Advancing Password Spray Attack Detection

Hey folks,

In this blog, I am going to tell you about an amazing addition to our family of credential compromise detection capabilities – this one uses our technology and global signal to create incredibly accurate detection of a nuanced attack called “password spray.” This is a great example of where worldwide, multi-tenant detection combines with rapidly evolving detection technology to keep you safe from this very common attack.

Understanding Password Spray

Password spray is one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are “low and slow,” where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant's view, there are so few login attempts with such poor consistency that the attack is undetectable. A customer might only see one or two failed logins happen from these types of attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking. Password spray attacks have a 1 percent success rate for accounts (unless they use password protection – please use it!).

It is only when we look across the tenants around the world and evaluate the complete picture of logins that we can reliably detect the patterns. The following chart shows a password spray attack that was observed on our system:


Each color tracks a different password hash for login attempts with incorrect passwords in Azure. Looking across millions of tenants, we can see the pattern of a password spray attack. Normally the graph would be flat and evenly dispersed, as you see on the left side. The huge elevation of a single hash failing across many accounts indicates a single password being attempted against hundreds of thousands of usernames from many tenants: a password spray attack in progress. This lens extends our detections beyond traffic from a set of IP addresses (a few of these attacks have originated from millions of IP addresses) and instead correlates the patterns the bad actors are attempting.

The Evolution of Password Spray Detection

To detect password sprays, we built a heuristic detection using the approach previously described. It worked great – by looking at the core failure in the system in our worldwide traffic we were able to notify tenants of hundreds of thousands of attacks monthly (increased user risk) so they could protect their organizations.
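A minimal sketch of this kind of cross-tenant heuristic, added here as an illustration and not Microsoft's detection code: it buckets failed sign-ins by hour and password hash, then flags a hash that fails across far more accounts and tenants than the flat baseline for that hour. The record layout, thresholds, function names and sample data are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import median

def spray_candidates(failures, min_accounts=20, min_tenants=3, ratio=10.0):
    """Flag (hour, hash) buckets where one wrong-password hash fails across
    far more accounts than the typical hash in that hour.
    failures: iterable of (hour, tenant, account, pw_hash, ip).
    Thresholds are illustrative assumptions, not tuned values."""
    accounts = defaultdict(set)   # (hour, hash) -> distinct (tenant, account)
    tenants = defaultdict(set)    # (hour, hash) -> distinct tenants
    for hour, tenant, account, pw_hash, _ip in failures:
        accounts[(hour, pw_hash)].add((tenant, account))
        tenants[(hour, pw_hash)].add(tenant)

    # Baseline per hour: the "flat" level, i.e. the median distinct-account
    # count over every hash seen failing in that hour.
    per_hour = defaultdict(list)
    for (hour, _hash), accts in accounts.items():
        per_hour[hour].append(len(accts))

    flagged = []
    for (hour, pw_hash), accts in accounts.items():
        n_acct, n_ten = len(accts), len(tenants[(hour, pw_hash)])
        if (n_acct >= min_accounts and n_ten >= min_tenants
                and n_acct >= ratio * median(per_hour[hour])):
            flagged.append((hour, pw_hash, n_acct, n_ten))
    return sorted(flagged)

def max_failures_per_ip(failures):
    """Highest failure count any single IP produced in one hour."""
    return max(Counter((hour, ip) for hour, _t, _a, _h, ip in failures).values())

def build_sample():
    """Constructed sign-in failures: background typos plus one spray in hour 2."""
    rows = []
    for hour in range(3):
        for i in range(40):  # each mistyped password fails for one account
            rows.append((hour, f"tenant{i % 8}", f"user{i}",
                         f"hash-typo-{hour}-{i}", f"198.51.100.{i}"))
    for i in range(60):      # one hash, 60 accounts, 6 tenants, 60 source IPs
        rows.append((2, f"tenant{i % 6}", f"acct{i}",
                     "hash-spray", f"203.0.113.{i}"))
    return rows

if __name__ == "__main__":
    sample = build_sample()
    print(spray_candidates(sample))      # the spiking hash stands out
    print(max_failures_per_ip(sample))   # per-IP counting sees nothing unusual
```

In the constructed data every source IP fails only once per hour, so an IP-based threshold stays silent while the per-hash view isolates the spray.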

But we weren't satisfied. So our data scientists started researching the use of these patterns and additional data to train a new supervised system incorporating IP reputation, unfamiliar sign-in properties, and other deviations in account behavior. The results of this research led to this month's release of the new password spray risk detection. This new detection yields a 100 percent increase in recall over the heuristic algorithm described above, meaning it detects twice the number of compromised accounts of the previous algorithm. It does this while maintaining the previous algorithm's amazing 98 percent precision, meaning if this algorithm says an account fell to password spray, it's almost certain that it did.

Identity Protection customers will see this new risk detection in the portal and APIs for Identity Protection. The following screenshot provides a sample of the new risk detection:


This new password spray detection is a great example of how we use intelligence gained across Microsoft's identity systems to continuously expand and improve our protections—which you can use to automate processes in Azure AD Conditional Access, in Azure Sentinel, or through the APIs for anything you can imagine. For more information about other risk detections and how you can enable Identity Protection in your own organization, see the article, “What is Identity Protection?”. The team is committed to exploring and creating new and innovative approaches to protect our customers. I look forward to detailing these new protection systems for you in the future.

Stay safe out there!

-Alex (@alex_t_weinert)


This article was originally published by Microsoft's Core Infrastructure and Security Blog.