Password Spraying vs. Brute Force
Password spraying and brute-force attacks both involve attackers trying to guess passwords, but they work in very different ways. In a password spraying attack, the attacker tries a small number of commonly used passwords against a large number of accounts. By limiting the number of attempts on each account, attackers can avoid triggering account lockout policies, making the attack much harder to detect. Password spraying primarily succeeds because many users still rely on weak or commonly used passwords. In contrast, a brute-force attack focuses on a single account. The attacker systematically tries many different password combinations until the correct one is found. Because this approach generates numerous failed login attempts against the same account, it often triggers account lockouts and security alerts, making it easier for defenders to detect and stop. Brute-force attacks rely on exhaustive password guessing rather than testing a few common passwords across multiple accounts. For example, a brute-force attack targeting a single account may trigger a security lockout after just five failed login attempts. A password spraying attack, however, may attempt only one password every several hours against each account, allowing attackers to remain undetected for days or even weeks while they search for accounts protected by weak passwords.
Why Password Spray Attacks Work
People choose predictable passwords.
Despite password policies and security awareness training, many users still create passwords based on familiar patterns. They often use seasons, company names, years, sports teams, keyboard patterns, or personal names. Discovering the most commonly used passwords is relatively easy. Security firms and researchers publish annual reports identifying the passwords users choose most often, and even Wikipedia maintains a list of the 10,000 most common passwords compiled from publicly available data. Because these passwords are so common, attackers prioritize them first, knowing that even a small success rate can provide access to valuable accounts.
Large organizations have thousands of users.
The larger an organization, the greater the chance that at least a few employees have weak passwords. Even if 99.9% of employees use strong, unique passwords, a company with 100,000 user accounts could still have around 100 accounts protected by weak or predictable passwords. Attackers only need one successful login to establish a foothold inside the organization.
Remote services expand the attack surface.
Modern organizations rely on numerous internet-facing authentication services that employees access remotely. These include Microsoft 365, VPN gateways, Outlook Web Access, Remote Desktop services, Citrix portals, Single Sign-On platforms, and cloud identity providers. Because these services are accessible from anywhere on the internet, they provide attackers with convenient targets for password spraying campaigns.
Attackers can easily discover usernames.
Obtaining valid usernames is often much easier than organizations realize. Attackers can gather employee email addresses and usernames from LinkedIn profiles, corporate websites, public contact pages, GitHub repositories, conference attendee lists, and previously leaked data from security breaches. Once an attacker knows an employee's email address or username, they already possess half of the credentials needed to log in.
How a Password Spray Attack Works
Stage 1: Reconnaissance.
The attacker begins by collecting a list of valid usernames from publicly available sources such as company websites, LinkedIn profiles, employee directories, DNS records, email metadata, and data breaches. Cybercriminals may also purchase stolen username lists from dark web marketplaces. These databases, harvested from previous data breaches, contain billions of compromised credentials, with estimates suggesting that more than 15 billion usernames and passwords are available for sale or trade. Alternatively, attackers can compile their own lists of valid usernames by identifying an organization's email address format. The goal is to build a large list of legitimate user accounts that can be targeted.
Stage 2: Password Selection.
Rather than guessing random passwords, attackers choose a small number of passwords that users are most likely to have selected. These are often based on the current season, the current year, company branding, industry trends, or passwords exposed in previous data breaches.
Stage 3: Authentication Attempts.
The attacker then attempts to log in using one password across every account in the target list. These login attempts are directed at services such as Microsoft 365, Exchange Online, Azure Active Directory, Okta, VPN gateways, Google Workspace, or SSH servers. By trying only a single password against each account, the attacker avoids triggering account lockout thresholds.
Stage 4: Waiting Period.
After completing one round of login attempts, the attacker waits for several hours or even days before trying another password. This deliberate pause helps evade rate-limiting controls, account lockout policies, and security monitoring systems that look for repeated failed logins over a short period.
Stage 5: Repeat.
The attacker repeats the process using a different commonly used password. Over time, one or more accounts eventually authenticate successfully, giving the attacker unauthorized access while generating little suspicious activity.
Stage 6: Post-compromise.
A successful password spraying attack can provide attackers with an initial foothold, allowing them to escalate privileges, map an organization's internal network, and exploit weakly segmented environments. In several major breaches, compromised VPN and Remote Desktop Protocol (RDP) accounts obtained through password spraying enabled attackers to move laterally across networks. Cloud and SaaS environments that lack behavioral monitoring are especially at risk, as attackers can quietly access and exfiltrate sensitive data, including email archives, shared files, and contact databases.
Tools Used in Password Spray Attacks
Attackers commonly automate password spraying using publicly available tools. Popular examples include:
- Microsoft Graph API scripts
- AzureAD PowerShell modules
- CrackMapExec
- Kerbrute
- Spray365
- MSOLSpray
- GoSpray
- TeamFiltration
Real-world attacks
1. Azure CLI Password Spray Campaign (June 2026)
In June 2026, cybersecurity researchers at Huntress uncovered one of the largest password spraying campaigns ever observed targeting Microsoft's Azure Command-Line Interface. Between June 12 and June 26, attackers launched more than 81 million login attempts, compromising at least 78 Microsoft accounts across 64 organizations. The attackers exploited the legacy Resource Owner Password Credentials (ROPC) authentication flow, allowing them to bypass poorly configured Conditional Access policies in some Microsoft 365 environments.
2. Microsoft Breach by Midnight Blizzard (2023–2024)
In November 2023, the nation-state threat group Midnight Blizzard launched a relatively unsophisticated password spraying attack against Microsoft. The attackers used a large network of legitimate residential IP addresses to disguise their login attempts and evade detection. Their campaign successfully compromised a legacy Microsoft test tenant account that had administrative privileges but was not protected by multi-factor authentication. After gaining access, the attackers moved laterally through Microsoft's environment and compromised a legacy test OAuth application with privileged permissions, allowing them to maintain persistent access. During the nearly two months before the breach was detected, the threat actors exfiltrated emails, attachments, and other sensitive data belonging to senior Microsoft executives and employees.
How to Prevent Password Spray Attacks
1. Enforce Multi-Factor Authentication
MFA is the single most effective defense. Even if attackers discover a valid password, they cannot log in without the second authentication factor. Phishing-resistant MFA methods, such as hardware security keys or passkeys, provide stronger protection than SMS-based verification.
2. Use Password Managers
Every account across the organization should follow password management best practices. Passwords should be unique for each application or system, never reused across work and personal accounts, sufficiently long and complex, and never shared with other users. Enforcing these standards consistently across an enterprise is difficult without automation, which is why organizations should use password managers or password vaults to securely generate, store, and manage strong, unique credentials for every user.
3. Adopt Passwordless Authentication
Passkeys, biometric authentication, and hardware-backed credentials reduce reliance on passwords entirely, removing the opportunity for password spraying.
4. Implement Smart Account Lockout
Instead of permanently locking accounts after several failures, organizations should use adaptive lockout policies that consider factors such as IP reputation, geolocation, and login behavior. This helps prevent attackers from abusing lockout mechanisms while still protecting user accounts.
5. Monitor Authentication Logs
Regularly reviewing authentication logs helps identify unusual login patterns before attackers gain widespread access. Monitoring should include:
- Failed login rates
- Geographic anomalies
- Login velocity
- Suspicious IP addresses
- Legacy authentication usage
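As an added defender-side example (not code from the original article), the following Python sketch shows how the two patterns contrasted at the top of the article look different in authentication logs, and why per-account lockout alone misses a spray: aggregating by source IP separates many accounts failing once or twice (spray) from one account failing many times (brute force), and flags a successful login from a spraying source. The log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample events (assumed format: "ISO-timestamp user source_ip FAIL|SUCCESS").
# 203.0.113.7 sprays one guess per account; 198.51.100.9 hammers a single account.
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice 203.0.113.7 FAIL
2024-03-04T09:00:03 bob 203.0.113.7 FAIL
2024-03-04T09:00:05 carol 203.0.113.7 FAIL
2024-03-04T09:00:07 dave 203.0.113.7 FAIL
2024-03-04T09:00:09 erin 203.0.113.7 FAIL
2024-03-04T09:00:11 frank 203.0.113.7 SUCCESS
2024-03-04T09:05:00 alice 198.51.100.9 FAIL
2024-03-04T09:05:02 alice 198.51.100.9 FAIL
2024-03-04T09:05:04 alice 198.51.100.9 FAIL
2024-03-04T09:05:06 alice 198.51.100.9 FAIL
2024-03-04T09:05:08 alice 198.51.100.9 FAIL
2024-03-04T09:10:00 bob 192.0.2.44 SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples from the constructed format."""
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        yield ts, user, ip, result

def classify_sources(events, spray_accounts=5, brute_fails=5, spray_per_account=2):
    """Label each source IP 'spray', 'spray_then_success', 'brute_force' or 'benign'.
    Per-account lockout sees only one or two failures per user during a spray, so
    detection pivots on the source IP: many accounts failing a little (spray) versus
    one account failing a lot (brute force). Aggregate over hours or days in practice.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    successes = defaultdict(set)                     # ip -> users that logged in
    for _ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            successes[ip].add(user)
    verdicts = {}
    for ip in set(fails) | set(successes):
        per_user = fails.get(ip, {})
        worst = max(per_user.values(), default=0)
        if worst >= brute_fails:
            verdicts[ip] = "brute_force"
        elif len(per_user) >= spray_accounts and worst <= spray_per_account:
            verdicts[ip] = "spray_then_success" if successes.get(ip) else "spray"
        else:
            verdicts[ip] = "benign"
    return verdicts
```

Because a real spray pauses for hours or days between rounds (Stage 4 above), the aggregation window in production must span at least that long, or the per-source counts never reach the spray threshold.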