Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft Introduces New Password Spray Detection for Azure

Microsoft this week announced the availability of a new password spray detection for Azure AD Identity Protection customers.

Microsoft this week announced the availability of a new password spray detection for Azure AD Identity Protection customers.

Password spraying represents one of the most common forms of attack, where threat actors attempt to breach organizations by trying common passwords against multiple accounts. According to Microsoft, one-third of account compromises are the result of such an attack.

“Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are ‘low and slow,’ where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords,” the tech giant explains.

With one or two attempts per day, which fall within the normal login patterns, such attacks typically go undetected and traditional protections such as password lockout and IP blocking are bypassed too.

According to Microsoft, password spray attacks yield a 1% success rate, but only if the targeted accounts don’t use password protection.

A look at such attacks across Azure Active Directory (AD) tenants around the world can reveal the patterns of a password spray: the attempts that use the same password generate the same hash, making them traceable.

“The huge elevation of a single hash failing across many accounts indicates a single password being attempted against hundreds of thousands of usernames from many tenants—a password spray attack in progress,” Microsoft explains.

Using this approach, the tech company came up with a heuristic detection for password spray, which allowed it to warn tenants “of hundreds of thousands of attacks monthly.” Based on this, the company built a new tool for password spray risk detection.

The new detection can identify twice as many compromised accounts compared to the previous heuristic algorithm, but maintains a 98% precision. The new risk detection is being introduced in the Azure AD Identity Protection portal and APIs for Identity Protection.

Related: Failures in Cybersecurity Fundamentals Still Primary Cause of Compromise: Report

Related: Russian Military Hackers Targeted Credentials at Hundreds of Organizations in US, UK

Related: Microsoft Combats Bad Passwords With New Azure Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility