Password spraying is a cyber threat that exploits weak passwords in order to easily compromise user accounts. That means it is critical to enforce strict access controls when authenticating users into a system.
This article provides an overview of password spraying attacks, including how they work and a few real-world examples of these attacks. I’ll also look at how these attacks impact businesses, along with mechanisms to detect and prevent them.
What is password spraying?
A password spraying attack is a type of cyberattack where the attacker tries to gain access to user accounts by using one or more commonly used passwords across multiple accounts.
Technique T1110.003 in the MITRE ATT&CK Framework, Password spraying differs from a typical brute-force attack, where attackers try many passwords against a specific user account. However, we can consider spraying a type of brute force attack — it involves a trial-and-error approach of “spraying” a single password across many accounts until a match is found.
This approach enables attackers to avoid countermeasures like account locking when specific login attempts with different passwords have been exceeded. Thus, it is difficult to detect password-spraying attacks without proper detection methods. These password-spraying attacks often target federated authentication used in single sign-on (SSO) and cloud-based applications. Once the attacker gains initial access, they can later access the critical data of organizations.
How password spraying attacks work
Password spraying attacks are carried out in three steps.
Step 1. Get the list of usernames
First, the attacker must obtain a list of usernames. This isn’t so difficult, thanks to common email formats. For example, most companies use a standard email format such as:
Sometimes, usernames corresponding to those emails can be found in social media or with simple Google searches. Additionally, attackers can acquire usernames from the dark web.
Step 2. Spray passwords
Next, the attacker must obtain a list of commonly used passwords — which is easily findable online. To avoid detection, attackers usually conduct password spraying slowly. Additionally, attackers can utilize toolkits to automate the spraying process.
Step 3. Access the account & spread the attack to compromise user data
Once the spraying attack is successful, the attacker will gain access to multiple accounts of the victim, if the same password is used across those accounts. That means attackers can further spread and compromise user data based on the accounts and privileges of that user.
Password spraying vs. credential stuffing: One major difference
Password spraying and credential stuffing often go hand in hand. Both are brute-force attacks that aim to acquire unauthorized access to user accounts. Yet there is a difference between these two types of attacks.
Credential stuffing involves using many username and password combinations obtained by attackers. In the meantime, password spraying attacks involve trying a single or a small number of commonly used passwords against many user accounts.
As a general rule of thumb, we can say that password-spraying attacks are typically carried out against a specific target and thus can be more difficult to detect than credential stuffing.
Examples of password-spraying attempts
User accounts with weak passwords and poor authentication mechanisms will often become the victims of password-spraying attacks. The following are some real-world examples of password spraying attacks that have prompted organizations to strengthen their security measures.
Microsoft Exchange Online (October 2022)
In October 2022, Microsoft warned that password spray attacks were targeting users of Exchange Online who used basic authentication. The attackers made these users deprecate Basic Auth for Exchange Online. The Exchange Team at Microsoft later clarified that the decision to disable basic authentication in Exchange Online was made solely to protect user accounts and data against growing password spraying attacks.
Between October 13, 2018, and March 8, 2019, a password spraying attack successfully gained unauthorized access to Citrix's internal network.
The organization confirmed that their business documents and files were stolen. According to Citrix, the individual virtual drives and company email accounts of a few users were compromised, and the attackers had also targeted multiple internal applications.
Microsoft Office 365 (2019)
In 2019, a group of attackers conducted a password-spraying attack targeting Microsoft Office 365 accounts. They accesses 1,800 email accounts of customers by using a list of passwords obtained from previous data breaches.
The impact of password spraying attacks
As we see from these examples, password spraying is a severe cyberattack that can have significant impacts on businesses.
If attackers gain access to systems or accounts of an organization through password spraying, they could leverage those account privileges to access sensitive information such as financial and customer data. Those kinds of data breaches will damage the reputation of the business, especially if the attackers compromise customer data. Customers will lose trust in your business, resulting in high turnover rates.
