Password Spraying - Low-and-Slow Account Attacks
A password spraying attack is a technique in which commonly used passwords such as "123456" or "Password1" are tried against a large number of accounts, a few attempts at a time. By limiting the number of attempts against any single account, it avoids account lockout and becomes harder to detect. It is frequently observed in attacks against Microsoft 365 and Azure AD (now Entra ID), and in 2024 password spraying by state-sponsored attack groups was confirmed at several major technology companies.
Real-World Use Cases
"When we analyzed the Azure AD sign-in logs, we detected login attempts using the same password 'Company2024!' against more than 200 accounts. Each account was tried only once and no lockout occurred, so we have determined this to be a password spraying attack."
(Figure: attack pattern diagram)
The Difference from a Brute-Force Attack
Whereas a brute-force attack tries a huge number of passwords against a single account, password spraying tries a single password against many accounts. Brute force is easy to detect and to defend against with account lockout, but because password spraying makes only one or two attempts per account, it never reaches the lockout threshold. It also differs from credential stuffing: rather than replaying a leaked list of username/password pairs, it uses passwords that are statistically common across many users. Introductory books on authentication security (Amazon) provide a systematic way to learn more.
Countermeasures
The most effective defense is to use a long, random password generated by a tool like passtsuku.com, which eliminates the simple passwords that appear in common password lists. At the organizational level, company-wide adoption of multi-factor authentication (MFA) is the decisive countermeasure. Azure AD smart lockout, and detection of anomalous patterns in authentication logs (the same password failing across many accounts in a short period), are also effective. See also the details of password spraying attacks. Books on account protection (Amazon) are also helpful references.
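The log-pattern check described in the countermeasures above, written out as an added example that is not from the original article: it groups sign-in failures by source IP and, within a sliding time window, labels a source as spraying (many distinct accounts, at most one or two tries each), brute force (many tries against one account), or normal. The line format, the thresholds and the sample log are constructed assumptions for this example, not the Azure AD / Entra ID sign-in log schema.

```python
"""Flag password-spraying and brute-force patterns in sign-in failure logs.

Added example for this article. The CSV-like line format used here is a
constructed simplification, not the Azure AD / Entra ID sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample log: "timestamp,user,source_ip,result" -------------
_SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = "\n".join(
    # spraying: one failure per account, 12 accounts, one IP, within 2 minutes
    [f"2024-03-01T09:00:{i * 10:02d}Z,{u}@example.com,203.0.113.10,FAILURE"
     for i, u in enumerate(_SPRAY_USERS[:6])]
    + [f"2024-03-01T09:01:{i * 10:02d}Z,{u}@example.com,203.0.113.10,FAILURE"
       for i, u in enumerate(_SPRAY_USERS[6:])]
    # brute force: six failures against a single account from another IP
    + [f"2024-03-01T09:05:{i * 5:02d}Z,carol@example.com,198.51.100.7,FAILURE"
       for i in range(6)]
    # benign: a user mistypes twice, then signs in
    + ["2024-03-01T09:10:00Z,dave@example.com,192.0.2.5,FAILURE",
       "2024-03-01T09:10:20Z,dave@example.com,192.0.2.5,FAILURE",
       "2024-03-01T09:10:40Z,dave@example.com,192.0.2.5,SUCCESS"]
)


def parse_log(text):
    """Parse constructed log lines into (timestamp, user, source_ip, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, ip, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_accounts=10,
                     max_per_account=2, brute_threshold=5):
    """Return {source_ip: verdict}, verdict in {"spray", "brute_force", "normal"}.

    spray       : some window holds failures for >= min_accounts distinct
                  accounts while no account exceeds max_per_account tries
                  (many accounts, few tries each: stays under lockout)
    brute_force : some window holds >= brute_threshold failures for one account
    Thresholds are assumptions; tune them to the tenant's normal failure rate.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, items in failures.items():
        items.sort()
        counts = defaultdict(int)  # per-account failures inside the window
        left = 0
        verdict = "normal"
        for ts, user in items:
            counts[user] += 1
            # slide the left edge forward until the window is `window` wide
            while ts - items[left][0] > window:
                old_user = items[left][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            peak = max(counts.values())
            if peak >= brute_threshold:
                verdict = "brute_force"
            elif (verdict == "normal" and len(counts) >= min_accounts
                  and peak <= max_per_account):
                verdict = "spray"
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {verdict}")
```

Sign-in logs do not record the password that was tried, so the observable signal is the spread across accounts per source and time window rather than the password itself; a spray distributed over many source IPs would need the same count keyed on the tenant (or on a user-agent or ASN) instead of a single IP.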