
What is password spraying?

Password spraying is a type of brute force attack against login credentials. Rather than hammering one account with many passwords, the attacker takes a list of usernames and tries each one with a small number of candidate passwords: the default password for the application or device, or a shortlist of the most popular passwords drawn from leaked lists.

Characteristics of password spraying

Password spraying attacks are performed with publicly available automated tools and large password databases compiled from a series of breaches. The largest of these, such as COMB (Compilation of Many Breaches), contain billions of records, from which attackers select the most frequently used passwords to spray.

Password spraying is difficult to detect unless alerting is explicitly designed to look for it: per-account failure counts stay low, so the signal only appears when failures are aggregated across accounts, for example by source address, time window or password pattern.

Known as the “low-and-slow” technique, password spraying is specifically designed to avoid tripping the most common login protections, which throttle attempts on a single account (for example, locking the account after too many failed attempts). By spreading the attempt across many usernames and trying each username-password pair only once per window, attackers stay under per-account thresholds and can continue for extended periods without detection.

Password spraying is particularly successful against applications or devices that ship with a default password. When performed en masse, the attack finds the accounts whose default password was never changed, giving attackers access.

This attack can also succeed with a small number of very popular passwords. Since the 25 most popular passwords account for roughly 10 percent of all passwords, and the single most popular one for around 4 percent, a large organization that is not properly protected can quickly fall to such an attack.

Password spraying typically targets management services on well-known ports. According to MITRE ATT&CK (Brute Force: Password Spraying, T1110.003), commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to these services, CISA notes that attackers target single sign-on (SSO) and cloud applications that use federated login. “An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise,” the agency adds.

The initial set of usernames is typically collected through social engineering and basic online research (Google, LinkedIn, etc.). Once a single account is compromised, downloading the Global Address List (GAL) gives the attacker the complete list of user accounts to spray.

Indicators of an ongoing password spraying attack, as enumerated by CISA, include:

  • Large spike in attempted logins against an enterprise SSO or web-based application.
  • Employee logins from locations inconsistent with the usual locations.
  • Failed logins from non-existent or inactive accounts.
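The “low-and-slow” signature and the CISA indicators above translate directly into a detection rule: aggregate failed logins per source address, and alert when one source fails against many distinct accounts while touching each account only once or twice (wide and shallow), flagging any success from that source and any failures against accounts that do not exist. The following is an added example written for this page, not code from the original article or from any vendor product. The log format, the known-user list, the sample log lines and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). The format assumed for this example is:
#   <timestamp> <source-ip> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:03Z 203.0.113.7 bob FAIL
2024-03-01T09:00:05Z 203.0.113.7 carol FAIL
2024-03-01T09:00:07Z 203.0.113.7 dave FAIL
2024-03-01T09:00:09Z 203.0.113.7 erin FAIL
2024-03-01T09:00:11Z 203.0.113.7 jsmith FAIL
2024-03-01T09:00:13Z 203.0.113.7 frank FAIL
2024-03-01T09:00:15Z 203.0.113.7 grace SUCCESS
2024-03-01T09:05:00Z 198.51.100.4 alice FAIL
2024-03-01T09:05:10Z 198.51.100.4 alice FAIL
2024-03-01T09:05:20Z 198.51.100.4 alice SUCCESS
2024-03-01T09:10:00Z 192.0.2.9 heidi SUCCESS
"""

# Constructed directory of valid accounts; failures against anything else are
# the "non-existent or inactive accounts" indicator.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAIL)$"
)

# Thresholds are assumptions for the example; tune them to the tenant's baseline.
MIN_DISTINCT_USERS = 5   # wide: many different accounts failed from one source
MAX_FAILS_PER_USER = 2   # shallow: each account tried only once or twice


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events):
    """Return per-source findings for sources that look like a spray or that hit unknown accounts."""
    per_source = defaultdict(
        lambda: {"fails": defaultdict(int), "unknown": set(), "successes": []}
    )
    for e in events:
        s = per_source[e["src"]]
        if e["result"] == "FAIL":
            s["fails"][e["user"]] += 1
            if e["user"] not in KNOWN_USERS:
                s["unknown"].add(e["user"])
        else:
            s["successes"].append(e["user"])

    findings = {}
    for src, s in per_source.items():
        distinct = len(s["fails"])
        deepest = max(s["fails"].values(), default=0)
        # Spray signature: many accounts, few attempts each. A user mistyping
        # their own password (few accounts, several attempts) does not match.
        is_spray = distinct >= MIN_DISTINCT_USERS and deepest <= MAX_FAILS_PER_USER
        if is_spray or s["unknown"]:
            findings[src] = {
                "spray": is_spray,
                "distinct_failed_users": distinct,
                "max_failures_per_user": deepest,
                "unknown_users": sorted(s["unknown"]),
                # A success from a spraying source is the account most likely compromised.
                "possible_hits": s["successes"] if is_spray else [],
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

On the sample, 203.0.113.7 is reported as a spray (seven accounts, one failure each, one failure against the unknown user jsmith, and a success on grace that should trigger a credential reset), while 198.51.100.4, which fails twice on alice and then succeeds, is left alone. In production the same aggregation should also be run per password hash or per time window, since attackers rotate source addresses through proxies.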

How to prevent and mitigate password spraying

Because password spraying is a relatively unsophisticated attack, there is a range of effective mitigations:

  1. Multi-factor authentication
    Multi-factor authentication (MFA) is highly effective against both password spraying and credential stuffing. By requiring another factor besides the password to grant access to corporate resources, MFA makes a guessed password worthless on its own. Enforce it for every account, including legacy and test accounts, since a single unenrolled account is enough for the attacker.
  2. Passwordless authentication
    Passwordless authentication eliminates passwords altogether and instead uses a variety of other factors to successfully authenticate each user. These factors could be a pre-registered mobile device, a biometric factor or verifying ownership of an email inbox using a magic link.
  3. NIST password guidelines
    In recent years, there has been a quiet revolution around passwords. The current NIST guidelines (SP 800-63B), for example, no longer recommend periodic password expiry. Instead, they recommend longer (and less complex) passphrases, and screening new passwords against lists of breached passwords so that the popular passwords a spray relies on are never accepted in the first place.
  4. Privileged access management (PAM)
    Critical systems and privileged user accounts should get additional protection. Modern PAM tools like One Identity Safeguard allow for single-use passwords, where the password is reset to a new random value after each use. This greatly reduces the impact of password spraying, and also of recently stolen passwords (for example, captured by a keylogger), since a password that has already been used is useless to attackers.
  5. Blocking obfuscated traffic
    Attackers typically try to hide their tracks by obfuscating or anonymizing their IP addresses using services like Tor or residential proxies. These can present a location close to the organization under attack, bypassing geolocation-based security rules. By blocking known anonymization services at the network level, organizations gain a degree of protection against password spraying, though this is a supporting control rather than a substitute for MFA.
  6. Disable orphan accounts
    Accounts that fall out of use for any reason are a particularly attractive target for such attacks. They may still have the default password, or may never have been enrolled in MFA, leaving them less protected than the corporate baseline. With proper IAM tooling, organizations can discover such accounts and safely disable them before they become a liability.
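The NIST item above (screening new passwords against breached-password lists, with length rather than complexity rules) is the control that removes the attacker's ammunition, since a spray only works if some users hold one of the few passwords tried. The block below is an added example written for this page, not code from the original article, from NIST, or from any breach-lookup service. It shows the k-anonymity pattern used by public breached-password services: the client hashes the candidate with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally, so the full password (or even its full hash) never leaves the client. The breach corpus, its hit counts and the range store that stands in for the remote service are constructed for the example.

```python
import hashlib

# Constructed stand-in for a breach corpus: a few well-known weak passwords with
# made-up occurrence counts. A real deployment would use a full breached list.
BREACHED = {
    "password": 9_000_000,
    "123456": 24_000_000,
    "Summer2024": 1_200,
    "Welcome1": 8_000,
}


def sha1_upper(password):
    """Uppercase hex SHA-1, the hash form these range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side view: hashes grouped by their 5-character prefix. This is what a
# k-anonymity range endpoint would serve for a given prefix.
RANGE_STORE = {}
for _pw, _count in BREACHED.items():
    _h = sha1_upper(_pw)
    RANGE_STORE.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix):
    """Server role: return every (suffix, count) pair sharing the prefix.

    The server learns only the 5-character prefix, never the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_STORE.get(prefix.upper(), [])


def breach_count(password):
    """Client role: query by prefix, then match the suffix locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_password(password, min_len=8, max_len=64):
    """NIST SP 800-63B style acceptance check.

    Length bounds only (no composition rules, no forced rotation), and any
    password present in the breach corpus is rejected outright."""
    if len(password) < min_len:
        return False, "too short"
    if len(password) > max_len:
        return False, "too long"
    hits = breach_count(password)
    if hits:
        return False, f"found in breach corpus ({hits} times)"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Summer2024", "short", "correct horse battery staple"]:
        print(repr(pw), evaluate_password(pw))
```

Note what is and is not rejected: "Summer2024" satisfies every classic complexity rule and is still refused because it is in the corpus, while the long, all-lowercase passphrase is accepted. Because the check runs at password-set time, it blocks the seasonal and default-style passwords a spray tries without adding friction to login.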

Password spraying vs. Credential Stuffing

Credential stuffing and password spraying are both automated, brute force attacks that target logins. However, credential stuffing differs in method and requires a different set of mitigations compared to password spraying.

In a credential stuffing attack, the attacker replays username and password pairs stolen in earlier breaches (from COMBs or similar dumps) against the target's login, betting that users reused the same password elsewhere. Each account receives the passwords already associated with it, but the whole list is run as fast as the login endpoint allows. If we described password spraying as “low-and-slow,” credential stuffing is more like “high-and-fast.” When it is not well targeted, this approach trips the alarms in any access control system and triggers lockouts for the targeted accounts. Credential stuffing is particularly dangerous when it operates with recently stolen, still-valid credentials, because a correct pair produces a successful login on the first try, and organizations often overlook successful login events.

Notable breaches attributable to password spraying

While password spraying attacks have a long history, the first widely reported wave occurred around 2018. In 2024, another major wave emerged, prompting Cisco and Okta to warn their customers about the ongoing attacks.

Microsoft/Midnight Blizzard: In January 2024, Microsoft disclosed a nation-state attack against its corporate systems. The investigation confirmed that initial access was gained through a password spray against a legacy, non-production test tenant account that did not have multi-factor authentication enabled. That foothold was used in an attack that culminated in the theft of some Microsoft email messages and access to some of Microsoft's source code repositories.

Russian GRU campaign (2019-2021): Starting in mid-2019 and continuing into 2021, the Russian GRU conducted a widespread brute-force campaign targeting government and military organizations, political parties and consultants, energy companies, logistics companies, law firms, media companies and a variety of other entities. Several of these attempts were successful, though their effects remain undisclosed.

Bad Rabbit ransomware: In 2017, the Bad Rabbit ransomware hit organizations and consumers, mostly in Russia and Ukraine. The malware included a built-in spraying component with a hardcoded list of common usernames and passwords, which it used to brute-force other Windows machines on the network over SMB.

Modern Multi-Factor Authentication for Secure apps and data

OneLogin Protect was purpose-built for use with OneLogin’s Platform and provides a seamless, integrated user experience for MFA.