Our Annual Cybersecurity Assessment is out: 55% of security teams were told to keep a breach quiet. — See what else 1,200 pros revealed >>

What Is Password Spraying?

Password spraying is a technique used in credential attacks that, instead of targeting one account with many password guesses, uses the simple inverted tactic of taking a single common password and testing it across a large number of user accounts. Then, it repeats the process with the next password down the list.

The name comes from the method used: “spraying” describes the wide, horizontal application of a single password across an entire user base, based on coverage rather than concentration. In threat intelligence reports and frameworks like MITRE ATT&CK, we can see the same technique referred to as a “horizontal password attack,” a “spray attack,” or a “low-and-slow authentication attack,” different labels that describe the same logic.

This can work due to basic probability, as in any organization that has hundreds or thousands of employees, the statistical likelihood that at least one person is using Summer2023, Company123, or the default credential their IT department issued and never asked them to change is pretty high.

The reason attackers prefer this approach over traditional methods is that most authentication systems will lock an account after several consecutive failed attempts. Spraying never concentrates attempts on a single account long enough to trigger the threshold. Password spraying is not a technical exploit, as no vulnerability is being leveraged and no code is being broken. It is an opportunistic tactic that turns poor credential hygiene into an entry point.

This single valid credential that happens to be guessed can become the starting gun for unauthorized access, lateral movement through the network, data exfiltration, or worse. Password spraying is one of the preferred methods used by threat actors to log in successfully without breaking in.

How a Password Spraying Attack Works

The Password Spraying Attack Chain
  1. Reconnaissance & username collection. Attackers build a target list before trying to log in using a well-known corporate quirk in email formats, which usually have a predictable form: first name and last name with a period in between (i.e., ). This standard can be found across thousands of organizations. It can be combined with the fact that employee names are available through public sources such as LinkedIn or online directories, and sometimes past breach databases are used as a source. Attackers can also validate which accounts actually exist before spraying, using various tools. For example, they might use Kerbrute to send Kerberos AS-REQ packets directly to domain controllers. A response of KDC_ERR_PREAUTH_REQUIRED confirms the account exists; KDC_ERR_C_PRINCIPAL_UNKNOWN means it doesn't. Basic monitoring setups are triggered by the standard failed logon Event ID 4625, but the method described here usually generates Event ID 4768, which is a different artifact.
  2. Password selection. Attackers use short, curated lists based on human predictability. For example, they might test seasonal patterns like “Autumn2026!” / “Winter2025!” or common defaults like “Welcome1.” There are also organization-specific guesses, like a company in May be a good fit for testing something predictable like “Cowboys123!” if from Dallas or “Hotspurs123!” if in Tottenham.
  3. Execution. One password is tested against every account, followed by a pause (30 minutes or more, in general). The next password is then tested, a pacing that keeps failed attempts per account below lockout thresholds. There is also the obstacle of IP-based rate limiting. For this, requests are routed through residential proxies, Tor exit nodes, or tools like FireProx, which creates pass-through proxies via AWS API Gateway, and as a result, every single request exits from a different IP address.

This execution model is applied across multiple authentication surfaces. Primary targets include SSO portals, VPN gateways, M365, Okta, and OWA. Legacy protocols like IMAP, POP3, SMTP, and Basic Auth are attractive because they predate MFA entirely; in other words, there is no mechanism in these protocols to issue a second-factor challenge. Guessing the password grants unconditional access. The question arises if this doesn’t take too long, and the reality is that a full campaign can unfold over days or weeks. The exact campaign length usually depends on how cautious the attacker is.

Tools & Techniques Used by Attackers

In the MITRE ATT&CK framework, password spraying is classified as T1110.003. It differs from T1110.001, which concentrates many passwords against one account, and T1110.002, which cracks stolen password hashes offline. The distinction matters because each sub-technique leaves different log artifacts and requires different detection logic.

Password Spraying Tools at a Glance

Tool

Target

Key Distinction

Spray365

Azure AD / M365

Pre-generates a randomized execution plan with variable delays to evade Smart Lockout and time-series anomaly detection

MSOLSpray

Microsoft Online

Parses Azure AD error codes to silently validate credentials and MFA status — without triggering a push notification

Go365

M365

Uses a SOAP endpoint most tools don’t target, reducing detection by standard filtering

SharpSpray

On-prem Active Directory (LDAP)

Executes entirely in memory via Cobalt Strike, bypassing antivirus that scans files on disk

Kerbrute

Active Directory (Kerberos)

Validates usernames at 10,000+ attempts/sec; generates Event ID 4768, not the standard failed logon Event ID 4625

FireProx

Infrastructure layer

This is, in fact, not a spraying tool, but it helps rotate source IPs through AWS API Gateway so every request appears from a different address

Why Password Spraying Is Effective?

The success of password spraying comes from its alignment with how credentials are actually created and managed in real environments. Weak and patterned passwords remain common across organizations of any size. Large user populations rely on superficial seasonal variations, default onboarding credentials that are never changed, and company-based patterns. Another common widespread phenomenon is credential reuse of the same passwords across both personal and work accounts.