Additionally, businesses will have to bear the costs of remediation and damage control after a data breach. They may also be subject to penalties for failing to secure their systems and data. It can also include legal liabilities from regulatory agencies, customers, partners, and other stakeholders. Such consequences may result in:
- Huge financial losses
- A loss of revenue for the business
Furthermore, password spraying attacks can reduce the productivity of IT teams, disrupting their important work as they focus on identifying and remediating the source of the attack. Thus, businesses must implement strong security mechanisms such as multi-factor authentication and strong password policies to eliminate these attacks.
(Get the latest incident review best practices & metrics.)
Detecting password-spraying attacks: signs you’re being attacked
The following are some signs that indicate your accounts are undergoing a password-spraying attack.
A sudden increase in failed login attempts
Suppose your IT teams monitor login attempts for multiple user accounts. Today, they notice a sudden increase in failed login attempts or locked accounts and it might indicate that a password-spraying attack is underway.
You can confirm the attack by checking the used passwords and verifying that they are a list of compromised passwords used to gain access to accounts earlier. The attackers may also use outdated login information, such as the credentials of former employees — this would indicate that attackers have accessed outdated employee directories.
Unusual account access patterns
If you analyze login attempts, you may notice unusual login patterns that deviate from normal account access behaviors. For example:
- Logins that access the accounts outside of normal business hours or from unusual IP addresses.
- An abnormal surge in network traffic or bandwidth usage could be a sign of a password-spraying attack.
Monitoring and analytics with Machine Learning can be useful in identifying these unusual access patterns.
(Learn how to detect password spraying attacks with Splunk.)
How to avoid & mitigate password-spraying attacks
And now we can talk about ways to prevent these sorts of attacks. Businesses can implement various security measures to prevent password spraying attacks. Here are some options.
Implement a strong password policy
Password-spraying attacks typically target weak passwords that are easy to guess. Thus, businesses must enforce strong password policies, such as:
- Requiring a combination of uppercase and lowercase letters, numbers, and special characters to create complex passwords.
- Prohibiting passwords that can be easily guessed or have been previously used.
Additionally, you must enforce a strong password reset policy. For example, passwords should be reset frequently, such as once every three months, making it difficult for attackers to access an account. Moreover, businesses should quickly remove dormant user accounts or users who no longer access or use their systems.
Control the number of login attempts
Avoid entering passwords an unlimited number of times. While modern systems do not allow that, there can still be some legacy systems that allow such practices. It is essential to lock out the account after a certain number of failed login attempts. Then it will be difficult for attackers to carry out brute-force attacks to guess the correct password.
Monitor with alerting
Regularly monitoring and analyzing login attempts can help organizations proactively detect and eliminate password spraying attacks. It includes detecting anomalies such as multiple failed attempts from a single IP address and sudden increases in network traffic.
Once any suspicious activity is detected, organizations can send alerts to notify security teams. Then they can take necessary actions such as blocking the attacker, disabling compromised accounts, and implementing multi-factor authentication.
(Read the full guide to monitoring & observability.)
Implement multi-factor authentication (MFA)
MFA adds an extra layer of security to the login process by requiring two or more authentication mechanisms. For example, once the user has provided the correct password, MFA will require him to enter a security code sent via SMS or to use an authenticator app to approve the sign-in process.
This makes it more difficult for attackers to access an account, even if they have obtained the correct password.
All these preventive measures will be in vain if users are not aware of the risks associated with user accounts and the importance of using strong passwords and MFA. Thus, it is crucial to educate users on password-spraying attacks and how to avoid them. This includes encouraging them to use unique passwords for each account and enable multi-factor authentication whenever possible.
Summing up password spraying
Password spraying is a type of brute-force cyberattack where the same password or a list of common passwords is used to gain access to multiple user accounts. Although similar to credential stuffing attacks, they differ from each other in a few ways. The many documented cases of password-spraying attacks worldwide illustrate the serious consequences for businesses if attackers gain access to sensitive data.
You can detect password-spraying attacks by monitoring unusual login attempts and account access behavior. There are several ways to mitigate these attacks, such as by enforcing strong password policies and implementing MFA.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.