Microsoft Sentinel Now Lets IT Admins Detect Low and Slow Password Spray Attacks


Microsoft has released a new guided hunting notebook for Microsoft Sentinel. The notebook applies machine learning to sign-in data so that organizations can detect, investigate and block low and slow password spray campaigns.

Password spraying is a variant of brute-force attack used to gain unauthorized access to accounts. Instead of trying many passwords against one account, the attacker tries a short list of commonly used passwords against a large number of accounts in an organization, so that no single account accumulates enough failures to trigger a lockout.

Microsoft explains that many businesses now have controls that block traditional password spraying. That is one reason state-sponsored attackers have switched to low and slow techniques, spacing out attempts to stay under account lockout thresholds. They use open source tools to automate the attacks and free or paid proxy services to spread attempts across many source IP addresses and avoid detection.

“Low and slow sprays are a variant on traditional password spray attacks that are being increasingly used by sophisticated adversaries such as NOBELIUM, STRONTIUM and HOLMIUM. These adversaries can randomize client fields between each sign in attempt, including IP addresses, user agents and client application,” Microsoft’s threat intelligence team explained.

Microsoft Sentinel uses ML to identify potential password spray attempts

The new Microsoft Sentinel notebook uses data analytics and machine learning techniques to hunt low and slow password spray attacks. It flags anomalous fields on each failed sign-in attempt, clusters those attempts, and analyzes the clusters for invariant properties: attributes that stay constant across a campaign even when the attacker changes other fields on every attempt. Finally, Sentinel incidents are created from the results and handed off for investigation and response.
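The Python below is an added example, not code from Microsoft's notebook, that walks the same three steps over a constructed day of sign-in events: keep only failed sign-ins whose source IP and client the account has never succeeded from, summarise that cluster (many accounts, about one attempt each, many source IPs) and then look for fields whose value is constant across the cluster but rare in successful traffic. The field names mirror Sentinel's SigninLogs table, the error code 50126 (wrong password) and every threshold are assumptions chosen for the illustration, and all the data is synthetic. It also shows why a per-account lockout threshold never fires against this campaign: no account sees more than two failures in the whole day.

```python
"""Hunting a low-and-slow password spray in sign-in logs (added illustration).

Constructed data only. Field names mirror the Sentinel SigninLogs table and
the error code / thresholds are assumptions, not Microsoft's notebook logic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FIELDS = ("IPAddress", "UserAgent", "AppDisplayName", "ClientAppUsed", "Location")
APPS = ("Office 365 SharePoint Online", "Microsoft Teams", "Outlook Web App")
CLIENTS = ("Browser", "Mobile Apps and Desktop clients")
UAS = ("Mozilla/5.0 (Windows NT 10.0) Edge/110",
       "Mozilla/5.0 (Macintosh) Safari/605", "Outlook-iOS/2.0")
BAD_PASSWORD = 50126  # assumed: Entra ID result code for a wrong password


def build_sample(n_users=60, n_targets=50):
    """Constructed day of sign-ins, deterministic so results are reproducible.

    Normal traffic: each user signs in 2-4 times from a fixed home IP; every
    tenth user mistypes a password once. Spray: one guess per targeted account
    about 25 minutes apart, a fresh IP, user agent and app on each attempt,
    but the same legacy client and country every time (the invariant).
    """
    start = datetime(2023, 1, 10)
    users = [f"user{i:03d}@contoso.example" for i in range(n_users)]
    events = []
    for i, user in enumerate(users):
        home_ip = f"10.1.{i // 20}.{i % 20 + 10}"
        for k in range(2 + i % 3):
            events.append({
                "TimeGenerated": start + timedelta(minutes=i * 10 + k * 120),
                "UserPrincipalName": user, "IPAddress": home_ip,
                "UserAgent": UAS[(i + k) % 3], "AppDisplayName": APPS[(i + k) % 3],
                "ClientAppUsed": CLIENTS[k % 2], "Location": "US",
                "ResultType": BAD_PASSWORD if (i % 10 == 0 and k == 0) else 0,
            })
    for i, user in enumerate(users[:n_targets]):
        events.append({
            "TimeGenerated": start + timedelta(minutes=i * 25 + 7),
            "UserPrincipalName": user,
            "IPAddress": f"{20 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 254 + 1}",
            "UserAgent": (UAS + ("python-requests/2.28",))[i % 4],
            "AppDisplayName": APPS[(2 * i) % 3],
            "ClientAppUsed": "Exchange ActiveSync", "Location": "NL",
            "ResultType": BAD_PASSWORD,
        })
    return sorted(events, key=lambda e: e["TimeGenerated"])


def max_failures_per_account(events):
    """What a per-account lockout rule sees: failures on the busiest account."""
    per_user = Counter(e["UserPrincipalName"] for e in events if e["ResultType"] != 0)
    return max(per_user.values(), default=0)


def anomalous_failures(events):
    """Step 1: keep failed sign-ins whose (IP, client) pair the account never
    succeeded from. A typo from the user's own laptop is dropped; a bad
    password from a source the account has never used is kept."""
    known = defaultdict(set)
    for e in events:
        if e["ResultType"] == 0:
            known[e["UserPrincipalName"]].add((e["IPAddress"], e["ClientAppUsed"]))
    return [e for e in events if e["ResultType"] != 0
            and (e["IPAddress"], e["ClientAppUsed"]) not in known[e["UserPrincipalName"]]]


def spray_summary(failures):
    """Step 2: campaign shape. A spray touches many accounts with very few
    attempts each from many IPs; a classic brute force is the opposite."""
    users = Counter(e["UserPrincipalName"] for e in failures)
    return {
        "attempts": len(failures),
        "distinct_users": len(users),
        "distinct_ips": len({e["IPAddress"] for e in failures}),
        "attempts_per_user": round(len(failures) / max(len(users), 1), 2),
    }


def looks_like_spray(summary, min_users=20, max_attempts_per_user=3.0):
    return (summary["distinct_users"] >= min_users
            and summary["attempts_per_user"] <= max_attempts_per_user)


def find_invariants(cluster, baseline, min_share=0.85, max_baseline_share=0.2):
    """Step 3: fields the attacker did not randomise. A field is invariant when
    one value covers most of the cluster yet is rare in successful traffic."""
    invariants = {}
    for field in FIELDS:
        value, hits = Counter(e[field] for e in cluster).most_common(1)[0]
        base_share = sum(1 for e in baseline if e[field] == value) / max(len(baseline), 1)
        if hits / len(cluster) >= min_share and base_share <= max_baseline_share:
            invariants[field] = value
    return invariants


def hunt(events):
    """Run the three steps; the result is what an analyst would raise as an incident."""
    cluster = anomalous_failures(events)
    summary = spray_summary(cluster)
    baseline = [e for e in events if e["ResultType"] == 0]
    return {
        "lockout_view_max_failures": max_failures_per_account(events),
        "summary": summary,
        "is_spray": looks_like_spray(summary),
        "invariants": find_invariants(cluster, baseline) if cluster else {},
    }


if __name__ == "__main__":
    for key, value in hunt(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed day the busiest account records only two failures, which is why a lockout or per-user threshold rule stays silent, while the cluster view shows 50 accounts hit roughly once each from 52 different IPs, and the two fields the attacker left constant (client and country) surface as the pivot for blocking and further hunting. Against a real tenant the baseline comparison matters more than the thresholds: a field that is constant in the cluster but also constant in normal traffic (every user in one country, say) is not a useful invariant.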

To get started, Microsoft Sentinel customers can open and run the guided hunting notebook from the "Templates" tab of the Notebooks blade. Once a password spray campaign is detected, IT admins should follow the process detailed on this support page to contain the campaign and protect the affected accounts and sensitive data.