Password Spraying
Password spraying is an attack technique in which an adversary attempts to compromise user accounts by authenticating with a curated list of passwords that are either commonly used or likely to be used by the target. Password spraying can be conducted by an external adversary against any internet-facing system or SaaS application, or by an adversary that has gained a foothold within the network and is seeking to widen their access.
Frequent targets for password spraying include VPN servers, web-based email applications, and single sign-on providers. Unlike credential stuffing, where an adversary targets specific users with previously compromised passwords, password spraying tries common or likely passwords against as many users as possible. Many adversaries therefore structure their attacks to avoid detection, perhaps trying only one password per user account at a time or waiting some time between attempts.
Threat Summary
- Target: Active Directory, Azure AD, other public applications
- ATT&CK® Tactic: Credential Access
- ATT&CK Technique:
- Difficulty:
  - Detection: Hard
  - Mitigation: Medium
  - Response: Low
How Password Spraying Works
Detect, Mitigate, and Respond
Detection (Difficulty: Hard)
Detecting password spraying is relatively difficult: the volume of authentication events and the large number of services that need monitoring produce large data sets that require complex analysis. Some providers offer password spray detection and prevention in their own security controls, but it is still important to aggregate authentication events from all applications and analyze them for the signs of password spraying, such as failed authentication attempts from the same source against multiple users.
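An added example of the aggregation described above (not code from the original page): a small Python script that replays constructed authentication log lines and flags any source whose failed logons touch many distinct usernames within a time window, then lists the accounts that source later logged into successfully. The log format, IP addresses, usernames and thresholds are assumptions.

```python
"""Flag password-spray patterns: one source failing against many distinct
usernames inside a time window, as opposed to one user failing repeatedly."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# "<timestamp> <source IP> <username> <result>", spaced out like a low-and-slow spray.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z 203.0.113.7 alice FAIL
2024-03-01T08:04:10Z 203.0.113.7 bob FAIL
2024-03-01T08:09:30Z 203.0.113.7 carol FAIL
2024-03-01T08:15:02Z 203.0.113.7 dave FAIL
2024-03-01T08:21:44Z 203.0.113.7 erin FAIL
2024-03-01T08:27:00Z 203.0.113.7 frank SUCCESS
2024-03-01T08:01:00Z 198.51.100.9 alice FAIL
2024-03-01T08:02:00Z 198.51.100.9 alice FAIL
2024-03-01T08:03:00Z 198.51.100.9 alice SUCCESS
"""

def parse(lines):
    """Parse log lines into (timestamp, source, user, result), sorted by time."""
    events = []
    for line in lines.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events)

def find_sprays(lines, window=timedelta(hours=1), min_users=5):
    """Return {source: {"distinct_users": n, "compromised": [...]}} for every
    source whose failures hit >= min_users distinct usernames within `window`."""
    fails = defaultdict(list)      # src -> [(ts, user)] failed logons, time-ordered
    successes = defaultdict(set)   # src -> usernames that succeeded from that source
    for ts, src, user, result in parse(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, attempts in fails.items():
        best = 0
        for i, (start, _) in enumerate(attempts):
            # Sliding window: distinct users failed from this source since `start`.
            in_window = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= min_users:
            # Accounts a spraying source logged into are the ones to reset first.
            alerts[src] = {"distinct_users": best,
                           "compromised": sorted(successes[src])}
    return alerts

if __name__ == "__main__":
    print(find_sprays(SAMPLE_LOG))
```

The second source (one user failing twice, then succeeding) is not flagged, which is what distinguishes a spray from an ordinary mistyped password.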
Mitigation (Difficulty: Medium)
Password spraying can be mitigated by adopting healthy authentication practices (good passwords and multi-factor authentication) and ensuring that applications you build or consume offer defenses against brute force password attacks. NIST Special Publication 800-63B provides current guidance for strong authentication approaches and brute force defenses.
Response (Difficulty: Low)
When a suspected password spray attack is detected, actions can be taken to block continued activity and remediate any compromised accounts.
- Activate the incident response process and alert the incident response team
- Block the source of the password spray at the network and/or application level to prevent further authentication attempts. If the spray originates from an internal machine, quarantine it for investigation, eradication, and recovery
- Reset the password for any user whose password was compromised in the attack