Microsoft says it has detected an increase in password spray attacks targeting privileged cloud accounts and high-level identities such as executives.
Over the past year, Microsoft’s Detection and Response Team (DART) and Microsoft’s Threat Intelligence Team have observed an increase in the use of password sprays as a means of attack.
A password spray attack is a type of brute force attack in which an attacker attempts to gain access to a large list of accounts using a small number of commonly used passwords.
What is a password spray attack?
In this kind of attack, the attacker typically tries the same password against one account after another to find one that can be easily accessed, which keeps defenses such as password lockout or malicious IP blocking (if a botnet is used) from working.
This makes it less likely that an account will be locked out, as happens in a classic brute force attack, which attempts to quickly log into a small number of accounts by going through a huge list of passwords one at a time.
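The difference described above can be seen from the defender's side in sign-in logs. The following is an added example, not code from Microsoft or from the original article: it runs a per-account lockout counter, a per-address block counter and a tenant-wide count of failing accounts over constructed failed sign-in events. The thresholds, the 30-minute window, the account names and the documentation-range addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions for this example, not Microsoft guidance.
WINDOW = timedelta(minutes=30)
LOCKOUT_THRESHOLD = 5     # failures on one account before lockout
IP_BLOCK_THRESHOLD = 10   # failures from one address before it is blocked
SPRAY_MIN_ACCOUNTS = 10   # distinct failing accounts per window worth an alert

def build_sample():
    """Constructed failed sign-ins as (timestamp, source_ip, account)."""
    t0 = datetime(2021, 10, 1, 9, 0)
    # Classic brute force: 40 guesses at one account from one address.
    events = [(t0 + timedelta(seconds=i), "198.51.100.7", "alice") for i in range(40)]
    # Spray: 2 guesses at each of 25 accounts, every account hit from a different address.
    for i in range(25):
        for j in range(2):
            ts = t0 + timedelta(hours=2, seconds=20 * i + 600 * j)
            events.append((ts, f"203.0.113.{i + 1}", f"user{i:02d}"))
    return events

def analyse(events):
    """Return (locked_accounts, blocked_ips, spray_windows)."""
    by_account = defaultdict(lambda: defaultdict(int))
    by_ip = defaultdict(lambda: defaultdict(int))
    for ts, ip, account in events:
        # Align each event to the start of its fixed 30-minute window.
        bucket = datetime.min + ((ts - datetime.min) // WINDOW) * WINDOW
        by_account[bucket][account] += 1
        by_ip[bucket][ip] += 1
    locked, blocked, sprays = set(), set(), []
    for bucket in sorted(by_account):
        accounts = by_account[bucket]
        # Per-account and per-address controls only see their own counter.
        locked |= {a for a, n in accounts.items() if n >= LOCKOUT_THRESHOLD}
        blocked |= {ip for ip, n in by_ip[bucket].items() if n >= IP_BLOCK_THRESHOLD}
        # Tenant-wide view: many accounts failing, each below the lockout threshold.
        quiet = [a for a, n in accounts.items() if n < LOCKOUT_THRESHOLD]
        if len(quiet) >= SPRAY_MIN_ACCOUNTS:
            sprays.append((bucket, len(quiet)))
    return locked, blocked, sprays

if __name__ == "__main__":
    locked, blocked, sprays = analyse(build_sample())
    print("locked accounts:", sorted(locked))
    print("blocked addresses:", sorted(blocked))
    for start, n in sprays:
        print(f"possible spray in window starting {start}: {n} accounts")
```

On the constructed data, the lockout and address counters react only to the brute force run, while the 25 sprayed accounts show up only in the tenant-wide count.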
With cloud admin accounts increasingly being the target of password spray attacks, it is important to understand what is being targeted.
Microsoft recommends enabling and enforcing multi-factor authentication (MFA) on all accounts and adopting passwordless technology whenever possible to significantly reduce the risk of an account being compromised when targeted by such an attack.
Administrators and high-level accounts are increasingly being targeted
As Microsoft warned a year ago, password spraying attacks are one of the most common authentication attacks, accounting for more than a third of all corporate account breaches.
Recent password spraying attacks have also been observed to target administrator accounts with various privileges, with the most commonly targeted accounts ranging from security, Exchange services, global, and conditional access administrators to SharePoint, help desk, billing, user, authentication, and company administrators.
In addition to these privileged accounts, attacks have also targeted individuals, including executives and those with access to sensitive data.
While it’s easy to make exceptions to the policy for staff in executive positions, the reality is that these accounts are the most targeted.
Be sure to apply the protections in a logical manner so as not to create a configuration weakness.
In July 2021, the NSA revealed that the Russian state-sponsored hacking group Fancy Bear had launched password-spraying attacks from its Kubernetes cluster against organizations in the United States and abroad, including agencies of the U.S. government and Department of Defense.
In early October 2021, Microsoft also announced that it had discovered that the Iranian-linked DEV-0343 and the Russian-backed Nobelium group were using password spraying in attacks targeting defense technology companies and managed service providers (MSPs) or cloud service providers, respectively.