When hackers plan an attack, they often play a numbers game. They can invest a lot of time going after a single high-value target, like a member of the C-suite, and spear phish that person. Or, if they only need low-level access to gain a foothold in the organization or to conduct reconnaissance, they can target a large number of people and spend less time on each of them, which is called password spraying. Last December, Sima Kathuria and I described an example of the first approach, spear phishing campaigns – they are sharper than you think! Today I want to talk about the large-scale tactic: password spray.

In a password spray attack, adversaries try common passwords against a large number of usernames. When I talk to security professionals, I often contrast password spray with brute force attacks. Brute force is targeted: the attacker goes after specific users and cycles through as many passwords as possible, using either a complete dictionary or one tailored to common passwords. An even more targeted password-guessing attack is when the attacker researches a specific person, for example through their social media posts, and tries to guess the password from personal details such as a name they learned there, then tries those candidates against the account. Password spraying is the opposite: the adversary takes a list of accounts and tries to sign in to each one with a small set of the most popular or most likely passwords, until they get a hit. This blog describes what adversaries do to launch these attacks and how you can reduce the risk to your organization.

Three steps to a successful Password Spray Attack

Step one: Acquire a list of usernames

It starts with a list of accounts, and that is easier than it sounds. Most organizations have a formal e-mail naming convention, which lets adversaries construct usernames from a list of employees. If the bad actor has already compromised an account, they can try to enumerate usernames against the domain controller. They can also find or buy usernames online, harvested from previous breaches, online profiles, and so on. The adversary can even have many profiles checked for free!

Step two: Spray passwords

Finding a list of commonly used passwords is even easier. A quick Bing search shows that the most common passwords are published every year; 123456, password, and simple number sequences are usually at the top of the list. Wikipedia lists the 10,000 most common passwords. There are regional variations that may be harder to discover, but many people use their favorite sports team, state, or company as a password. Seahawks, for example, is a very popular password in the Seattle area. Once attackers have done their research, they carefully choose a password and try it against the entire list of accounts, as shown in Figure 1. If the attack fails, they wait 30 minutes to avoid triggering account lockout, then try the next password.

Figure 1: Spraying a single password across multiple accounts.

Step three: Getting access

Eventually, one of the passwords works against one of the accounts. That is what makes password spraying a popular tactic: attackers only need one successful username + password combination. Once they have it, they can access whatever that user can, for example cloud resources in OneDrive. Or they can use the compromised account to explore the target network from the inside and push deeper into systems through privilege escalation.
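The two attack shapes contrasted in this post leave different traces in sign-in logs, which is what a defender can key on: a spray shows many accounts failing a few times each from one source, each staying below the lockout threshold, often in rounds spaced about 30 minutes apart, while brute force shows one account failing many times. The following Python is an added example, not code from the original post; the sign-in events, IP addresses, and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_events():
    """Constructed sample sign-in events (not real log data): (time, user, source_ip, success)."""
    base = datetime(2019, 1, 10, 9, 0)
    events = []
    users = [f"user{i:02d}" for i in range(12)]
    # Spray: one password tried against every account, a ~30-minute pause, then the next password
    for rnd in range(2):
        for i, u in enumerate(users):
            events.append((base + timedelta(minutes=31 * rnd, seconds=2 * i), u, "203.0.113.5", False))
    # Brute force: one account, many guesses in quick succession from a single source
    for i in range(8):
        events.append((base + timedelta(hours=1, seconds=5 * i), "user03", "198.51.100.9", False))
    # Normal user: one typo, then a successful sign-in
    events.append((base + timedelta(minutes=5), "user07", "192.0.2.20", False))
    events.append((base + timedelta(minutes=5, seconds=20), "user07", "192.0.2.20", True))
    return events


def classify_source(failures, window, min_accounts, lockout_threshold):
    """Classify the failed sign-ins from one source IP, given as a time-sorted list of (time, user).
    'brute_force': some account fails at least lockout_threshold times within the window.
    'spray': at least min_accounts distinct accounts fail, each fewer than lockout_threshold times.
    'normal': anything else."""
    label = "normal"
    for i, (t0, _) in enumerate(failures):
        counts = Counter()
        for t, u in failures[i:]:
            if t - t0 > window:
                break
            counts[u] += 1
        if max(counts.values()) >= lockout_threshold:
            return "brute_force"
        if len(counts) >= min_accounts:
            label = "spray"
    return label


def classify_sources(events, window=timedelta(hours=1), min_accounts=10, lockout_threshold=5):
    """Group failed sign-ins by source IP and return {source_ip: label}."""
    by_ip = defaultdict(list)
    for t, user, ip, success in sorted(events):
        if not success:
            by_ip[ip].append((t, user))
    return {ip: classify_source(f, window, min_accounts, lockout_threshold) for ip, f in by_ip.items()}


if __name__ == "__main__":
    for ip, label in classify_sources(make_events()).items():
        print(f"{ip:15} {label}")
```

Tune min_accounts and lockout_threshold to your own lockout policy; a spray that stays just under the threshold is exactly the pattern this flags.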

Even if the vast majority of your employees do not use common passwords, there is a risk that attackers will find the ones who do. The key is to reduce the number of guessable passwords in use in your organization.

Set up Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection makes it easy to eliminate guessable passwords and to configure lockout settings for your environment. The feature includes a global banned password list that Microsoft maintains and updates. You can also block a custom list of passwords specific to your region or company. Once enabled, users can no longer choose a password from either list, which greatly reduces the chance that an adversary guesses a user's password. You can also use this feature to set how many failed sign-in attempts trigger a lockout and how long the lockout lasts.
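To see why a banned list has to be more than an exact-match blocklist, the Python below checks a candidate password against a global list and a custom regional/company list after undoing case and common character substitutions, so that Seahawks2019! and S3@hawk$ are both caught by the custom entry seahawks. This is an added, simplified illustration, not Microsoft's algorithm or code; the lists, the substitution map, and the company name Contoso are constructed.

```python
# Constructed stand-ins: a small "global" list of very common passwords and a custom
# regional/company list of the kind the post suggests for the Seattle area.
GLOBAL_BANNED = {"123456", "password", "qwerty", "letmein"}
CUSTOM_BANNED = {"seahawks", "contoso", "seattle", "washington"}

# Assumed leetspeak-style substitution map; it is not Microsoft's actual normalization table.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})


def normalize(password):
    """Lowercase the password and undo common substitutions so 'S3@hawk$' compares as 'seahawks'."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_term(password, banned):
    """Return the banned term that appears inside the normalized password, or None.
    Both sides are normalized, so '123456' still matches even though it contains digits."""
    norm = normalize(password)
    for term in sorted(banned, key=len, reverse=True):
        if normalize(term) in norm:
            return term
    return None


def check_password(password, global_banned=GLOBAL_BANNED, custom_banned=CUSTOM_BANNED):
    """Return (accepted, reason); the global list is consulted before the custom one."""
    term = banned_term(password, global_banned)
    if term:
        return False, f"contains globally banned term '{term}'"
    term = banned_term(password, custom_banned)
    if term:
        return False, f"contains custom banned term '{term}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "Seahawks2019!", "S3@hawk$", "correct-horse-battery-staple"]:
        print(f"{candidate:30} {check_password(candidate)}")
```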

Attack simulation with Office 365 Advanced Threat Protection (Office 365 ATP)

The Office 365 ATP Attack Simulator lets you run realistic but simulated phishing and password attack campaigns in your organization. Choose a password and then launch a campaign against as many users as you want. The results tell you how many people use that password. Use this data to train users and to build a custom banned password list.

Start your passwordless journey

The best way to reduce the risk of password spraying is to eliminate passwords entirely. Solutions such as Windows Hello or FIDO2 security keys let users sign in with biometrics and/or a physical key or device. Start by enabling multi-factor authentication (MFA) on all your accounts. MFA requires users to sign in with at least two authentication factors: something they know (e.g., a password or PIN), something they are (e.g., biometrics), and/or something they have (e.g., a trusted device).

Read more

We are making progress in cybersecurity by raising the cost of an attack for the adversary. If we make passwords too hard to guess, attackers will rely less on password spraying.

Subscribe to the Security Blog to stay up to date with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest cybersecurity news and updates. To learn more about our security solutions, visit our website. Or reach out to me on LinkedIn or Twitter.