Skip to content
Threat Feed
high advisory

Azure AD Password Spraying Attack Detection

A single source IP failing to authenticate with multiple valid users in Azure AD, potentially indicating a Password Spraying attack, is detected using Azure SignInLogs and the 3-sigma rule to identify anomalous failed login patterns.

This brief focuses on detecting password spraying attacks targeting Azure Active Directory (Azure AD) environments. The attack is characterized by an attacker attempting to authenticate to multiple accounts with a list of common passwords from a single source IP. This method aims to evade account lockout policies and gain unauthorized access. The detection analytic uses Azure SignInLogs data, calculating standard deviation for source IPs, and applying the 3-sigma rule to identify unusual numbers of failed authentication attempts. Successful attacks can lead to unauthorized access, privilege escalation, and data compromise. The detection logic looks for errorCode=50126 in the sign-in logs, corresponding to invalid username or password errors.

Attack Chain

  1. The attacker identifies a target Azure AD tenant.
  2. The attacker obtains a list of valid usernames, often through OSINT or previous breaches.
  3. The attacker initiates authentication attempts against multiple user accounts using a list of common passwords from a single source IP address.
  4. Azure AD records failed sign-in attempts with errorCode=50126 in the SignInLogs.
  5. The detection analytic aggregates failed authentication events by source IP address and calculates the number of unique user accounts targeted within a 5-minute window.
  6. The analytic compares the number of unique accounts targeted by each source IP to the average and standard deviation of unique accounts targeted by other IPs.
  7. Source IPs exceeding the 3-sigma threshold are flagged as potentially malicious.
  8. If successful, the attacker gains initial access to a user account and can then move laterally within the Azure AD environment, potentially escalating privileges and compromising sensitive information.

Impact

Successful password spraying attacks can lead to unauthorized access to sensitive data and resources within an Azure AD tenant. This can result in data breaches, financial loss, and reputational damage. While the number of victims is unknown, the impact can be widespread, affecting any organization relying on Azure AD for identity and access management.

Recommendation

  • Deploy the Sigma rule "Azure AD Unusual Number of Failed Authentications From Ip" to your SIEM to detect potential password spraying attacks.
  • Enable and monitor Azure Active Directory SignInLogs to provide the necessary data source for the detection rule.
  • Investigate any alerts generated by the Sigma rule to determine whether the activity is malicious or a false positive.
  • Review and enforce strong password policies within Azure AD to mitigate the risk of password spraying attacks.
  • Implement multi-factor authentication (MFA) to add an additional layer of security and prevent unauthorized access even if passwords are compromised.
  • Use the drilldown searches to investigate user accounts involved in the anomalous activity, looking for signs of compromise.

Detection coverage 2

Azure AD Unusual Number of Failed Authentications

high

Detects a single source IP failing to authenticate with multiple users in Azure AD, indicating potential password spraying.

sigma tactics: initial_access techniques: T1110.003 sources: network_connection, azure

Azure AD Failed Sign-in from Multiple Geolocation

medium

Detects a userPrincipalName failing to authenticate from multiple geolocation

sigma tactics: initial_access techniques: T1110.003 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →