Password spray attacks are a popular means of trying to gain access to user accounts and they make up one-third of account compromise in organizations. Instead of using many passwords against one user account, which would trigger account lockout quickly, password spray attacks use a few common passwords against many user accounts across numerous organizations. To be successful, malicious actors take the ‘low and slow’ approach from thousands of different IP addresses to launch an attack against many companies at the same time.
Going low and slow ensures that attackers are unlikely to create suspicion. Because there aren’t enough logon failures to trigger account lockouts or other alerts that might be in place. The low number of account logon failures get lost in the noise of normal login patterns. On accounts not protected by Azure Active Directory Password Protection, password spray attacks have a 1 percent success rate.
Due to the sheer volume of data that Microsoft collects from Azure AD tenants, it is now able to reliably detect patterns and alert organizations to password spray attacks. Microsoft can detect when a single password hash is being used for failed login attempts, indicating a single password is being used for hundreds of thousands of accounts across many Azure AD tenants.
Using the approach described above, Microsoft developed a heuristic detection that is used to notify tenants of hundreds of thousands of attacks every month via increased user risk alerts. But Microsoft decided to improve detection further with a new supervised machine learning system. The improved detection includes IP reputation, unfamiliar sign-in properties, and other behavior anomalies in account behavior.
The new machine-learning backed detection spots twice the number of compromised accounts when compared to the previous model. The model is also 98 percent accurate, the same level of precision provided by heuristic detection.
As it stands today, you need to be using Azure AD Identity Protection to benefit from the machine-learning password spray attack detection model. The new risk detection is available in the APIs and portal for Identity Protection. Azure AD security protections can be used to automate processes in Azure AD Conditional Access, Azure Sentinel, or using the APIs to connect any system you like.
Azure AD Identity Protection comes free with an Azure AD Premium P2 license. Tenants with Azure AD Free, Microsoft 365 Apps, or Azure AD Premium P1 licenses get limited information on risky users and risky sign-ins in security reports.
Microsoft would prefer that you didn’t use passwords at all. It has been pushing the use of passwordless sign-in for several years now. For more information on passwordless sign in, check out How to Set Up Passwordless Sign-in Using the Microsoft Authenticator App for Microsoft 365 and Understanding Windows 10 and Microsoft 365 Passwordless Sign-In on Petri.
Azure AD Password Protection uses a default global banned password list to prevent users setting weak passwords, like Password1234. Companies can also create their own custom banned password lists in addition to using a default global list. Azure AD Password Protection can also be used in hybrid scenarios to protect on-premises Windows Server Active Directory accounts.
But if you can’t go passwordless, then multifactor authentication virtually eliminates the risk of using passwords. Multifactor authentication requires users to confirm their identity not only using their password, but also something they have, like a mobile phone or FIDO2 security key. At the very least, organizations should protect accounts with privileged access to Azure AD using multifactor authentication.