Glossary
Password Spray
A brute-force attack pattern where attackers try common passwords against many accounts to evade lockouts.
Password spray is a brute-force attack pattern in which an attacker tries a small number of common passwords (e.g., Spring2024!, Password123) against a large number of accounts, rather than many passwords against one account. The advantage to the attacker: a lockout policy that triggers after N failed attempts on a single account never reaches its threshold, because each account sees only one or two attempts per password, typically spread over hours or days and across many source IPs. The attack pays off because in any large directory at least one account is likely to be using one of the sprayed passwords. Microsoft Entra ID Protection includes a password spray risk detection and flags affected users as risky; Microsoft Defender for Identity detects spray against on-premises Active Directory. Mitigation: MFA for all users, Entra Smart Lockout, Entra Password Protection (banning weak and custom passwords), and ideally passwordless authentication, which removes the password as an attack vector entirely. Detection on your own sign-in logs keys on the inverse of the lockout signal: many distinct accounts with few failures each, coming from the same source or within the same time window, rather than many failures on one account.