
Brute Force Attacks Conducted by Cyber Actors

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow 3 to 5 bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.


Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.


Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.


Technical Details


Traditional tactics, techniques, and procedures (TTPs) for conducting password-spray attacks are as follows:



  • Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for the initial password spray

  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method

  • Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts

  • Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing bulk data exfiltration using File Transfer Protocol tools such as FileZilla


Indicators of a password spray attack include:



  • A massive spike in attempted logons against the enterprise SSO portal or web-based application;

    • Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).

    • Attacks have been seen to run for over 2 hours.



  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations.
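The two indicator patterns above, many distinct accounts with only a few failures each from one IP address and User Agent (a spray) versus a lockout-prone burst of failures against a single account (a traditional brute force), as an added Python detection example that is not part of the original alert. The log format, the bucketing by (IP, User Agent) and time window, and the thresholds are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO-portal authentication log (not from the advisory):
# "<UTC timestamp> <source IP> <user-agent tag> <account> <result>"
SAMPLE_LOG = """\
2018-03-27T09:00:01Z 203.0.113.7 UA-1 alice FAIL
2018-03-27T09:00:02Z 203.0.113.7 UA-1 bob FAIL
2018-03-27T09:00:03Z 203.0.113.7 UA-1 carol FAIL
2018-03-27T09:00:04Z 203.0.113.7 UA-1 dave FAIL
2018-03-27T09:00:05Z 203.0.113.7 UA-1 erin FAIL
2018-03-27T09:00:06Z 203.0.113.7 UA-1 frank OK
2018-03-27T09:03:00Z 198.51.100.9 UA-2 grace FAIL
2018-03-27T09:03:10Z 198.51.100.9 UA-2 grace FAIL
2018-03-27T09:03:20Z 198.51.100.9 UA-2 grace FAIL
2018-03-27T09:03:30Z 198.51.100.9 UA-2 grace FAIL
2018-03-27T09:05:00Z 192.0.2.44 UA-3 alice OK
"""
EPOCH = datetime(1970, 1, 1)

def parse_log(text):
    """Turn log lines into (timestamp, (ip, user_agent), account, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, ua, account, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           (ip, ua), account, result == "OK"))
    return events

def classify_sources(events, window=timedelta(hours=1), spray_accounts=5, brute_attempts=4):
    """Per (ip, user agent) source and time bucket, count failed logons per account.
    Many accounts with few failures each is the low-and-slow spray pattern; many
    failures against one account is a brute force. Returns {source: (pattern, hits)}."""
    fails = defaultdict(lambda: defaultdict(int))   # (source, bucket) -> account -> count
    hits = defaultdict(set)                          # (source, bucket) -> accounts logged into
    for ts, source, account, ok in events:
        key = (source, (ts - EPOCH) // window)       # assumed fixed-width time bucket
        if ok:
            hits[key].add(account)
        else:
            fails[key][account] += 1
    findings = {}
    for key, per_account in fails.items():
        worst = max(per_account.values())
        if len(per_account) >= spray_accounts and worst < brute_attempts:
            findings[key[0]] = ("password-spray", sorted(hits[key]))   # hits = accounts to reset
        elif worst >= brute_attempts:
            findings[key[0]] = ("brute-force", sorted(hits[key]))
    return findings
```

The successful logons returned alongside a spray finding are the accounts an investigator should reset and review first, since the same source guessed its way into them.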


Typical Victim Environment


The vast majority of known password spray victims share some of the following characteristics:



  • Use SSO or web-based applications with a federated authentication method

  • Lack multifactor authentication (MFA)

  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)

  • Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices

  • Allow email forwarding to be set up at the user level

  • Limited logging setup, creating difficulty during post-event investigations

