Category: Attack Techniques

Password Spraying

Also known as: Password Spray Attack, Low-and-Slow Brute Force
Simply put

Password spraying is a type of cyberattack where an attacker tries a small number of commonly used passwords against a large number of user accounts. Unlike traditional brute force attacks that try many passwords against a single account, password spraying spreads attempts across many accounts to avoid triggering lockout policies. The goal is to gain unauthorized access to at least one account without detection.

Formal definition

Password spraying is a credential-based account takeover (ATO) technique and a sub-technique of brute force (MITRE ATT&CK T1110.003). The attacker iterates through a list of valid or probable usernames, attempting one or a small set of commonly used or default passwords against each account per pass, then waits before starting the next pass. This approach is designed to remain below per-account failed-login thresholds that would trigger lockout or alerting controls. The attack typically relies on a curated list of high-frequency passwords combined with harvested or enumerated usernames. Because the number of attempts per account is intentionally kept low, per-account lockout mechanisms are insufficient as a sole control. Detection typically requires cross-account anomaly analysis at the identity provider or authentication layer, examining patterns such as distributed low-volume failures across many accounts within a defined time window.
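The lockout arithmetic behind that definition, as an added example that is not part of the original page: a simulation of a per-account lockout policy (a failure threshold plus an observation window that resets the counter) run against a constructed ten-user directory, first as a single-account brute force and then as two sprays, one fast and one paced. The directory, the password list, and the threshold and window values are all assumptions made for the example.

```python
"""Added example (not from the page): why a paced spray stays under a
per-account lockout while a brute force and an unpaced spray do not.
Directory, password list and policy values are constructed."""
from collections import defaultdict


class LockoutPolicy:
    """Per-account lockout: lock after `threshold` failures inside `window` seconds.

    Models the usual policy pair (lockout threshold plus a "reset counter after"
    observation window); failures older than the window no longer count.
    """

    def __init__(self, threshold=5, window=600):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)  # account -> timestamps of counted failures
        self.locked = set()

    def attempt(self, account, password, now, directory):
        # Age out failures that fell outside the observation window.
        self.failures[account] = [t for t in self.failures[account] if now - t < self.window]
        if account in self.locked:
            return "locked"
        if directory.get(account) == password:
            return "success"
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.threshold:
            self.locked.add(account)
        return "failure"


def brute_force(policy, account, passwords, directory, spacing=1):
    """Account-major order: every candidate password against one account.
    Returns the outcome of each attempt in order."""
    now = 0
    outcomes = []
    for pw in passwords:
        outcomes.append(policy.attempt(account, pw, now, directory))
        now += spacing
    return outcomes


def spray(policy, accounts, passwords, directory, pause_between_rounds):
    """Password-major order: one password against every account, then pause
    before the next password. Returns (successful (account, password) pairs,
    accounts that ended up locked)."""
    now = 0
    hits = []
    for pw in passwords:
        for acct in accounts:
            if policy.attempt(acct, pw, now, directory) == "success":
                hits.append((acct, pw))
            now += 1  # one second between requests
        now += pause_between_rounds
    return hits, sorted(policy.locked)


# Constructed directory: strong unique passwords except user7, who picked a
# value that appears on every spray list.
DIRECTORY = {f"user{i}": f"Strong!Unique{i}" for i in range(1, 11)}
DIRECTORY["user7"] = "Summer2024!"
ACCOUNTS = sorted(DIRECTORY)
SPRAY_LIST = ["Password1", "Welcome1", "Summer2024!", "Company123", "Qwerty123", "Changeme1"]

if __name__ == "__main__":
    print("brute force on user1:", brute_force(LockoutPolicy(), "user1", SPRAY_LIST, DIRECTORY))
    print("fast spray:", spray(LockoutPolicy(), ACCOUNTS, SPRAY_LIST, DIRECTORY, pause_between_rounds=0))
    print("paced spray:", spray(LockoutPolicy(), ACCOUNTS, SPRAY_LIST, DIRECTORY, pause_between_rounds=700))
```

Both orderings find user7's password, but the fast spray locks every account (and would light up a lockout dashboard), whereas pacing each pass past the 600-second window leaves no account with more than one counted failure at any time. A lockout policy therefore constrains only the attacker's speed, which is what "low and slow" in the alias above refers to.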

Why it matters

Password spraying is effective precisely because it exploits a gap between how lockout policies are designed and how attackers operate. Traditional account lockout controls are scoped to per-account failure counts, and password spraying deliberately stays below those thresholds by distributing attempts across many accounts. This means the attack can succeed silently, with no single account ever triggering an alert, even as the attacker cycles through hundreds or thousands of usernames. A single compromised account is often sufficient for an attacker to establish an initial foothold, escalate privileges, or move laterally within a network.

The technique is particularly dangerous in environments where users rely on weak or commonly reused passwords, and where authentication systems lack cross-account anomaly detection. Cloud-based identity providers and single sign-on systems are frequent targets because a successful spray against one account can grant access to many downstream services. Organizations that have not implemented multi-factor authentication are especially exposed, since password-only authentication offers no additional barrier once valid credentials are obtained.

Password spraying has been documented as a tactic used in significant intrusion campaigns against enterprise and government targets. Microsoft has published incident response playbook guidance specifically addressing password spray detection, reflecting how frequently this technique appears in real-world investigations. The combination of low technical complexity, high scalability, and limited detection surface makes password spraying a persistent threat across industries.

Who it's relevant to

Security Operations and Incident Responders
Security operations teams are on the front line of detecting and responding to password spraying. Because spraying attempts are deliberately low-volume per account, standard lockout alerts are typically insufficient. Detection requires cross-account correlation, looking for distributed authentication failures across many accounts within a time window. Incident responders investigating a suspected spray should consult identity provider logs, authentication system telemetry, and any available behavioral baselines to distinguish spraying patterns from normal login noise. Microsoft's published incident response playbook for password spray attacks provides a structured framework for this investigation process.
Identity and Access Management (IAM) Engineers
IAM engineers are responsible for configuring the controls that either enable or constrain password spraying as an attack surface. Key mitigations include enforcing multi-factor authentication, implementing risk-based or adaptive authentication policies, and configuring identity providers to detect and respond to anomalous cross-account authentication patterns. Per-account lockout policies alone are not sufficient to stop spraying. IAM teams should also evaluate whether authentication endpoints are exposed in ways that allow unauthenticated enumeration of valid usernames, since username harvesting typically precedes a spray campaign.
Application Developers
Developers building authentication flows should understand that password spraying targets the authentication layer directly, and that application-level controls are part of the defensive stack. Applications that implement their own authentication rather than delegating to a centralized identity provider may lack the cross-account visibility needed to detect spraying. Relevant considerations include whether the application enforces rate limiting at the application level, whether it returns information that aids username enumeration, and whether it integrates with centralized logging systems that can surface distributed failure patterns.
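An illustration of the enumeration point above, as an added example that is not code from the page: a login handler that reveals whether a username exists through both its response and its timing, beside a hardened version that returns one failure response and always performs the password hash. The user store, the PBKDF2 parameters and the probe routine an attacker would run are constructed for the example.

```python
"""Added example (not from the page): a username-enumeration oracle in a
login handler, and the hardened form. User store and parameters are constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; high enough that the timing gap is visible


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). Only "alice" exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def login_leaky(username: str, password: str):
    """Vulnerable handler: the message differs for unknown users, and unknown
    users skip the expensive hash, so both the body and the response time tell
    the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return 404, "no such user"
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return 200, "ok"
    return 401, "wrong password"


# A random dummy credential verified whenever the username is unknown, so the
# unknown-user path does the same work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_uniform(username: str, password: str):
    """Hardened handler: one status and one message for every failure, and the
    hash is always computed, whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and username in USERS:
        return 200, "ok"
    return 401, "invalid username or password"


def enumerate_by_response(login, candidates, probe_password="x"):
    """The attacker's side: any candidate whose failure response differs from
    the response for a name that certainly does not exist is a valid account."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), probe_password)
    return [u for u in candidates if login(u, probe_password) != baseline]


def timing_gap(login, known: str, unknown: str, rounds: int = 5) -> float:
    """Median response-time difference in seconds between a known and an
    unknown username; clearly positive for the leaky handler."""
    def median(user):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(user, "x")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return median(known) - median(unknown)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky handler leaks:", enumerate_by_response(login_leaky, names))
    print("uniform handler leaks:", enumerate_by_response(login_uniform, names))
    print("leaky timing gap (s): %.4f" % timing_gap(login_leaky, "alice", "bob"))
    print("uniform timing gap (s): %.4f" % timing_gap(login_uniform, "alice", "bob"))
```

The hardened handler also closes the timing side channel: verifying a dummy credential for unknown users means both paths cost one PBKDF2 computation. The same uniformity should hold for password-reset and registration endpoints, which are the other common enumeration oracles, and application-level rate limiting on top of it slows down whatever the attacker can still learn.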
Security Architects
Security architects should treat password spraying as a baseline threat model assumption when designing authentication infrastructure. Architectures that consolidate authentication through a centralized identity provider or single sign-on system create a single point where cross-account anomaly detection can be applied effectively. Architects should also consider the blast radius of a successful spray: in environments where one set of credentials grants access to many systems, the impact of a single compromised account is significantly higher. Defense-in-depth designs should assume that password-only authentication controls will eventually be bypassed and include compensating controls such as MFA and privileged access management.
Compliance and Risk Professionals
Password spraying represents a concrete, well-documented attack technique that compliance and risk teams should account for in risk assessments and control frameworks. Controls relevant to mitigating spraying, such as MFA requirements, authentication anomaly monitoring, and password policy enforcement, map to requirements in frameworks addressing access control and account security. Risk professionals should note that password spraying is low-cost and scalable for attackers, meaning that the likelihood component of risk assessments should reflect its accessibility as an attack technique, not just its technical sophistication.

Inside Password Spraying

Credential List
A curated set of commonly used or breached passwords, typically including seasonal patterns, default credentials, and passwords from prior data breaches, used as the spray payload across target accounts.
Target Account Enumeration
A preliminary phase in which valid usernames or account identifiers are gathered, often through OSINT, directory exposure, or authentication response differences, to build the list of accounts to spray.
Low-and-Slow Timing Strategy
The deliberate spacing of authentication attempts across time and, in some cases, across source IP addresses, to remain below account lockout thresholds and avoid triggering rate-based detection controls.
Account Lockout Threshold Awareness
The attacker's operational knowledge of the target environment's lockout policy, which governs how many failed attempts per account are permitted before lockout, directly shaping the pacing and volume of the attack.
Distributed Source Infrastructure
The use of multiple IP addresses, proxies, or compromised hosts to distribute authentication attempts, reducing the per-source request volume and evading IP-based blocking or alerting.
Authentication Protocol Targeting
The selection of specific authentication endpoints or legacy protocols (such as basic authentication over IMAP, POP3 or SMTP AUTH, or the OAuth 2.0 resource owner password credentials grant) that may validate a username and password without enforcing MFA or conditional access policies, maximizing the attack's chance of success and giving the attacker a clean valid/invalid answer for each credential tried.

Common questions

Answers to the questions practitioners most commonly ask about Password Spraying.

Does password spraying always trigger account lockout policies?
No. Password spraying is specifically designed to avoid account lockout by attempting only one or a few passwords per account before moving on. Lockout policies count failures per account within an observation window (the "reset account lockout counter after" setting in Windows domain policy, for example), so an attacker who knows the threshold and the window paces each pass to let the counter reset. When the per-account failure count stays below the threshold within that window, traditional lockout-based defenses do not trigger, which is one reason the technique is effective against organizations that rely solely on lockout policies for brute-force protection. A badly paced spray does lock accounts in bulk, and a sudden wave of lockouts across many unrelated users is itself a useful signal.
Is password spraying only a threat to external-facing systems?
No. While password spraying is commonly associated with attacks against external services such as VPNs, webmail, and cloud portals, it is also used internally after an attacker has gained a foothold on a network. Internal systems, Active Directory environments, and intranet applications are all potential targets, so defenses should not be scoped exclusively to perimeter-facing assets.
How should organizations configure detection rules to identify password spraying attempts?
Effective detection typically involves monitoring authentication logs for patterns where a single source attempts authentication against many distinct accounts within a defined time window, even if each individual account sees only one or two failures, and, more robustly, for an unusual number of distinct accounts each failing once or twice across the whole user population regardless of source. Thresholds should be tuned to the environment's normal authentication volume and user count to reduce false positives, and rules should account for distributed attempts that may originate from multiple source IPs. Failures whose reason is a wrong password for an existing account are the ones to count; a burst of unknown-account failures points instead to username enumeration.
What logging and visibility prerequisites are needed to detect password spraying effectively?
Organizations generally need centralized collection of authentication logs from all relevant systems, including identity providers, VPNs, cloud services, and on-premises directory services. Logs must capture, at minimum, the source IP, the targeted account, the timestamp, and the authentication outcome, and ideally the failure reason: Windows event 4625, for example, carries a sub-status that distinguishes a wrong password (0xC000006A) from a nonexistent account (0xC0000064) or a locked one (0xC0000234). Without aggregation across systems, spraying attempts that are distributed across multiple services may not be visible as a coordinated pattern.
Which defensive controls are most practical for reducing exposure to password spraying?
Multi-factor authentication is widely considered the most effective control because a successful password guess alone is insufficient to complete authentication. Complementary controls include monitoring for the cross-account failure patterns described above, screening new and reset passwords against a deny-list of commonly sprayed and breached values (composition rules alone do not help, since a value like "Summer2024!" satisfies most of them), and implementing conditional access policies that flag or challenge authentications from unfamiliar locations or devices.
How should incident responders scope an investigation when password spraying is suspected?
Responders should gather authentication logs across all identity systems for the relevant time window and look for accounts that received failed attempts even if the attempts did not reach the lockout threshold. They should also identify any accounts where a failed spray was followed by a successful login, which may indicate a compromised credential, and review what those sessions did afterwards (new MFA device registrations, mailbox rules, token or application consent grants) before fixing the scope. The scope of reviewed systems should include cloud services, on-premises directories, and any federated identity providers, as spraying campaigns may target multiple surfaces.
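A worked version of the detection and scoping logic in the three answers above, as an added example that is not from the page: a population-level rule over tumbling windows, run over constructed log lines in an assumed CSV layout (timestamp, source IP, account, outcome, reason), followed by the responder's "failed, then succeeded" check. Addresses come from the documentation ranges; usernames, timestamps and thresholds are assumptions made for the example.

```python
"""Added example (not from the page): population-level spray detection over
constructed authentication log lines, plus the incident-response follow-up.
Log layout, addresses, usernames and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one record per line: timestamp,source_ip,account,outcome,reason
# 192.0.2.0/24 stands in for the office network and 203.0.113.0/24 for the
# attacker's two spray sources (both are documentation address ranges).
ACCOUNTS = [f"user{i:02d}" for i in range(1, 21)]
SPRAY_SOURCES = ["203.0.113.10", "203.0.113.11"]


def build_sample_log():
    t0 = datetime(2024, 3, 4, 9, 0, 0)

    def stamp(**offset):
        return (t0 + timedelta(**offset)).isoformat() + "Z"

    lines = [
        # ordinary noise: a typo followed by a successful retry, and one more typo
        f"{stamp(seconds=15)},192.0.2.5,user03,failure,bad_password",
        f"{stamp(seconds=40)},192.0.2.5,user03,success,",
        f"{stamp(minutes=2)},192.0.2.9,user11,failure,bad_password",
    ]
    # the spray: one password against every account, alternating between two
    # sources, one request every 20 seconds, starting at 09:05
    for i, acct in enumerate(ACCOUNTS):
        lines.append(f"{stamp(minutes=5, seconds=20 * i)},{SPRAY_SOURCES[i % 2]},{acct},failure,bad_password")
    # the sprayed value was right for user17; the attacker logs in from the other source
    lines.append(f"{stamp(minutes=14)},203.0.113.11,user17,success,")
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, src, acct, outcome, reason = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "acct": acct, "outcome": outcome, "reason": reason})
    return events


def detect_spray(events, window_minutes=10, min_accounts=10, per_account_max=2, min_per_source=3):
    """Flag a tumbling window in which at least `min_accounts` distinct accounts
    see a wrong-password failure while no single account fails more than
    `per_account_max` times (a brute force on one account fails the second test
    and belongs to a different rule). Unknown-account failures are ignored here;
    they feed an enumeration rule instead. Returns a list of
    (window_start, distinct_failed_accounts, sources hitting >= min_per_source accounts)."""
    buckets = defaultdict(list)
    for e in events:
        if e["outcome"] != "failure" or e["reason"] != "bad_password":
            continue
        start = e["ts"].replace(minute=e["ts"].minute // window_minutes * window_minutes,
                                second=0, microsecond=0)
        buckets[start].append(e)
    alerts = []
    for start, evs in sorted(buckets.items()):
        per_account = defaultdict(int)
        per_source = defaultdict(set)
        for e in evs:
            per_account[e["acct"]] += 1
            per_source[e["src"]].add(e["acct"])
        if len(per_account) >= min_accounts and max(per_account.values()) <= per_account_max:
            sources = sorted(s for s, accts in per_source.items() if len(accts) >= min_per_source)
            alerts.append((start, len(per_account), sources))
    return alerts


def spray_follow_ups(events, sources):
    """Incident-response scoping: accounts that failed from a spray source and
    later succeeded from any spray source.
    Returns {account: (first_failure, success_time, success_source)}."""
    srcs = set(sources)
    first_failure = {}
    compromised = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] not in srcs:
            continue
        if e["outcome"] == "failure":
            first_failure.setdefault(e["acct"], e["ts"])
        elif e["outcome"] == "success" and e["acct"] in first_failure:
            compromised[e["acct"]] = (first_failure[e["acct"]], e["ts"], e["src"])
    return compromised


if __name__ == "__main__":
    events = parse(build_sample_log())
    for start, n, sources in detect_spray(events):
        print(f"{start:%H:%M}: {n} distinct accounts failed once or twice; spray sources {sources}")
        for acct, (failed, succeeded, src) in spray_follow_ups(events, sources).items():
            print(f"  {acct}: failed {failed:%H:%M:%S}, then succeeded {succeeded:%H:%M:%S} from {src}")
```

Two tuning points are visible in the output. The spray straddles the 09:10 boundary, so the five accounts that land in the second window are not flagged on their own; a sliding window, or a lower threshold, closes that gap. And the per-source list matters less than the population count: against a spray distributed over many proxies each source would hit only a few accounts, and the condition that still fires is the number of distinct accounts failing once or twice.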

Common misconceptions

Password spraying triggers account lockouts and is therefore easy to detect through lockout alerts.
Password spraying is specifically designed to stay below account lockout thresholds by attempting each password against many accounts before cycling to the next. In most cases, no individual account reaches the lockout limit, so lockout-based alerting does not fire and the attack proceeds without triggering that control.
Multi-factor authentication fully prevents password spraying from causing harm.
MFA significantly reduces the risk of account compromise from password spraying, but does not prevent the attack itself. Legacy authentication protocols and certain application integrations may allow authentication flows that bypass MFA enforcement, meaning successfully sprayed credentials can still result in unauthorized access in environments where MFA coverage is incomplete.
Password spraying is detectable primarily by monitoring for a high volume of failed login attempts from a single source.
Traditional brute-force detection focused on per-source or per-account failed attempt volume is largely ineffective against password spraying. The attack distributes attempts across many accounts and often across many source addresses, keeping per-account and per-source volumes low. Effective detection typically requires analyzing authentication patterns across the entire user population, looking for distributed low-frequency failures correlated by time, password value, or source infrastructure.

Best practices

Implement MFA broadly across all user-facing authentication surfaces and audit for legacy protocol exceptions or service accounts where MFA is not enforced, as these represent the highest-value targets for spraying attacks.
Configure authentication monitoring to detect population-level anomalies rather than only per-account or per-source thresholds, including alerts for a statistically unusual number of accounts experiencing a single failed authentication attempt within a defined time window.
Disable or restrict legacy authentication protocols (such as basic authentication over IMAP, POP3 or SMTP AUTH, and the OAuth 2.0 resource owner password credentials grant) that may allow credential validation without triggering modern conditional access or MFA policies, and log any remaining exceptions so they can be monitored.
Enforce organization-wide password policies that prohibit commonly sprayed values, including seasonal patterns, default credentials, and passwords appearing in known breach datasets, using a deny-list checked at password creation and reset time.
Conduct regular reviews of externally exposed authentication endpoints, including VPN portals, webmail, and federated identity providers, to ensure consistent security control coverage and to identify surfaces that may be targeted in a spray campaign.
Integrate threat intelligence feeds containing recently leaked credential sets to proactively identify accounts whose current passwords appear in breach data, enabling forced resets before those credentials can be used in a spraying attack.
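The deny-list check from the fourth and sixth items above, as an added example that is not part of the page: a screen that normalizes a candidate password to its base word before comparison (so "Summer2024!" and "P@ssw0rd1!" are caught, not only "password"), then consults a breach corpus through a k-anonymity range lookup in the style of the Pwned Passwords API, where only the first five characters of the SHA-1 hash leave the client. The word lists, the substitution table and the breach corpus are constructed for the example, and the range lookup is served from memory rather than over the network.

```python
"""Added example (not from the page): a password screen against commonly sprayed
values plus a breach-corpus check. Word lists, substitution table and the
breach corpus are constructed; the range lookup is an offline stand-in."""
import hashlib
import re
from collections import defaultdict
from typing import Optional

# Constructed deny-list material; a real deployment loads an organization
# word list and a breach corpus instead of these literals.
BANNED_WORDS = {"password", "welcome", "changeme", "letmein", "qwerty", "admin", "examplecorp"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
LEET = str.maketrans("013457@$", "oieastas")  # 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s


def normalize(password: str) -> str:
    """Reduce a candidate to the base word a spray list would start from:
    lowercase, drop leading and trailing digits/symbols (years, '1', '!'),
    then undo common letter substitutions."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def sha1_range_parts(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix sent
    to a k-anonymity range service and the 35-character suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed breach corpus with sighting counts, indexed the way a
# Pwned-Passwords-style range endpoint serves it: prefix -> "SUFFIX:COUNT" lines.
BREACHED_SAMPLE = {"Password1": 120, "hunter2": 5, "Summer2024!": 40}
_RANGES = defaultdict(list)
for _pw, _count in BREACHED_SAMPLE.items():
    _prefix, _suffix = sha1_range_parts(_pw)
    _RANGES[_prefix].append(f"{_suffix}:{_count}")


def fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix leaves the client; the full hash never does."""
    return "\r\n".join(_RANGES.get(prefix, []))


def breach_count(password: str) -> int:
    """Number of breach sightings for the password, matched on the local suffix."""
    prefix, suffix = sha1_range_parts(password)
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen(password: str) -> Optional[str]:
    """Return the rejection reason, or None when the password passes the screen."""
    core = normalize(password)
    if core in BANNED_WORDS:
        return f"base word '{core}' is on the deny-list"
    if core in SEASONS or core in MONTHS:
        return f"season or month name '{core}'"
    seen = breach_count(password)
    if seen:
        return f"appears {seen} times in breach data"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summer2024!", "hunter2", "correct horse battery staple"]:
        print(f"{candidate!r}: {screen(candidate) or 'accepted'}")
```

The normalization step is what makes the deny-list bite: composition rules accept every value on a typical spray list, which is why NIST SP 800-63B recommends screening against commonly used and breached passwords rather than enforcing character classes. Run the same screen on reset, not only on creation, and treat a breach-data hit for a password currently in use as a forced-reset trigger.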