Forum Discussion
Jeroen_van_der_Broek
Feb 27, 2023, Copper Contributor
Suspected brute-force attack and None of the passwords attempted were previously used passwords
Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted were previously used passwords.
This makes me wonder. It knows it is a password that was not used before. But did the account try to log in 100 times with this password, or did it make 100 tries with 100 passwords that were not used before?
If it is 100 tries with just 1 never-used password, it is possibly just someone who made a typo in a script (password), for example.
If it was 100 different passwords, it is a much bigger issue.
I cannot find in the documentation how I should read this. I am also not aware if there is an option to figure this out (a Kusto query, for example).
Anyone have an idea?
- Sruthyy (Copper Contributor)
Hi,
For better clarity, you need to investigate more of the various possible indicators on the impacted user account. In a recent update, Microsoft is rolling out a new alert for detecting password spray attacks. Utilize the below blog to identify what indicators should be monitored and how to defend against such attacks.
https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/
- Matthias_VDB (Iron Contributor)
Hi,
Seems logical that this is 100 attempts with 100 different passwords.
If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 times more on the same account.
If it would be a password-spray attack, then an attacker might use the same password against 100 accounts.
Your message also says: "none of the passwordS"...
So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.
- Jeroen_van_der_Broek (Copper Contributor)
I would indeed assume this based on the message/event. But then again, it does not know if you try different passwords, only that it is different from old known passwords. I am sure this account is not under brute-force attack.
- Matthias_VDB (Iron Contributor)
Sure is worth investigating
So, I guess this one you already figured out it was a script, or similar, using the wrong password... which for an AI system looks like a brute force attack...
So, this one is a benign positive then.
Guess "Suspected" is key in this case....
Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft Learn
Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender for Identity | Microsoft Learn
So, it is based on authentication attempts... but I guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used?
Probably the underlying detection algorithms will not be shared for security reasons. So let's just go with what we know:
Get an alert, investigate
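As an added example (not code from the thread, from Microsoft or from the linked blog), one way to act on the "Kusto query" idea from the original question: the logon events do not record which password was tried, so this advanced-hunting query instead profiles the failures behind the alert by source, cadence and prior history, which is what separates a job retrying a stale password from an attacker cycling through guesses. It assumes the IdentityLogonEvents table and the column names shown; the account UPN and time window are placeholders.

```kql
// Added example: profile the failed logons behind a "Suspected brute-force attack
// (Kerberos, NTLM)" alert in Microsoft 365 Defender advanced hunting.
// Assumptions: the IdentityLogonEvents table with columns Timestamp, ActionType,
// AccountUpn, IPAddress, DeviceName, Protocol and FailureReason.
let target = "svc-backup@contoso.example";   // placeholder: account named in the alert
let window = 24h;                            // placeholder: span covering the alert
// Has this account authenticated successfully from each source before the burst?
// A source with a long history of successes is more consistent with a script
// holding a stale password than with an outside attacker.
let priorSuccess = IdentityLogonEvents
    | where Timestamp between (ago(30d) .. ago(window))
    | where ActionType == "LogonSuccess" and AccountUpn =~ target
    | summarize PriorSuccesses = count() by IPAddress;
IdentityLogonEvents
| where Timestamp > ago(window)
| where ActionType == "LogonFailed" and AccountUpn =~ target
// Seconds since the previous failure from the same source. A scheduled job retries on a
// near-constant interval; a guessing tool typically produces bursts of sub-second gaps.
| sort by IPAddress asc, Timestamp asc
| extend GapSec = iff(prev(IPAddress) == IPAddress,
                      datetime_diff("second", Timestamp, prev(Timestamp)), int(null))
| summarize Attempts     = count(),
            Protocols    = make_set(Protocol),      // one protocol vs. Kerberos and NTLM mixed
            Reasons      = make_set(FailureReason), // one stable reason vs. several
            MedianGapSec = percentile(GapSec, 50),
            MinGapSec    = min(GapSec),
            MaxGapSec    = max(GapSec),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp)
          by IPAddress, DeviceName
| join kind=leftouter priorSuccess on IPAddress
| project-away IPAddress1
| extend PriorSuccesses = coalesce(PriorSuccesses, 0)
| sort by Attempts desc
```

Reading the result: all attempts from one source that has prior successes, a single failure reason and a steady gap point to a stale credential in a job, while several sources or protocols, varied reasons and sub-second gaps support the brute-force reading.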