Understanding alert Password Spray in MCAS with details


Hello, we are facing an alert in our MCAS: "Risky sign-in: password spray". There is one activity associated with it after clicking on this alert:
Description: Failed log on (Failure message: Strong authentication is required.)
Type: (in app): Login:login
User: (our user)
IP address: some remote IP

I have read about this here: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/advancing-password-spray-atta...

But my question is what it means in detail?
- Did our user from the activity perform the spray attack?
- Did the IP address from the activity alert perform the spray attack?
- Was our user hit by a spray attack that came from the IP address in the activity alert?

Basically, I am looking for a way of investigating this.


Hello @Rberlinski,

If you are looking for a guide on how to investigate MCAS alerts, and especially the "Multiple failed logins" type of alert, this might be helpful:

Cloud App Security anomaly detection alerts investigation guide | Microsoft Docs

It provides: "general and practical information on each alert, to help with your investigation and remediation tasks"

Thanks, but this is far from what I expected. After a short call with MS, the "password spray" alert more or less means that the user used a password which is flagged as common during this attack, based on MS experience. My case is still open; I will let you know when I grab some additional details.
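As an added illustration of the investigation the thread asks about (not code from the posts above, from MCAS, or from Microsoft), the script below profiles failed sign-ins per source IP to separate a spray pattern (one IP, many accounts, one or two attempts each) from a single-account brute force, and then answers the three questions from the question post for one alert's user and IP. The sign-in records, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-ins (not real tenant data): (timestamp, user, source_ip,
# failure_message). 203.0.113.10 walks many accounts once each; 198.51.100.7 hammers one.
SAMPLE_FAILURES = [
    ("2021-05-20T10:00:01", "alice@example.com", "203.0.113.10", "Invalid password"),
    ("2021-05-20T10:00:09", "bob@example.com", "203.0.113.10", "Invalid password"),
    ("2021-05-20T10:00:17", "carol@example.com", "203.0.113.10", "Invalid password"),
    ("2021-05-20T10:00:25", "dave@example.com", "203.0.113.10", "Invalid password"),
    ("2021-05-20T10:00:33", "erin@example.com", "203.0.113.10", "Strong authentication is required."),
    ("2021-05-20T10:00:41", "frank@example.com", "203.0.113.10", "Invalid password"),
    ("2021-05-20T11:00:00", "alice@example.com", "198.51.100.7", "Invalid password"),
    ("2021-05-20T11:00:02", "alice@example.com", "198.51.100.7", "Invalid password"),
    ("2021-05-20T11:00:04", "alice@example.com", "198.51.100.7", "Invalid password"),
    ("2021-05-20T11:00:06", "alice@example.com", "198.51.100.7", "Invalid password"),
    ("2021-05-20T12:00:00", "erin@example.com", "192.0.2.5", "Invalid password"),  # single typo
]

def profile_sources(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Group failures by source IP and flag spray-like sources: one IP, many distinct
    users, each tried only a few times, all inside `window`. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for ts, user, ip, _msg in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    profiles = {}
    for ip, hits in by_ip.items():
        hits.sort()  # chronological, so span = last - first
        per_user = defaultdict(int)
        for _, user in hits:
            per_user[user] += 1
        span = hits[-1][0] - hits[0][0]
        worst = max(per_user.values())  # attempts against the most-hit account
        profiles[ip] = {
            "users": len(per_user),
            "attempts": len(hits),
            "max_per_user": worst,
            "spray": len(per_user) >= min_users and worst <= max_per_user and span <= window,
        }
    return profiles

def explain_alert(events, user, ip):
    """Answer the thread's three questions for one alert. A spray is attributed to the
    source IP; the flagged user is one of its targets, not the party performing it."""
    src = profile_sources(events).get(ip, {"spray": False, "users": 0})
    return {
        "ip_looks_like_spray_source": src["spray"],
        "users_tried_from_ip": src["users"],
        "user_among_targets": any(u == user and i == ip for _, u, i, _ in events),
    }
```

In practice the events would be exported from the MCAS activity log or Azure AD sign-in logs filtered to failures around the alert time; the per-IP profile is what tells you whether the alert IP is the spraying source and how many other accounts it touched.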