AAD | Password Spray Attack


In this article, I will show how you can run a password spray attack against your own Azure AD tenant, and how to detect it.

Password spray is one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are "low and slow", where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant's view, there are so few login attempts with such poor consistency that the attack is undetectable. A customer might only see one or two failed logins happen from these types of attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking.

To conduct this attack, we will use the MSOLSpray PowerShell tool. It takes a file with one user principal name (e-mail address) per line and tries a single password against every account in the list, which is exactly the "many users, one password" pattern described above. Load the script, then run it against your user list:

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password YourPassword

Replace YourPassword with the one password you want to test (a seasonal password such as Winter2021 is the classic choice); do not loop over several passwords quickly against the same accounts, or you will lock users out and turn the test into a brute-force attempt rather than a spray.

To detect this attack, I invite you to use Azure AD Premium P2 with Azure AD Identity Protection, which ships a "Password spray" risk detection. Without P2, the raw material is still there: the Azure AD sign-in logs record every failed attempt (error code 50126, invalid username or password), and the spray signature is many distinct accounts failing once or twice each, from one IP or spread thinly across many, inside a short window.
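To make that signature concrete, the following is an added example written for this article; it is not code from the original post nor from the MSOLSpray project. It runs the detection logic over a handful of constructed sign-in records (the field names follow the Microsoft Graph signIn resource used by the sign-in log export; the users, IPs and timestamps are made up), and the thresholds are assumptions you should tune to your tenant. It flags two patterns: one source IP hitting many accounts once each (what MSOLSpray produces), and the "low and slow" variant where the same per-account footprint is spread over many IPs so that no single source stands out. A single account failing many times from one IP is deliberately not flagged, because that is brute force, not spray.

```powershell
# Added example, not part of the original article or the MSOLSpray project.
# Constructed sign-in records (values are made up). Window 08:00-09:00 contains a
# single-source spray (6 accounts, one failure each, from 203.0.113.10) plus a
# brute-force attempt (grace, 5 failures from 198.51.100.7). Window 14:00-15:00
# contains a distributed spray: 5 accounts, each failing once from a different IP.
$signIns = @'
[
  {"createdDateTime":"2021-03-01T08:00:02Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:00:09Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:00:15Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:00:21Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:00:28Z","userPrincipalName":"erin@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:00:34Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:12:00Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:12:05Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:12:10Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:12:15Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T08:12:20Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T09:30:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.50","status":{"errorCode":0}},
  {"createdDateTime":"2021-03-01T14:03:00Z","userPrincipalName":"heidi@contoso.com","ipAddress":"192.0.2.1","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T14:11:00Z","userPrincipalName":"ivan@contoso.com","ipAddress":"192.0.2.2","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T14:24:00Z","userPrincipalName":"judy@contoso.com","ipAddress":"192.0.2.3","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T14:40:00Z","userPrincipalName":"mallory@contoso.com","ipAddress":"192.0.2.4","status":{"errorCode":50126}},
  {"createdDateTime":"2021-03-01T14:55:00Z","userPrincipalName":"niaj@contoso.com","ipAddress":"192.0.2.5","status":{"errorCode":50126}}
]
'@ | ConvertFrom-Json

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $WindowMinutes      = 60,  # assumed window size
        [int]    $MinDistinctUsers   = 5,   # fewer targets than this is not "many accounts"
        [double] $MaxAttemptsPerUser = 2,   # more tries per account looks like brute force, not spray
        [int]    $MinDistinctSources = 5    # distributed spray: failures spread over at least this many IPs
    )

    # Keep only wrong-password failures (50126) and bucket them into fixed UTC windows.
    $failures = foreach ($s in $SignIns) {
        if ($s.status.errorCode -ne 50126) { continue }
        $utc    = [datetimeoffset]::Parse($s.createdDateTime).UtcDateTime
        $bucket = $utc.Date.AddMinutes([math]::Floor($utc.TimeOfDay.TotalMinutes / $WindowMinutes) * $WindowMinutes)
        [pscustomobject]@{
            Window = $bucket.ToString('yyyy-MM-dd HH:mm')
            User   = $s.userPrincipalName.ToLower()
            Ip     = $s.ipAddress
        }
    }

    $alerts = [System.Collections.Generic.List[object]]::new()

    # Pattern 1: one source IP, one window, many distinct accounts, few tries per account.
    foreach ($g in ($failures | Group-Object Window, Ip)) {
        $users = @($g.Group.User | Select-Object -Unique).Count
        if ($users -ge $MinDistinctUsers -and ($g.Count / $users) -le $MaxAttemptsPerUser) {
            $alerts.Add([pscustomobject]@{
                Kind = 'single-source'; Window = $g.Group[0].Window; SourceIp = $g.Group[0].Ip
                DistinctUsers = $users; DistinctSources = 1; Failures = $g.Count
            })
        }
    }

    # Pattern 2: "low and slow". Same per-account footprint, but spread across many IPs,
    # so per-IP counting (pattern 1) sees nothing. Aggregate the whole window instead.
    foreach ($g in ($failures | Group-Object Window)) {
        $users = @($g.Group.User | Select-Object -Unique).Count
        $ips   = @($g.Group.Ip   | Select-Object -Unique).Count
        if ($ips -ge $MinDistinctSources -and $users -ge $MinDistinctUsers -and ($g.Count / $users) -le $MaxAttemptsPerUser) {
            $alerts.Add([pscustomobject]@{
                Kind = 'distributed'; Window = $g.Name; SourceIp = '*'
                DistinctUsers = $users; DistinctSources = $ips; Failures = $g.Count
            })
        }
    }

    return $alerts
}

# Expected on the constructed data: one 'single-source' alert for 203.0.113.10 in the
# 08:00 window and one 'distributed' alert for the 14:00 window; grace's brute force is not a spray.
Find-PasswordSpray -SignIns $signIns | Format-Table -AutoSize
```

On a real tenant, replace the constructed array with an export of the sign-in logs (the portal's JSON download, or the objects returned by Get-AzureADAuditSignInLogs from the AzureADPreview module, whose property names differ only in case, which PowerShell ignores). The thresholds are the interesting part: the "low and slow" attacker described above deliberately stays under the per-IP count, so a per-IP rule alone will miss it, and the window for the distributed check usually has to be much longer (a day) than for the single-source check.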

Example of password spray attack


