The Microsoft Detection and Response Team (DART) and Microsoft’s Threat Intelligence team have been investigating a recent uptick in password spray attacks against O365 users. These identity-based attacks can give an attacker whatever the compromised user can reach, including sensitive data and internal systems. The malicious activity would then appear to be the user’s own normal account activity. A compromised account can also expose resources from which additional credentials can be harvested, extending the attacker’s reach to yet more resources.
Password spray attacks include the ‘low and slow’ and ‘availability and reuse’ methods, which were outlined by Microsoft DART. The low and slow method deploys a sophisticated password spray using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.” The availability and reuse method leverages credential stuffing: it takes credentials exposed in data breaches and relies on people reusing the same passwords and usernames across sites.
Password attacks often target legacy and unsecured authentication protocols, because those protocols cannot enforce multi-factor authentication (MFA) and often lack a rich audit trail. DART and the Threat Intelligence team at Microsoft have observed a recent shift toward targeting applications that use the REST API. Commonly targeted applications are Exchange ActiveSync, IMAP, POP3, SMTP Auth and Exchange Autodiscover. A password spray can be difficult to detect, and it avoids the account lockouts that would normally be triggered by brute forcing a single account with many passwords. Researchers estimate that more than a third of account compromises are password spraying attacks, even though such attacks have only a 1% success rate against targeted accounts.
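The detection difficulty described above comes from the spray pattern itself: one source touches many accounts with only a handful of guesses each, so no single account crosses a lockout threshold. The following added example (not code from Microsoft DART or the original article) shows detection logic over a constructed sign-in log in a hypothetical whitespace-separated format; it flags a source IP whose failures span many distinct accounts within a time window while staying below a per-account count, and then lists accounts that later signed in successfully from that source. Thresholds, the log format and the `parse` helper are assumptions to adapt to your identity provider's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: timestamp user source-IP result (hypothetical format).
SAMPLE_LOG = """\
2021-01-10T09:00:01Z alice@example.com 203.0.113.5 FAILURE
2021-01-10T09:00:04Z bob@example.com 203.0.113.5 FAILURE
2021-01-10T09:00:07Z carol@example.com 203.0.113.5 FAILURE
2021-01-10T09:00:10Z dave@example.com 203.0.113.5 FAILURE
2021-01-10T09:00:13Z erin@example.com 203.0.113.5 FAILURE
2021-01-10T09:00:16Z frank@example.com 203.0.113.5 SUCCESS
2021-01-10T09:01:00Z alice@example.com 198.51.100.7 FAILURE
2021-01-10T09:01:05Z alice@example.com 198.51.100.7 FAILURE
2021-01-10T09:01:09Z alice@example.com 198.51.100.7 SUCCESS
"""

def parse(log_text):
    """Parse the sample format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events

def find_spray_sources(events, window=timedelta(minutes=60),
                       min_accounts=5, max_per_account=3):
    """Map source IP -> targeted users for IPs whose failures hit at least
    `min_accounts` distinct accounts inside `window` while staying at or below
    `max_per_account` failures per account (the pattern that evades lockout)."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, evs in failures.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            counts = defaultdict(int)
            for ts, user in evs[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break
    return flagged

def successes_from_spray_sources(events, flagged):
    """Accounts that then signed in successfully from a flagged spray IP."""
    return sorted({u for _, u, ip, r in events if r == "SUCCESS" and ip in flagged})
```

In the sample, 203.0.113.5 is flagged (five accounts, one failure each) while 198.51.100.7 is not, since its two failures all hit one account, which a per-account lockout policy would catch instead.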
To protect against password attacks, organizations should use a complex password policy and multi-factor authentication as a first line of defense.
Detailed below are some additional mitigation measures:
• Brute force prevention should be enabled on both username and password input fields.
• Set account lockout policies after a certain number of failed login attempts.
• Implement CAPTCHA if lockout is not a viable option.
• Any administrative applications should force users to change their password on first login.
• Use multi-factor authentication on externally facing services.