Microsoft has a group of credential compromise detection capabilities that we wanted to tell you about. This one uses Microsoft’s machine learning technology and global signal to create incredibly accurate detection of a nuanced attack called “password spray.” This is a great example of where worldwide, multi-tenant detection combines with rapidly evolving detection technology to keep you safe from this very common attack.

Comprehending Password Spray

Password spray happens to be one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are “low and slow,” where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant’s view, there are so few login attempts with such poor consistency that the attack is undetectable. A customer might only see one or two failed logins happen from these types of attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking. Password spray attacks have a 1 percent success rate for accounts (unless they use password protection – please use it!).

It is only when Microsoft review across the tenants around the world and evaluate the complete picture of logins that they can reliably detect the patterns. The following chart shows a password spray attack that was observed on our system:


Each color tracks a different password hash for login attempts with incorrect passwords in Azure Active Directory (Azure AD). Looking across millions of tenants, we can see the pattern of a password spray attack. Normally the graph would be flat and evenly dispersed as you see on the left side. The huge elevation of a single hash failing across many accounts indicates a single password being attempted against hundreds of thousands of usernames from many tenants—a password spray attack in progress. This lens extends our detections beyond traffic from a set of IP addresses (a few of these attacks have originated from millions of IP addresses) and instead correlates the patterns of authentications the bad actors are attempting.

The Progression of Microsoft’s Password Spray Detection

In order to detect password sprays, Microsoft had built a heuristic detection using the approach previously described.  It worked great – by looking at the core failure in the system in their worldwide traffic they were able to notify tenants of hundreds of thousands of attacks monthly (increased user risk) so they could protect their organizations.

But Microsoft simply wasn’t satisfied. Hence, their data scientists started researching the use of these patterns and additional data to train a new supervised machine learning system incorporating IP reputation, unfamiliar sign-in properties, and other deviations in account behavior. The results of this research led to last month’s release of the new password spray risk detection. This new machine learning detection yields a 100 percent increase in recall over the heuristic algorithm described above meaning it detects twice the number of compromised accounts of the previous algorithm. It does this while maintaining the previous algorithm’s amazing 98 percent precision—meaning if this algorithm says an account fell to password spray, it’s almost certain that it did.

Azure AD Identity Protection customers will see this new risk detection in the portal and APIs for Identity Protection. The following screenshot provides a sample of the new risk detection:

Password Spray

This new password spray detection is an excellent example of how Microsoft leverages intelligence gained across Microsoft’s identity systems to continuously expand and improve their protections—which you can use to automate processes in Azure AD Conditional Access, in Azure Sentinel, or through the APIs for anything you can imagine. For more information about other risk detections and how you can enable Identity Protection in your own organization, see the article, “What is Identity Protection?”.

Please contact [email protected] if you would like to learn more about this or any other security protection with Azure.


Was this article helpful?