BIPI

Password Spraying: How Attackers Stay Below Lockout (and How to Catch Them)

Cybersecurity

Password spraying is the most common path to corporate Office 365 in 2026. The attack is one common password against many accounts. The defense is smart lockout plus FIDO2.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 17, 2025 · 7 min read

#password-spraying #identity #pentest

Brute force died with account lockout policies. Password spraying replaced it. The pattern is the inverse: one password tried against many users, slowly enough to stay below the lockout threshold. It is the most common credentialed-access path we see on external assessments and the technique behind real breaches every quarter.

Methodology

Build a user list. Public sources: LinkedIn, GitHub, Hunter.io, the company's website, leaked breach data on dehashed.com. Convert the names to the email format used internally (firstname.lastname@corp.com is the most common). Pick a seasonally relevant password: Spring2026!, Welcome1!, Company2026!. Spray with kerbrute against AD or MSOLSpray against Microsoft Entra ID, with a 1-2 hour delay between rounds and a randomized account order.

  • kerbrute passwordspray -d corp.local users.txt 'Spring2026!': against on-prem AD via Kerberos pre-auth.
  • MSOLSpray --UserList users.txt --Password 'Welcome1!' --Output results.csv: against Entra ID.
  • Spray and Pray (Trevor Spray): supports tenant discovery and slow rates against multiple endpoints.
  • Atomizer or fireprox to rotate source IPs and avoid per-source rate limits.

Why it still works

Three reasons. Lockout policies trigger on N failures per account in a window; spraying touches each account once or twice, well below the threshold. Many environments still allow legacy authentication (IMAP, POP, SMTP AUTH), which bypasses MFA in some configurations. And a meaningful percentage of users still pick a single seasonal pattern that satisfies both the complexity policy and human memory.

Detection

Look for low-and-slow patterns. The signature is many distinct user accounts with one or two failed authentications each in a tight window, often from the same source IP or the same source ASN. Microsoft Sentinel has a built-in detection rule for password spray. On AD, Event 4625 with substatus 0xC000006A (bad password) across many accounts within minutes is the signal. Account lockouts (4740) clustered in time also indicate a spray that crossed the threshold.

Remediation

  1. Deploy phishing-resistant MFA, ideally FIDO2 hardware keys or platform passkeys, for all users. Microsoft Authenticator with number matching is acceptable; SMS is not.
  2. Disable legacy authentication entirely (basic auth, IMAP, POP, SMTP AUTH). Most spray attacks target these endpoints because they bypass MFA.
  3. Enable smart lockout (Entra ID has it built-in). It tracks per-source patterns, not just per-account counts.
  4. Block common passwords with a banned-password list: Microsoft's global banned list plus a custom list with the company name, current year, current season, and product names.
  5. Implement conditional access. Block sign-ins from unfamiliar countries, block legacy clients, require compliant devices for high-risk apps.
  6. Build a SIEM detection: distinct users with failed auth from a single IP > 25 in 30 minutes. Tune up from there based on noise.
  7. Educate but do not rely on it. Password spraying succeeds because policy makes seasonal passwords compliant. Fix the policy and the auth, not the user.
