Microsoft warns of an increase in password spraying attacks

Pierluigi Paganini November 01, 2021

The Microsoft Detection and Response Team (DART) warns of a rise in password spray attacks targeting valuable cloud accounts.

The Microsoft Detection and Response Team (DART) observed a worrisome rise in password spray attacks targeting privileged cloud accounts.

Password spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.

Password spray methods ordinary used by attackers could be:

  • Low and slow: Attackers employ a large number of individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.
  • Availability and reuse: Attackers can use data from past data breaches to carry out “credential stuffing” attacks relying on the bad habit of people of reusing passwords and usernames across multiple sites.

Microsoft DART researchers warn of attacks against specific cloud administrator accounts, for this reason, they highlight the importance of assessing and protecting the users with the below permissions:

  • Security administrator
  • Exchange service administrator
  • Global administrator
  • Conditional Access administrator
  • SharePoint administrator
  • Helpdesk administrator
  • Billing administrator
  • User administrator
  • Authentication administrator
  • Company administrator

“It’s important to understand the targets of the password spray to correctly determine the scope of the potential compromise. Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start.” states Microsoft DART’s report.

Tools like the Microsoft Cloud App Security portal are very useful to check for suspicious activity, some specific alerts can allow detecting password spray attacks. Below a list of alerts to check recommended by Microsoft:

  • Activity from anonymous IP address.
  • Activity from infrequent country.
  • Activity from suspicious IP address.
  • Impossible travel.

“In addition to privileged accounts such as these, identities with a high profile (such as C-level executives), or identities with access to sensitive data are also popular targets. It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts. Be sure to apply protection in a democratic way to avoid creating weak spots in configuration.” continues Microsoft.

A best practice to prevent these attacks is to enforce multi-factor authentication (MFA) across all accounts.

In January, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) recently uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.

Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.

“DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” reads the post published by Microsoft. “Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks.”

Microsoft provides the following mitigations to prevent password spray attacks:

  • Brute force preventation should be on both field, i.e., Username and Password.
  • Set account lockout policies after a certain number of failed login attempts to prevent credentials from being guessed. Implement CAPTCHA, if lockout is not a viable option.
  • The admin managed application should force users to change their password on first login with default password.
  • Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, password spraying)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment