Password Spraying: What To Do And How To Prevent Attacks For Your Organization

March 1, 2022

Note: For a deeper dive into password spraying, check out the original post on Depth Security’s blog.

Password spraying, huh? What do these two seemingly unconnected words have to do with each other, and more importantly with you? Well, it’s no secret that cyberattacks are a worry for all businesses, with IDC predicting that one-third of SMBs will experience a security breach every quarter by 2024. And one of the ways attackers look to gain their initial foothold on a network is by obtaining authenticated access to poorly protected accounts.

You guessed it. This is often accomplished by “spraying” or guessing common passwords against user accounts. In fact, a recent post by Microsoft’s Detection and Response Team (DART) indicates that attackers are increasingly relying on password spraying to gain an “initial foothold” on victim networks.

How this approach is being used by attackers

Historically, password spraying attacks have been most effective when performed using a “low and slow” approach, where a few passwords are tried against many user accounts. Launching even the most basic password spraying attack takes careful planning to be effective. The first step is usually building a list of target user accounts, typically composed of common first and last names joined in predictable formats.

Once a list of target users is identified, a list of passwords (or a single password) is usually selected from credentials leaked in public data breaches. According to NordPass’ 2020 analysis of public breach data containing over 275 million passwords, the top 200 worst passwords include “123456”, “password”, and “welcome”. Attackers often use these bad passwords in their initial password list, and later augment it with company-specific passwords like “CompanyName123”, or seasonal passwords like “Fall2021!”. As a side note: it’s astonishing how often we see user accounts configured with seasonal passwords or default passwords. This is why we recommend that security administrators consider configuring Azure Active Directory (AD) with a custom list of banned passwords to stop users from choosing these weak passwords.
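To show what a custom banned-password list catches, here is an added example (not code from the original post or from Azure AD) of a policy check that rejects the weak passwords named above, the company name, and seasonal passwords, even when they are disguised with common character substitutions. The banned terms, the substitution table and the year rule are constructed assumptions for illustration; Azure AD's own matching algorithm is not reproduced here.

```python
import re

# Weak passwords the post quotes from the NordPass list, plus constructed
# organisation-specific terms an administrator would put on a custom banned
# list (the company name and season names, given how common "Fall2021!" is).
GLOBAL_BANNED = {"123456", "password", "welcome"}
CUSTOM_BANNED = {"companyname", "spring", "summer", "fall", "autumn", "winter"}

# Character substitutions undone before matching so "P@ssw0rd" is caught as
# "password". Assumption: this table is our own illustration, not the
# matching algorithm Azure AD actually uses.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                               "3": "e", "4": "a", "!": "i"})
YEAR_RE = re.compile(r"(19|20)\d\d")


def normalize(password):
    """Lower-case the password and undo common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_term(password, custom=CUSTOM_BANNED):
    """Return the longest banned term found inside the normalised password, or None."""
    norm = normalize(password)
    for term in sorted(GLOBAL_BANNED | set(custom), key=len, reverse=True):
        if term in norm:
            return term
    return None


def check_password(password, custom=CUSTOM_BANNED, min_length=12):
    """Return the reasons a password would be rejected (empty list if it passes)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    term = banned_term(password, custom)
    if term:
        reasons.append(f"contains banned term '{term}'")
    if YEAR_RE.search(password):          # seasonal passwords carry a year
        reasons.append("contains a year")
    return reasons
```

Running `check_password("Fall2021!")` reports all three problems, while a long passphrase with no banned term passes.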

How to prevent it

The risks associated with a password spraying attack depend on whose account within your organization was breached, and what level of access that account has. If the compromised account belongs to an employee outside of the IT realm, an attacker will likely have a harder time using that access to spread through the network. But if the account belongs to a system administrator or a user with privileged access to internal resources, the attacker could steal business-critical information or compromise the entire network.

While there is no silver bullet to prevent password spraying, enforcing multifactor authentication (MFA) on all user accounts is an effective mitigation that prevents unauthorized access should the credentials to an account be compromised. MFA requires an additional factor, beyond the username and password, to verify a user’s identity. This means that if someone in your organization uses an obvious password to secure their account, unauthorized access is still prevented because the cybercriminal cannot get through the second layer of authentication (often a one-time PIN or a push notification sent to a mobile device).

There are also other mitigations that make password spraying less effective for an attacker. Organizations can configure external applications and perimeter systems to monitor for recurring authentication attempts and block sources that are password spraying. Rate-limiting controls on authentication endpoints are another mitigation that can slow password spraying attacks down considerably.
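The monitoring described above has to look for the “low and slow” shape: one source failing against many different accounts while staying under the per-account lockout threshold. As an added example (not code from the original post or from any product), the detector below runs that check over constructed authentication log lines; the log format, IP addresses, usernames and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post), one attempt per line:
# "<timestamp> <source_ip> <username> <FAIL|SUCCESS>". 203.0.113.7 tries one
# guess against many accounts; 198.51.100.4 is a user mistyping their own password.
SAMPLE_LOG = """\
2022-03-01T09:00:01Z 203.0.113.7 alice.smith FAIL
2022-03-01T09:00:14Z 203.0.113.7 bob.jones FAIL
2022-03-01T09:00:27Z 203.0.113.7 carol.white FAIL
2022-03-01T09:00:40Z 203.0.113.7 dave.brown FAIL
2022-03-01T09:00:53Z 203.0.113.7 erin.black SUCCESS
2022-03-01T09:01:06Z 203.0.113.7 frank.green FAIL
2022-03-01T09:05:00Z 198.51.100.4 alice.smith FAIL
2022-03-01T09:05:30Z 198.51.100.4 alice.smith FAIL
2022-03-01T09:06:00Z 198.51.100.4 alice.smith SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Yield (timestamp, source, user, succeeded) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails against >= min_users distinct accounts inside
    `window` while never exceeding max_per_user failures per account (the shape
    that stays under a lockout threshold). Also lists accounts that source
    later logged into, so responders know which credentials to reset first."""
    by_source = defaultdict(list)
    for ev in sorted(parse(log_text)):
        by_source[ev[1]].append(ev)
    alerts = {}
    for source, evs in by_source.items():
        fails = [e for e in evs if not e[3]]
        for i, first in enumerate(fails):          # slide the window over failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - first[0] <= window:
                    per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                succeeded = sorted({e[2] for e in evs if e[3]})
                alerts[source] = {"users": len(per_user), "succeeded": succeeded}
                break
    return alerts
```

On the sample data only 203.0.113.7 is flagged, with erin.black listed as the account whose password was guessed; the user retrying their own password is not.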

A new approach

So far in this post we’ve discussed how a password spraying attack is prepared, and some ways it may be prevented, but we haven’t discussed how we can use this knowledge to effectively execute a password spraying operation on our own. And while that may feel counterintuitive, regularly searching for weak credentials is key to identifying ways your Active Directory network may be remotely compromised.

Why? Well, a password spraying attack is one of the most useful items in a penetration tester’s toolbox. This technique is used in nearly all external and internal network penetration tests we (Depth Security, a Konica Minolta company focusing on penetration testing) perform. We even developed an open source tool that uses some novel techniques to conduct more effective password spraying attacks against Microsoft Office 365 and Azure authentication endpoints.

Built with Python 3 using the Microsoft Authentication Library, Spray365 helps penetration testers and network defenders alike run effective password spraying operations. Spray365 is highly configurable, and its two-step password spraying approach allows for predictable and resilient password spraying not found in other spraying tools available today. An “execution plan”, a predetermined list of accounts to target in a later attack, can be built using Spray365’s “generate” mode. Once an execution plan is created, Spray365’s “spray” mode can be used to conduct the password spraying attack. Both modes accept optional parameters that can improve the performance and reliability of password spraying attacks.

With these options in mind, feel free to give Spray365 a try! Before password spraying, remember that attacking targets without mutual consent is illegal, and may violate terms of service agreements or acceptable use policies. It is the end user’s responsibility to make sure they are not violating any laws or agreements. And if you’d much rather leave it in the hands of the experts, you can contact sales@depthsecurity.com or visit our website for more information.

Mark Hedrick
Senior Offensive Security Consultant with Depth Security, a Konica Minolta Service