Unravelling Cyber Defense Model Secrets: Password Spray Detections

Blog Post

By: Jeet Dutta, Data Science

Welcome to the Unravelling Cyber Defense Model Secrets series, where we shine a light on how our Data Science team is keeping up with the latest detections.

When it comes to cybersecurity, some of the oldest tricks are still among the most dangerous. Weak or default passwords continue to be a top target for attackers, and one tactic that’s quietly gaining traction is the password spray attack.

Unlike brute-force methods, password spraying takes a stealthier approach. It uses a short list of common passwords across a wide range of accounts, often slipping under the radar of lockout policies and traditional detection tools.

As these attacks evolve in sophistication and scale, organizations, especially those with limited IT resources, need smarter, more adaptive ways to detect and respond before damage is done. In this post, we’ll break down how password spray attacks work, why they’re so effective, and what you can do to protect your environment.

How Password Sprays Work

Passwords remain the primary control against unauthorized access to sensitive information, yet in practice they are often left at vendor defaults that are never changed or set to values that are easy to guess. The password spray attack is one of the most common ways attackers exploit this. Rather than guessing many passwords for one account, they take a small set of common passwords (seasonal phrases, the company name followed by a year, well-known defaults) and try each one across many accounts, looking for the handful of users for whom it happens to be correct.

This differs from a classic brute force attack, where many passwords are tried against a single account, which quickly trips account lockout. A spray stays under the lockout threshold on every account (typically one or two attempts per account per window), so per-account failure counters and lockout policies rarely fire. The attacker trades speed for stealth, and that is exactly what makes the technique a serious threat.

Because per-account controls do not see this pattern, we launched a new detection called M365 Password Spray. It extends our brute force detection suite and is designed to identify incidents in which a large number of accounts record login failures originating from a single external IP address.

The detection logic monitors authentication attempts per source IP rather than per account. If an unusually high number of distinct accounts receive failed logins from a single IP address within a one-hour window, an alert is triggered. If that same IP also produces a successful login in the window, the alert severity is raised, indicating that the spray may have found a valid password.
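As an added example (not the platform's own detection code), the following script runs the aggregation described above over a handful of constructed sign-in records in the shape of Microsoft Entra sign-in logs. The field names follow that schema and the error codes are the documented AADSTS values; the ten-account threshold, the hourly bucketing, the tenant name contoso.example and the sample IP addresses are assumptions. It goes one step beyond the text: a sign-in that was stopped at the MFA step (error 50074 or 50076) means the password itself was accepted, so the example treats it as an escalation signal even though no session was created.

```python
"""Password spray detection over sign-in records: many distinct accounts failing
from one source IP inside one hour, escalated when that IP also succeeds.

Added example, not the platform's own detection code. Record fields follow the
Microsoft Entra sign-in log schema; thresholds, sample records, tenant name and
IP addresses are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# status.errorCode values from the Entra sign-in log (AADSTS codes as integers).
SUCCESS = 0
INVALID_CREDENTIALS = {50126}      # AADSTS50126: invalid username or password
MFA_INTERRUPTED = {50074, 50076}   # password accepted, sign-in stopped at the MFA step

MIN_DISTINCT_ACCOUNTS = 10         # assumed threshold; tune against your tenant's baseline


def signin(upn, ip, created, error_code):
    """Build one record in the shape of an Entra sign-in log entry."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": created, "status": {"errorCode": error_code}}


def hour_bucket(created):
    """Truncate an ISO-8601 UTC timestamp to its hour for per-IP, per-hour aggregation."""
    ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return ts.strftime("%Y-%m-%dT%H:00Z")


def detect_password_spray(signins, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return one alert per (source IP, hour) in which at least min_accounts
    distinct accounts recorded a credential failure from that IP."""
    buckets = defaultdict(list)
    for ev in signins:
        buckets[(ev["ipAddress"], hour_bucket(ev["createdDateTime"]))].append(ev)

    alerts = []
    for (ip, hour), events in buckets.items():
        failed, succeeded, mfa_stopped = set(), set(), set()
        for ev in events:
            code = ev["status"]["errorCode"]
            upn = ev["userPrincipalName"].lower()
            if code == SUCCESS:
                succeeded.add(upn)
            elif code in MFA_INTERRUPTED:
                mfa_stopped.add(upn)
            elif code in INVALID_CREDENTIALS:
                failed.add(upn)
        # A single user fat-fingering a password never reaches the threshold;
        # the signal is breadth of accounts, not volume of attempts.
        if len(failed) < min_accounts:
            continue
        # Any accepted password from the spraying IP (full success or stopped at
        # MFA) means the attacker now holds a valid credential: escalate.
        severity = "Medium" if (succeeded or mfa_stopped) else "Low"
        alerts.append({
            "sourceIp": ip,
            "window": hour,
            "severity": severity,
            "failedAccountCount": len(failed),
            "failedAccounts": sorted(failed),
            "compromisedAccounts": sorted(succeeded),
            "mfaStoppedAccounts": sorted(mfa_stopped),
            "eventCount": len(events),
        })
    return sorted(alerts, key=lambda a: (a["window"], a["sourceIp"]))


def build_sample_signins():
    """Constructed sample telemetry (not real data): one spraying IP, one benign user."""
    attacker_ip = "203.0.113.77"
    events = []
    # First pass: one common password tried once against twelve accounts, all fail.
    for i in range(1, 13):
        events.append(signin(f"user{i:02d}@contoso.example", attacker_ip,
                             f"2024-05-01T09:{i + 2:02d}:00Z", 50126))
    # Second pass: a different password lands on one account.
    events.append(signin("user08@contoso.example", attacker_ip,
                         "2024-05-01T09:41:00Z", SUCCESS))
    # Benign noise: one user mistypes twice, then signs in. Two failures, one account.
    for minute, code in ((10, 50126), (11, 50126), (12, SUCCESS)):
        events.append(signin("user03@contoso.example", "198.51.100.5",
                             f"2024-05-01T09:{minute}:00Z", code))
    return events


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(build_sample_signins()), indent=2))
```

Running it produces a single Medium alert for 203.0.113.77 listing twelve failed accounts and user08 as compromised; the benign user on 198.51.100.5 never reaches the threshold because the count is of distinct accounts, not attempts. In production the hourly bucket should be a sliding window and the threshold set from the tenant's own baseline, since a large tenant with a misconfigured shared mailbox or a NAT gateway in front of an office can legitimately show many accounts failing from one IP.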

This upgrade to the brute force detection suite exemplifies our commitment to continually improve threat detection on the platform. Below is a sample alert:

The graphic showcases the following detection highlights:

  • Severity: Low when the source IP produced only failures. Medium when a successful logon from the same IP accompanied the failures.
  • Source IP Address: The external IP responsible for the suspicious activity.
  • User ID: The individual accounts that were targeted, listed by name.
  • Additional Information: The number of distinct accounts with failed access in a single hour, along with further details about the login failures.
  • Events Table: The individual sign-in events that the model aggregated into the alert.

These detections highlight how widespread, and how easily overlooked, password spray attacks are, reinforcing the need for continuous monitoring, stronger authentication controls, and rapid response capabilities.

Beyond the Alert: What Comes Next

Whether it is a suspected credential compromise, unusual user behavior, or a flagged password spray attempt, once an alert reaches the portal a timely and structured response is critical to minimizing risk. In this section we walk through the recommended remediation sequence, from initial triage to containment, investigation, and recovery, so that you can act quickly, confidently, and effectively. Below is the recommended sequence when a Password Spray alert is delivered to the portal:

Containment and Immediate Response

  • Block the offending IP address at the Microsoft 365 level (a Conditional Access named location, Defender) and on network firewalls. Treat this as a stop-gap: spray tooling routinely rotates through proxy and cloud IP ranges, so expect the same campaign to resume from a new address and keep watching the account-level signal rather than the IP alone.
  • Temporarily disable or restrict access to targeted user accounts to prevent further exploitation. Prioritize any account that recorded a successful logon from the spraying IP; disabling every account that was merely targeted can take hundreds of users offline and hands the attacker a denial of service.
  • Force password resets and invalidate active sessions and refresh tokens for affected users, so that a password or session obtained before the reset cannot be reused afterwards.

Investigation and Analysis

  • Analyze user activity for signs of account compromise, such as new inbox rules or mail forwarding, mail sent to external recipients, or sign-ins from unfamiliar locations and devices.
  • Check whether MFA was enabled and enforced for the affected accounts, and look for bypass attempts such as repeated push prompts (MFA fatigue) or sign-ins over legacy authentication protocols that do not support MFA.

Hardening

  • Reset passwords and confirm that MFA is registered and enforced for affected users.
  • Remove any malicious inbox rules, mail forwarding, delegations, or unauthorized app consents.
  • Adjust account lockout and smart lockout policies to better defend against future spray attempts, and maintain a banned-password list so the seasonal and default passwords a spray relies on cannot be set in the first place.
  • Implement or refine Conditional Access policies, including geo-blocking, risk-based access controls, and blocking legacy authentication.

Effective remediation isn’t just about resolving a single alert—it’s about breaking the attack chain and strengthening your overall security posture. By following a consistent, well-documented response process within the platform, teams can reduce dwell time, limit business impact, and turn every incident into an opportunity to improve resilience. Staying prepared, responsive, and proactive is key to keeping evolving threats in check.