The Microsoft Detection and Response Team (DART) and Microsoft's Threat Intelligence team have been investigating a recent uptick in password spray attacks against O365 (Office 365) users. Because these attacks target identities rather than software flaws, a successful guess gives the attacker everything the user can reach, including internal systems, and the resulting activity looks like that user's normal sign-ins. A compromised account also opens access to resources from which further credentials can be harvested, extending the attacker's reach one account at a time.
Microsoft DART describes two password spray methods: 'low and slow' and 'availability and reuse'. In the low and slow method the attacker uses "several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses", keeping the rate per account and per source address below lockout and alerting thresholds. The availability and reuse method is credential stuffing: usernames and passwords exposed in earlier data breaches are replayed against other services, relying on people reusing the same credentials across sites.
Password attacks often target legacy and otherwise unsecured authentication protocols because those protocols cannot enforce multi-factor authentication (MFA) and often leave only a sparse audit trail. DART and Microsoft's Threat Intelligence team have also observed a recent shift toward targeting applications that authenticate through the REST API. Commonly targeted applications are Exchange ActiveSync, IMAP, POP3, SMTP AUTH and Exchange Autodiscover. A spray is harder to detect than a brute-force attack because each account sees only a handful of guesses, so the per-account lockout that would stop a brute-force run against a single account never triggers. Researchers estimate that more than a third of account compromises stem from password spraying, even though the per-account success rate of such attacks is only about 1%.
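A detector for the two patterns described above, written here as an added example rather than code from Microsoft's post. It runs over a constructed set of Azure AD-style sign-in records (the field names follow the sign-in log schema; the values, addresses and accounts are made up), flags a single source address that fails against many accounts with few guesses each, and then, for the low and slow case, measures the breadth of distinct accounts failing over legacy protocols across several addresses within one window. The thresholds are assumed starting points, not Microsoft's.

```python
"""Password-spray detection over constructed Azure AD-style sign-in records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = "50126"   # Azure AD sign-in error: invalid username or password
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Autodiscover"}


def rec(ts, user, ip, client, code="0"):
    """Build one constructed sign-in record (field names mirror the sign-in log schema)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "errorCode": code}


# Constructed sample data: one IMAP4 spray from a single IP, one low and slow spray
# spread over three IPs via ActiveSync, and a benign user who mistypes twice.
SAMPLE_SIGNINS = [
    rec("2021-01-12T09:00:05Z", "a.aaron@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:01:10Z", "b.baker@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:02:30Z", "c.cole@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:04:00Z", "d.dunn@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:05:00Z", "bob@contoso.test", "192.0.2.30", "Browser"),
    rec("2021-01-12T09:06:15Z", "e.evans@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:09:40Z", "f.fox@contoso.test", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    rec("2021-01-12T09:15:00Z", "g.gray@contoso.test", "198.51.100.5", "Exchange ActiveSync", INVALID_CREDENTIALS),
    rec("2021-01-12T09:20:00Z", "h.hill@contoso.test", "198.51.100.6", "Exchange ActiveSync", INVALID_CREDENTIALS),
    rec("2021-01-12T09:28:00Z", "i.ivy@contoso.test", "198.51.100.5", "Exchange ActiveSync", INVALID_CREDENTIALS),
    rec("2021-01-12T09:30:00Z", "alice@contoso.test", "192.0.2.20", "Browser", INVALID_CREDENTIALS),
    rec("2021-01-12T09:30:20Z", "alice@contoso.test", "192.0.2.20", "Browser", INVALID_CREDENTIALS),
    rec("2021-01-12T09:30:40Z", "alice@contoso.test", "192.0.2.20", "Browser"),
    rec("2021-01-12T09:33:00Z", "j.jones@contoso.test", "198.51.100.7", "Exchange ActiveSync", INVALID_CREDENTIALS),
    rec("2021-01-12T09:41:00Z", "k.kim@contoso.test", "198.51.100.6", "Exchange ActiveSync", INVALID_CREDENTIALS),
    rec("2021-01-12T09:52:00Z", "l.lee@contoso.test", "198.51.100.7", "Exchange ActiveSync", INVALID_CREDENTIALS),
]


def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def failed_logons(records):
    return [r for r in records if r["errorCode"] == INVALID_CREDENTIALS]


def spraying_sources(records, min_accounts=5, max_per_account=2, window=timedelta(hours=1)):
    """Single-source spray: one IP, many distinct accounts, few guesses per account.

    The low per-account count is the spray signature: it stays under lockout thresholds,
    which is exactly why a per-account failure counter alone never fires.
    """
    by_ip = defaultdict(list)
    for r in failed_logons(records):
        by_ip[r["ipAddress"]].append(r)
    hits = {}
    for ip, rs in by_ip.items():
        rs.sort(key=_ts)
        for i, start in enumerate(rs):                     # sliding window over failures
            users = Counter(r["userPrincipalName"] for r in rs[i:] if _ts(r) - _ts(start) <= window)
            if len(users) >= min_accounts and max(users.values()) <= max_per_account:
                hits[ip] = {"accounts": len(users),
                            "legacy_clients": sorted({r["clientAppUsed"] for r in rs} & LEGACY_CLIENTS)}
                break
    return hits


def low_and_slow(records, min_accounts=5, min_sources=3, max_per_account=2,
                 window=timedelta(hours=1), legacy_only=True):
    """Distributed spray: guesses are spread over several IPs so no single address trips
    spraying_sources(); measure breadth of distinct failing accounts per window instead.
    Restricting to legacy clients (assumed default) cuts out ordinary browser typos."""
    rs = sorted((r for r in failed_logons(records)
                 if not legacy_only or r["clientAppUsed"] in LEGACY_CLIENTS), key=_ts)
    best = None
    for i, start in enumerate(rs):
        win = [r for r in rs[i:] if _ts(r) - _ts(start) <= window]
        users = Counter(r["userPrincipalName"] for r in win)
        ips = {r["ipAddress"] for r in win}
        if (len(users) >= min_accounts and len(ips) >= min_sources
                and max(users.values()) <= max_per_account):
            hit = {"accounts": len(users), "sources": sorted(ips),
                   "first_seen": win[0]["createdDateTime"], "last_seen": win[-1]["createdDateTime"]}
            if best is None or hit["accounts"] > best["accounts"]:
                best = hit
    return best


def detect(records):
    """Run both detectors; sources already flagged per-IP are excluded from the breadth pass."""
    per_ip = spraying_sources(records)
    remaining = [r for r in records if r["ipAddress"] not in per_ip]
    return {"single_source": per_ip, "distributed": low_and_slow(remaining)}


if __name__ == "__main__":
    print(detect(SAMPLE_SIGNINS))
```

The benign user at 192.0.2.20 is not flagged by either pass: two failures against one account is a typo pattern, not a spray, and the breadth pass ignores browser sign-ins by default. Tune `min_accounts`, `min_sources` and `window` against your own tenant's baseline before alerting on the output; an attacker who spreads guesses thinly enough will still slip under any fixed thresholds, which is why disabling legacy authentication and enforcing MFA matters more than detection tuning.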