password spray attacks | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"If your users sign in with guessable passwords, you may be at risk of a password spray attack.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" 
\/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting your organization against password spray attacks\" \/>\n<meta property=\"og:description\" content=\"If your users sign in with guessable passwords, you may be at risk of a password spray attack.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-23T16:00:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T13:16:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Security Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Protecting your organization against password spray attacks\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Security Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-secure-blog-staff\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Security Team\"}],\"headline\":\"Protecting your organization against password spray attacks\",\"datePublished\":\"2020-04-23T16:00:22+00:00\",\"dateModified\":\"2025-06-26T13:16:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\"},\"wordCount\":1056,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\",\"keywords\":[\"Password protection\",\"Security strategies\"],\"articleSection\":[\"CISO series\",\"Compliance and security\",\"Cybersecurity\",\"Data Privacy\",\"Email security\",\"Identity and access management\",\"Microsoft Authenticator\",\"Mobile security\",\"Network security\",\"Phishing\",\"Security 
strategies\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\",\"name\":\"Protecting your organization against password spray attacks | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\",\"datePublished\":\"2020-04-23T16:00:22+00:00\",\"dateModified\":\"2025-06-26T13:16:48+00:00\",\"description\":\"If your users sign in with guessable passwords, you may be at risk of a password spray 
attack.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Protecting-your-organization-against-password-spray-attacks-NEW_TV.png\",\"width\":1200,\"height\":630,\"caption\":\"Real people, real offices. Female developer coding at her desk.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/23\/protecting-organization-password-spray-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting your organization against password spray attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity 
topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/112e0d6f7a2c99efae36a4a1b2403c2d\",\"name\":\"Teri Seals-Dormer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/c94dbb0d416ec556cf564fa18bc9ac227ba2ce7b653774bdcc4c631f793fd674?s=96&d=microsoft&r=g03d4afda56ae931a7066d88415e8df14\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c94dbb0d416ec556cf564fa18bc9ac227ba2ce7b653774bdcc4c631f793fd674?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c94dbb0d416ec556cf564fa18bc9ac227ba2ce7b653774bdcc4c631f793fd674?s=96&d=microsoft&r=g\",\"caption\":\"Teri 
Seals-Dormer\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/v-teseal\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","bloginabox_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=90947"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90947\/revisions"}],"predecessor-version":[{"id":140524,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90947\/revisions\/140524"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/90958"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=90947"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/post_tag?post=90947"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=90947"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=90947"},{"taxonomy":"job-role","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/job-role?post=90947"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/product?post=90947"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=90947"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=90947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}