Microsoft Entra Blog

Advancing Password Spray Attack Detection

Alex Weinert
Microsoft
Oct 26, 2020

Hey folks,

In this blog, I am going to tell you about an amazing addition to our family of credential compromise detection capabilities: this one uses our machine learning technology and global signal to create incredibly accurate detection of a nuanced attack called “password spray.” This is a great example of how worldwide, multi-tenant detection combines with rapidly evolving detection technology to keep you safe from this very common attack.

Understanding Password Spray


Password spray is one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. The effective forms of this attack are “low and slow,” where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant’s view, there are so few login attempts, with so little consistency between them, that the attack is undetectable. A customer might only see one or two failed logins from these attacks in a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking. Password spray attacks have a 1 percent success rate for accounts (unless they use password protection - please use it!).

It is only when we look across the tenants around the world and evaluate the complete picture of logins that we can reliably detect the patterns. The following chart shows a password spray attack that was observed on our system:

[Chart: failed sign-in attempts over time, one color per password hash]

Each color tracks a different password hash for login attempts with incorrect passwords in Azure Active Directory (Azure AD). Looking across millions of tenants, we can see the pattern of a password spray attack. Normally the graph would be flat and evenly dispersed as you see on the left side. The huge elevation of a single hash failing across many accounts indicates a single password being attempted against hundreds of thousands of usernames from many tenants—a password spray attack in progress. This lens extends our detections beyond traffic from a set of IP addresses (a few of these attacks have originated from millions of IP addresses) and instead correlates the patterns of authentications the bad actors are attempting.

The Evolution of Password Spray Detection


To detect password sprays, we built a heuristic detection using the approach previously described. It worked well: by looking at these failure patterns across our worldwide traffic, we were able to notify tenants of hundreds of thousands of attacks monthly (by raising user risk) so they could protect their organizations.
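To make the difference between the per-tenant view and the cross-tenant view concrete, here is an added Python example; it is not code from this blog or from Azure AD. It builds a constructed set of failed sign-in events (background noise plus one low-and-slow spray that touches each tenant exactly once), shows that a per-tenant failure threshold sees nothing, and then aggregates by password hash across all tenants the way the chart above does. The keyed-hash bucketing, the field names and the thresholds (min_tenants, ratio) are assumptions of this example, not Microsoft’s heuristic.

```python
from collections import defaultdict
import hashlib
import hmac

# Assumption (not from the blog): a failed-attempt password is reduced to a keyed
# hash before it is counted, so the raw string is never stored or compared.
HMAC_KEY = b"constructed-demo-key"


def pwd_bucket(password: str) -> str:
    """Map a failed password to an opaque bucket id (truncated HMAC-SHA256)."""
    return hmac.new(HMAC_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_sample_events():
    """Constructed failed-sign-in events for the demo.

    Noise: 200 tenants, two users each, mistyping their own (unique) passwords,
    so every noise hash appears for exactly one account.
    Spray: one common password tried once against one account in each of 150 tenants.
    """
    events = []
    for t in range(200):
        for u in range(2):
            events.append({
                "tenant": f"tenant{t}",
                "user": f"user{u}@tenant{t}.example",
                "pwd_hash": pwd_bucket(f"typo-{t}-{u}"),
            })
    for t in range(150):
        events.append({
            "tenant": f"tenant{t}",
            "user": f"admin@tenant{t}.example",
            "pwd_hash": pwd_bucket("Fall2020!"),  # constructed spray password
        })
    return events


def per_tenant_alerts(events, threshold=5):
    """The single-tenant view: failures per (tenant, password hash).

    A low-and-slow spray leaves one failure per tenant, so nothing reaches the
    threshold and each tenant sees only ordinary noise.
    """
    counts = defaultdict(int)
    for e in events:
        counts[(e["tenant"], e["pwd_hash"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def global_spray_candidates(events, min_tenants=50, ratio=20.0):
    """The cross-tenant view: distinct accounts and tenants per password hash.

    Flags a hash that fails across at least `min_tenants` tenants and across
    `ratio` times more distinct accounts than the median hash (the flat baseline
    on the left of the chart).
    """
    accounts = defaultdict(set)
    tenants = defaultdict(set)
    for e in events:
        accounts[e["pwd_hash"]].add(e["user"])
        tenants[e["pwd_hash"]].add(e["tenant"])
    sizes = sorted(len(s) for s in accounts.values())
    median = sizes[len(sizes) // 2]
    return {
        h: {"accounts": len(accounts[h]), "tenants": len(tenants[h])}
        for h in accounts
        if len(tenants[h]) >= min_tenants and len(accounts[h]) >= ratio * median
    }


if __name__ == "__main__":
    evts = build_sample_events()
    print("per-tenant alerts:", per_tenant_alerts(evts))        # {}
    print("global candidates:", global_spray_candidates(evts))  # one hash: 150 accounts, 150 tenants
```

The per-tenant function returns nothing even with a threshold as low as five failures, because the spray touches each tenant once; the global function flags the single hash that hit 150 distinct accounts in 150 tenants while every other hash hit one. The median-based baseline is what keeps the rule from firing on a merely popular typo inside one large tenant, since that hash never crosses the min_tenants bar.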


But we weren’t satisfied. So our data scientists started researching the use of these patterns and additional data to train a new supervised machine learning system incorporating IP reputation, unfamiliar sign-in properties, and other deviations in account behavior. The results of this research led to this month’s release of the new password spray risk detection. This new machine learning detection yields a 100 percent increase in recall over the heuristic algorithm described above, meaning it detects twice the number of compromised accounts of the previous algorithm. It does this while maintaining the previous algorithm’s amazing 98 percent precision—meaning if this algorithm says an account fell to password spray, it’s almost certain that it did.

Azure AD Identity Protection customers will see this new risk detection in the portal and APIs for Identity Protection. The following screenshot provides a sample of the new risk detection:

[Screenshot: the password spray risk detection as shown in Identity Protection]

This new password spray detection is a great example of how we use intelligence gained across Microsoft’s identity systems to continuously expand and improve our protections—which you can use to automate processes in Azure AD Conditional Access, in Azure Sentinel, or through the APIs for anything you can imagine. For more information about other risk detections and how you can enable Identity Protection in your own organization, see the article, “What is Identity Protection?”. The team is committed to exploring and creating new and innovative approaches to protect our customers. I look forward to detailing these new protection systems for you in the future.

Stay safe out there!


-Alex (@alex_t_weinert)

Updated Oct 26, 2020
Version 4.0
  • John_Joyner
    Brass Contributor

    Hi Alex, this is a great new detection, we are seeing this alert in production customer subscriptions. We have pointed out guidance like this to customers: https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/. Other than a constant reminder of the threat faced without complex passwords and MFA, is there anything actionable for our customers when this detection fires? Our current SOC protocol is to share this alert with customers a few times along with reminders to verify password and MFA policies, then suppress alerting notifications to reduce alert fatigue. If there is a better way to triage or mitigate this incident please let us know. Thanks, John

  • HansAndrzenCZ
    Copper Contributor

    Well, when password spray is used and finds the password -> the MFA triggers -> the attacker knows that the user/password combination is correct.
    Then the next step is done: MFA bombing the user with MFA requests. And the user could act as expected: I have so many apps that trigger the MFA prompt, so even though I am not aware of an actual interactive sign-in request, some app is authenticating in the background, so I confirm the MFA, and the attacker is inside. 🤔