What Is Password Spraying?
Password spraying is a low-noise brute-force attack in which adversaries distribute password guessing attempts across many user accounts using a small set of common, default, or leaked passwords, rather than attempting multiple passwords against a single account. The technique is engineered to evade traditional account lockout defenses and remain below detection thresholds by rotating targets and throttling attempts over time. It is particularly effective against cloud services, SSO portals, and remote access platforms where defenders struggle to correlate distributed authentication failures.
How does password spraying work?
Password spraying operates by inverting the traditional brute-force model, distributing attacks across many accounts instead of concentrating attempts on a single target.
Attack process
The attacker obtains a list of valid usernames such as email addresses or domain accounts via directory enumeration, public sources, or previous breach data. The attacker selects a small set of common or weak passwords including default credentials like "password123," "Welcome1," or "Admin123," commonly leaked passwords from breach databases, or contextual passwords incorporating company name, season, or year.
The attacker distributes login attempts across many accounts, throttling attempts to avoid lockout triggers. This may involve one password per account spread over hours or days, multiple passwords (3 to 5) per account spread over weeks, or rotation across multiple authentication endpoints including O365, Okta, VPN, and others. Successful authentication grants account access, and compromised accounts are used for data theft, lateral movement, or ransomware deployment.
Why it evades detection
Individual accounts see only 1 failed attempt every 24 hours, which looks normal. Aggregate obfuscation occurs because failures are distributed across thousands of accounts, and correlation requires log aggregation. Throttling prevents cumulative failure counts that trigger account locks. Rotating across O365, Okta, VPN, and on-premises AD diffuses detection signals. Modern campaigns integrate CAPTCHA solvers and proxy infrastructure to bypass geofencing according to CrowdStrike's 2025 and Brandefense's 2025 guidance.
Attack volume
Microsoft 365 experiences 4,000-plus password attack attempts per second according to 2024 Microsoft data. Brute force attacks including spraying are the number one initial infection vector for ransomware at 26%, ahead of stolen credentials according to Mandiant M-Trends 2025. Out of 1 million-plus unauthorized login attempts observed in 2024, most were password spraying targeting accounts lacking MFA according to Microsoft Digital Defense Report 2025.
How does password spraying differ from other attacks?
| Aspect | Password Spraying | Brute Force (Single Account) | Credential Stuffing | Credential Harvesting |
|---|---|---|---|---|
| Password source | Common/guessed | Guessed | Harvested/stolen | Stolen at mass scale |
| Target scope | Many accounts (1000s) | Single/few accounts | Many accounts (1000s) | Collection phase |
| Attempts per target | Few (1–5) | Many (100s–1000s) | 1 (validated) | N/A |
| Detection difficulty | Very hard—distributed | Easy—concentrated attempts | Medium—traffic patterns | Hard—stealthy malware |
| Lockout evasion | Yes—throttled | No—triggers lockout | No—but irrelevant if successful | N/A |
| MFA bypass | No—blocked by MFA | No—blocked by MFA | Possible with session cookies | N/A |
| Primary targets | Accounts without MFA | Legacy systems | Any system | Any system with users |
| Timeline | Days to weeks | Hours to minutes | Minutes to hours | Ongoing |
| Ideal for | Evading lockout policies; finding unprotected accounts in partially-MFA environments | Targeted attacks on specific high-value accounts when lockout thresholds are high | Leveraging previously-breached credentials at scale | Initial reconnaissance and credential collection for subsequent attacks |
Password spraying requires no prior credential knowledge—only usernames and guesses. Credential stuffing requires pre-harvested credentials. Spraying is slower but harder to detect, while stuffing is faster but easier to block with MFA according to CrowdStrike's 2025 and Brandefense's 2025 guidance.
Why does password spraying matter?
Password spraying has emerged as a dominant ransomware initial access vector and a persistent threat to organizations with partial MFA adoption.
Prevalence and threat ranking
Brute force attacks including spraying were the number one ransomware initial vector at 26% in 2024, ahead of stolen credentials at 18% and exploits at 12% according to Mandiant M-Trends 2025. Microsoft 365 sees 4,000-plus password attack attempts per second according to a 2024 baseline. Over 90% of 15.9 billion account creation requests in H1 2025 were from bots, with Microsoft blocking nearly 2 million fake signup attempts per hour according to Microsoft in 2025.
MFA adoption gap driving risk
Password spraying campaigns in 2024 "primarily targeted accounts not properly secured by multi-factor authentication" according to Microsoft Digital Defense Report 2025. Organizations with partial MFA adoption are prioritized targets—attackers spray until they find unprotected accounts, then pivot according to Rapid7 in 2025.
Cloud services under siege
Password spraying has escalated against cloud authentication platforms including Microsoft Entra and Okta, and against VPN gateways, as enterprise remote work adoption increases according to CrowdStrike in 2025. NetScaler/Citrix reported organized password spraying campaigns in December 2024 targeting their VPN appliances according to Citrix Blog in 2024. Attackers have adapted tooling to integrate CAPTCHA solvers and proxy rotation to bypass geofencing and rate-limiting defenses according to CrowdStrike's 2025 and Brandefense's 2025 guidance.
Cost and impact
Successful spraying campaigns lead to ransomware deployment, lateral movement, and data exfiltration; the average ransomware cost exceeds $5 million per incident according to Mandiant in 2025.
What are the limitations of password spraying?
Strong technical defenses are highly effective
Multi-factor authentication completely blocks password spraying because attackers cannot leverage guessed passwords if MFA is enabled. Organizations with MFA on all accounts eliminate this attack vector entirely according to Microsoft in 2025. Account lockout policies, even with modest thresholds such as 5 failed attempts per 15 minutes, force attackers to throttle dramatically, extending attack timelines from hours to weeks. Passwordless authentication, including FIDO2, passkeys, and Windows Hello, eliminates password guessing entirely according to Frontegg in 2025.
Detection capabilities exist
Log aggregation and behavioral analytics that monitor for distributed authentication failures across user accounts within time windows reveal patterns invisible at the per-account level. SIEM rules can query for "N accounts with M failed attempts in T seconds" to detect spraying before it succeeds. Threat intelligence, including known common passwords and leaked password lists, enables preemptive blocking of high-probability guesses through mechanisms such as NIST banned password lists and Azure AD Smart Lockout.
Attack constraints
The throttling required to avoid detection extends the attack timeline from hours to weeks, creating operational overhead and increasing exposure to detection. The attack requires a valid username list, and enumeration against modern systems including Office 365 and Okta is increasingly difficult due to directory hardening. Reliance on a few common passwords dilutes effectiveness because attackers are limited to highly popular guesses that are likely to satisfy varying password policies. Conditional access policies, including device compliance and location restrictions, add friction beyond simple password plus MFA.
Bot and proxy detection
CAPTCHA solvers can be detected through fingerprinting and timing analysis. Proxy and VPN rotation creates detectable patterns in geolocation and ASN changes across login attempts. Modern WAF and identity platforms track impossible travel such as login from different continents within seconds.
How can organizations defend against password spraying?
User and individual-level defenses
Enable MFA by activating MFA on all personal and work accounts, prioritizing email and cloud services according to Microsoft's 2025 guidance. Use long, unique passwords or passphrases, and avoid common or contextual passwords like "CompanyName2025." Monitor account activity by reviewing login history and active sessions, and log out from unfamiliar locations. Report suspicious activity by escalating multiple failed login notifications to IT immediately according to Huntress in 2025.
Organization-level defenses
Enforce MFA across all account types—default accounts, local, domain, and cloud—with no exceptions. Even partial MFA adoption leaves low-hanging fruit for attackers according to Microsoft's 2025 and Brandefense's 2025 guidance. Prioritize FIDO2, passkeys, and hardware keys such as YubiKey over SMS or TOTP, which can be bypassed via SIM swapping or malware according to OWASP's 2025 guidance.
Deploy account lockout policies, such as a temporary lock after 5 failures in 15 minutes, and block known-compromised passwords using NIST lists or Azure AD Smart Lockout according to Microsoft's 2025 and Brandefense's 2025 guidance. Block logins from non-compliant devices, restrict logins from outside defined organization IP ranges, flag logins from impossible travel scenarios, and require additional verification for high-risk logins according to CrowdStrike's 2025 and Frontegg's 2025 guidance.
Aggregate authentication logs to detect distributed failures across accounts. Alert on multiple failed login attempts to different accounts from the same source in short time windows. Monitor for password spray patterns such as N accounts with M failures in T seconds. Establish baseline authentication patterns and flag anomalies according to BreachSense's 2025 and Brandefense's 2025 guidance.
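The "N accounts with M failures in T seconds" rule mentioned above and in the detection section, as an added example that is not part of the original article: it runs over constructed authentication log lines (hypothetical format "timestamp src_ip user result") and shows why a per-account lockout counter never fires on a spray while a cross-account counter keyed on the source does. The line format, thresholds, and sample data are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample auth log (not from any real system): "timestamp src_ip user result".
# One source tries five accounts once each, then logs in as the fifth; another is a user typo.
SAMPLE_LOG = """
2025-03-01T09:00:00Z 203.0.113.7 alice FAIL
2025-03-01T09:00:02Z 203.0.113.7 bob FAIL
2025-03-01T09:00:04Z 203.0.113.7 carol FAIL
2025-03-01T09:00:06Z 203.0.113.7 dave FAIL
2025-03-01T09:00:08Z 203.0.113.7 erin FAIL
2025-03-01T09:00:40Z 203.0.113.7 erin SUCCESS
2025-03-01T09:05:00Z 198.51.100.9 alice FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$", re.M)

def parse_log(text):
    """Parse 'timestamp src user result' lines into time-sorted events (malformed lines skipped)."""
    events = [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "user": user, "ok": res == "SUCCESS"}
              for ts, src, user, res in LINE_RE.findall(text)]
    return sorted(events, key=lambda e: e["ts"])

def locked_accounts(events, max_fail=5, window=timedelta(minutes=15)):
    """Classic per-account lockout (5 failures / 15 min): blind to one guess per account."""
    recent, locked = defaultdict(deque), set()
    for e in (e for e in events if not e["ok"]):
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_fail:
            locked.add(e["user"])
    return locked

def spray_alerts(events, min_accounts=5, window=timedelta(seconds=60)):
    """Cross-account rule: >= N distinct accounts failing from one source within T; later SUCCESS from a flagged source is a likely compromise."""
    fails, flagged = defaultdict(deque), {}
    for e in events:
        src = e["src"]
        if e["ok"]:
            if src in flagged:
                flagged[src]["compromised"].add(e["user"])
            continue
        q = fails[src]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:  # sliding window per source, not per account
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            flagged.setdefault(src, {"accounts": set(), "compromised": set()})["accounts"] |= distinct
    return flagged
```

On the sample data the lockout policy returns no locked accounts, while the cross-account rule flags 203.0.113.7 and names erin as the account it subsequently logged into.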
Disable or restrict legacy authentication protocols including NTLM and basic auth that lack MFA support. Implement admin tier access controls and restrict who can log into administrative accounts. Enforce VPN plus MFA for remote access according to Citrix 2024 and Huntress 2025 guidance. Prevent username enumeration by not leaking whether an account exists during failed login attempts. Educate users on password spraying and phishing risks, and conduct simulations according to OWASP's 2025 guidance.
Technical tools and platforms (2025)
Identity and Access Management (IAM) solutions include Microsoft Entra, Okta, Ping Identity, and Auth0. Detection and response platforms include Splunk, Elastic Security, CrowdStrike Falcon, and Rapid7. Conditional access solutions include Azure AD Conditional Access and Okta Policies. MFA solutions include Duo, Okta Verify, Microsoft Authenticator, and Yubico (FIDO2). SIEM and log aggregation platforms include Splunk, Elastic, and Datadog according to CrowdStrike, Microsoft, and Brandefense in 2025.
FAQs
How is password spraying different from a brute-force attack?
Brute force targets a single account or a few accounts with many password guesses (100s to 1000s of attempts), triggering account lockouts quickly. Password spraying targets many accounts (1000s) with few passwords (1 to 5 guesses each), spreading attempts over time to evade lockouts. Spraying is stealthier and harder to detect but requires valid usernames; brute force is noisier but does not require them. Both are ineffective against MFA according to OWASP's 2025 and CrowdStrike's 2025 guidance.
Why is password spraying so effective against cloud services like Microsoft 365?
Cloud services handle authentication for millions of users, making distributed failures hard to correlate. Per-account rate limiting is less effective when attacks are spread across thousands of accounts. Additionally, organizations often have partial MFA adoption, leaving unprotected accounts as easy targets. Password spraying against O365 happens at 4,000-plus attempts per second globally according to Microsoft in 2024 and Rapid7 in 2025.
Can MFA-less accounts be detected by attackers to focus spraying efforts?
Yes. Attackers can test whether an account has MFA by observing authentication response codes and timing. Accounts without MFA fail at password validation, so attackers can keep guessing; MFA-protected accounts fail at the MFA step, signaling that the account is hardened. This targeting of low-hanging fruit is a major reason why partial MFA adoption is dangerous according to Rapid7's 2025 and Microsoft's 2025 guidance.
What should I do if my organization is being targeted by password spraying?
Enable MFA immediately if it is not already enabled, implement conditional access to restrict high-risk logins, enforce account lockouts, and block known-compromised passwords. Monitor authentication logs for distributed failures. Force password resets for accounts with failed login attempts. Escalate to the security team for incident response and threat intelligence sharing according to Brandefense's 2025 and Huntress's 2025 guidance.
Is passwordless authentication a complete solution to password spraying?
Yes, for accounts that implement it. FIDO2, passkeys, and Windows Hello eliminate password guessing entirely. However, legacy systems and applications may still rely on passwords, creating a hybrid attack surface. A complete solution requires passwordless migration across all critical systems, plus fallback MFA for legacy access according to Frontegg's 2025 and Microsoft's 2025 guidance.