What Is Password Spraying, and How Can You Spot and Block Attacks?

In 2019, a data heist at Citrix shook the cybersecurity world. The attackers stole business documents from a shared network drive and from a drive associated with a web-based tool used in Citrix’s consulting practice. The hackers gained this access to Citrix’s IT infrastructure through a password spraying attack, a technique that exploits weak passwords, leading to criticism that the software giant needlessly compromised its clients by failing to establish a sound password strategy.

Citrix is far from the only enterprise that falls short with password security. When a threat research team scanned all Microsoft user accounts in early 2019, they discovered that 44 million users were using the same usernames and passwords that had already been leaked online after security breaches at other online services. This tendency is alarming, as the 2020 Data Breach Investigations Report reveals that over 80 percent of hacking-related breaches involve either stolen (or lost) credentials or brute-force attacks.

Password spraying attacks cannot be prevented, but they can be detected and even stopped in their tracks. In this article, we explain how this type of attack unfolds, how you can spot attacks in progress and how you can mitigate your risk of becoming the next victim.

What Is a Password Spraying Attack?

Typical brute-force attacks target a single account, testing multiple passwords to try to gain access. Modern cybersecurity protocols can detect this suspicious activity and lock out an account when too many failed login attempts occur in a short period of time.

Password spraying flips the conventional strategy by attempting to log on to multiple user accounts using many common passwords. Trying a single password on many different accounts before attempting another password on the same accounts circumvents normal lockout protocols, enabling the attacker to keep trying more and more passwords.

Unfortunately, password spray attacks are frequently successful because so many users fail to follow password best practices. In fact, the 200 most common passwords leaked in data breaches in 2019 included obvious number combinations such as “12345”, common female first names, and the word “password” itself. Any attacker who targets a sufficiently large number of usernames and works with a large enough bank of common passwords is bound to be able to compromise some accounts.

While casting a wide net is likely to return at least a few successes, today’s savvy hackers rely on a more precise approach. They set their sights on users who use single sign-on (SSO) authentication, hoping to guess credentials that will give them access to multiple systems or applications. They also commonly target users that use cloud services and applications utilizing federated authentication. This approach can enable attackers to move laterally, since federated authentication can help mask malicious traffic.

Once an account has been compromised in a password spraying attack, the victim may suffer temporary or permanent loss of sensitive information. For organizations, a successful attack might also mean disrupted operations, significant revenue losses and reputational damage.

How to Detect a Password Spraying Attack

Although conventional countermeasures might not automatically detect password spraying attacks, there are several reliable indicators to look for. The most obvious is a high number of authentication attempts, especially failed attempts due to incorrect passwords, within a short period of time. Naturally, a closely related indicator is a spike in account lockouts.

In many cases, password spraying leads to a sudden spike in attempted logins involving SSO portals or cloud applications. Malicious parties may use automated tools to attempt thousands of logons within a brief period of time. Often, these attempts come from a single IP address or a single device.

How to Mitigate the Risk of Falling Victim to a Password Spraying Attack

While it’s critical to be able to promptly detect successful attacks, allowing attackers even brief access to sensitive data can prove devastating. A sound cybersecurity strategy requires a comprehensive, proactive approach that ensures layered protection to block as many attacks as possible. Be sure to follow these best practices:

  • Require multi-factor authentication for all users.
  • Ensure all passwords abide by National Institute of Standards and Technology (NIST) guidelines.
  • Establish sound policies for resetting passwords after account lockouts.
  • Develop a defensible password strategy for shared accounts.
  • Conduct regular user training to ensure all users understand the threat of password spraying and how they can devise and maintain secure passwords.

How Netwrix Solutions Can Help

The best way to defend your organization against password spraying attacks is to invest in an IT security tool that can reliably detect and block these attacks with comprehensive auditing, alerting and reporting.

Netwrix Auditor can alert you to a wide variety of suspicious activity, including events indicative of a password spraying attack, so you can respond immediately to protect your systems and data. Moreover, it delivers powerful auditing and reporting. Key features include:

  • Active Directory auditing and alerting. Netwrix Auditor tracks Active Directory logins and other user activity, including all successful and failed logon attempts. You can set up alerts on activity you deem suspicious, including single actions like a user gaining admin privileges or a sequence of actions within a specified timeframe, such as more than 4 failed login attempts within 1 minute. You can also easily review the full logon history of any user.
  • User behavior analytics. A consolidated view of unusual activity and ranking of risk actors makes it easier to spot compromised accounts and malicious insiders early, so you can take action to avoid security
  • User behavior and blind spot analysis. Spot malicious actor sneaking around your environment by easily scrutinizing user activity outside of standard hours, logon attempts by multiple users from a single endpoint, and logon attempts by a single user from multiple endpoints.

Netwrix Auditor also helps you fortify your security posture so you are less vulnerable to password spraying attacks in the first place. In particular, you can:

  • Enforce password policy best practices with complete visibility into policy settings and alerts on changes.
  • Track Azure AD password resets to maintain strong security in the cloud.
  • Discover and secure accounts that do not require passwords or whose passwords are set to never expire.
  • Identify and disable inactive accounts before they can be exploited by attackers.

In short, with Netwrix Auditor, it’s possible to catch malicious players early on — and proactively block them from getting into your network in the first place.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.