Hunting for Low and Slow Password Sprays Using Machine Learning (ML Deep Dive) (microsoft.com)
Microsoft’s threat intelligence teams are observing increasing use of password sprays as an attack vector. As sign-in protections have improved, the “low and slow” variant has become more common; in many instances, performing a password spray attack very slowly is necessary to prevent account lockout or detection. Tools to perform low and slow sprays are also more readily available as open source, and the majority of them can be configured to make use of free or paid proxy services, further amplifying the issue.
We have just released a new guided hunting notebook for Microsoft Sentinel which leverages machine learning to tackle the difficult problem of detecting low and slow password spray campaigns. (This augments the more broadly scoped password spray detection already provided via Microsoft’s Azure AD Identity Protection Integration for Sentinel; see Advancing Password Spray Attack Detection - Microsoft Tech Community.)