Cyber attackers aren’t just looking for software flaws, supply chain weaknesses, and open RDP connections. The other key asset hackers are after is identities, especially account details that will give them access to other internal systems.
CISA earlier this year warned that the suspected Kremlin-backed hackers behind the SolarWinds attacks were not just trojanising software updates, but also password guessing and password spraying administrative accounts for initial access.
More recently, Microsoft observed an emerging Iranian hacking group using password spraying against Israeli and US critical infrastructure targets operating in the Persian Gulf.
Microsoft estimates that more than a third of account compromises are password spraying attacks, even though such attacks have a 1% success rate for accounts, unless organisations use Microsoft’s ‘password protection’ to avoid bad passwords.
“Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password,” Microsoft explained last year. That approach helps avoid rate limiting, where too many failed password attempts against a single account result in a lockout.
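The distinction Microsoft describes (many users against one password, rather than many passwords against one user) is also what a defender can look for in authentication logs: a spray shows one source failing once or twice against many different accounts, staying under the per-account lockout threshold, while a classic brute force shows one account failing repeatedly. The following detector is an added example written for this article, not Microsoft's or DART's code; the sshd-style log format, the window size, the lockout threshold and the minimum-distinct-users cut-off are all assumptions, and the log lines it runs over are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables chosen for this example (assumptions, not values from the article).
WINDOW = timedelta(minutes=10)   # how far apart failures may be and still count together
LOCKOUT_THRESHOLD = 5            # failures per account that would trip an account lockout
SPRAY_MIN_USERS = 8              # distinct accounts failing from one source within WINDOW

# sshd-style failed-login line (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def classify_sources(log_text):
    """Return {source_ip: 'spray' | 'brute_force'} for sources whose failures,
    inside some WINDOW, match one of the two patterns. Sources whose failures
    match neither (a user mistyping a password twice) are left out."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding time window over this source's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            # Brute force: one account hammered past the lockout threshold.
            if max(per_user.values()) >= LOCKOUT_THRESHOLD:
                verdicts[src] = "brute_force"
                break
            # Spray: many accounts, each failing fewer times than the lockout
            # threshold, so per-account lockout never fires.
            if len(per_user) >= SPRAY_MIN_USERS:
                verdicts[src] = "spray"
                break
    return verdicts


def _line(sec, user, src):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"2024-03-01T10:00:{sec:02d} sshd[42]: Failed password for "
            f"{user} from {src} port {4000 + sec} ssh2")


# Constructed sample log: a spray (10 accounts, 1 failure each), a brute force
# (1 account, 6 failures) and a benign user who mistyped twice.
SAMPLE_LOG = "\n".join(
    [_line(i, f"user{i}", "203.0.113.5") for i in range(10)]
    + [_line(20 + i, "admin", "198.51.100.9") for i in range(6)]
    + [_line(40, "carol", "192.0.2.7"), _line(41, "carol", "192.0.2.7")]
)

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The point of the two thresholds is that per-account lockout alone never sees the spray: every account in the first block fails only once. Only aggregating failures by source (or, in a cloud directory, by tenant-wide failed-sign-in counts) and counting distinct accounts exposes it, which is why detection for this technique has to pivot on the source or the shared password attempt rather than the victim account.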
Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the