There are clear password policies meant to solve this problem of predictable passwords, but they, in fact, can reinforce the patterns, as requirements can be easily satisfied by constructions like “CommonWord1!” or predictable changes such as “CommonWord1” becoming “CommonWord2”. This behavior has led NIST to recommend against forced periodic password rotations.

There is a clear structural gap in how visible suspect authentication is when login attempts are distributed across many accounts and originate from different sources. Individual failures could resemble normal user behavior, and the main weakness is that account lockout policies operate per user, not across the environment. In reality, threshold-based controls are rarely triggered.

Password Spraying in Cybersecurity Environments

Password spraying is disproportionately effective against identity systems, and the reason is simple: in these environments, only one guessed password can unlock many other accounts.

In enterprise Active Directory, user credentials are the key to the domain, and the domain controls access to internal file shares, applications, and services. A valid account, even a low-privileged one, gives an attacker a legitimate foothold inside the network rather than at its edge.

Cloud identity providers such as Microsoft Entra ID, Google Workspace, and Okta are internet-facing by design, requiring a cloud security posture aligned with the CISA Cloud Security Technical Reference Architecture. They also sit at the center of an organization's application stack, as email, collaboration tools, HR systems, and business-critical SaaS platforms all authenticate through the same provider.

VPN gateways, OWA, RDP endpoints, and SSO portals have to stay publicly accessible to support remote work, which means they cannot be tucked away behind a perimeter. They are always there, always reachable. In federated environments, they tie back into the same centralized identity layer, so a successful spray on any one of them can open up access that goes well beyond what that single entry point would normally suggest.

Password Spraying vs Other Credential Attacks

Credential-based attacks are often grouped together, but they differ in how they distribute attempts and what the attacker already knows going in.

How Credential Attacks Differ

Password Spraying vs Brute Force

Brute force attacks are account-centric, targeting a single account while cycling through large numbers of password guesses. They repeat this until one succeeds or the account locks.

Password spraying is password-centric: it applies a small set of common passwords across many accounts.

Password Spraying vs Credential Stuffing

Credential stuffing relies on known credentials, not guesses. Attackers use username-password pairs obtained from previous breaches and test them across other services, assuming reuse.

Password spraying starts without that advantage. The attacker has usernames but must rely on probable passwords. While both approaches operate across many accounts, stuffing validates existing credentials, whereas spraying searches for weak ones.

Password Spraying vs Dictionary Attacks

Dictionary attacks focus on password depth. In other words, it is testing large wordlists against a small number of accounts.

Password spraying focuses on account breadth, testing a very small number of passwords across a wide user base.

Attack Type

Attack Vector

Data Required

Lockout Risk

Detection Signature

Password Spraying

Few passwords across many accounts

Username list

Low (per account)

Distributed failures across many users

Brute Force

Many passwords against one account

Single username

High

Rapid repeated failures on one account

Credential Stuffing

Known credential pairs reused at scale

Breached username-password pairs

Low to medium

Higher success rate using known credentials

Dictionary Attack

Large password list against few users

Username(s) + password wordlist

High

High-volume failures per account

Password Spraying Attack Examples

Password spraying might look like an edge case, but the reality is far from it, at least according to Microsoft’s Digital Defense Report, which states that the vast majority of identity attacks involve password spraying or brute-force attempts. At the same time, Verizon’s DBIR continues to show that compromised credentials are one of the most common entry points in real-world breaches.

There is a wide exposure in cloud environments, as a successful login against a centralized identity provider or SSO portal gives access to every service tied to that account (email, file storage, collaboration platforms) through a single set of credentials.

Midnight Blizzard (2024). A password spray targeting a legacy, non-production test tenant without MFA gave Russian state actors an initial foothold in Microsoft’s Entra ID environment. From there, they identified a legacy OAuth application that still held elevated permissions, used it to grant themselves broad Exchange mailbox access, and exfiltrated communications from senior leadership and security teams. Lesson: test and non-production accounts are not isolated; they can provide the same level of access as active environments and must be secured accordingly.

APT28 (2019–2023+). GRU Unit 26165 ran industrialized spray campaigns against M365 tenants across hundreds of organizations, routing attempts through approximately 1,100 rotating IP addresses and keeping attempts to around four / hour / account. Sustained access to government and defense networks lasted six months or more in several cases. Lesson: At this level of distribution and low-and-slow pacing, traditional threshold-based detection simply does not trigger.

CISA AA22-074A / Cisco Duo (2022). A dormant NGO account that had been removed from Duo MFA due to inactivity was never disabled in Active Directory. That was enough for Russian state-sponsored actors to gain access and take advantage of Duo’s “fail open” behavior to register their own MFA device. Then, they modified the Windows hosts file to redirect the Duo service to localhost, effectively disabling MFA across the environment. From there, they moved laterally and exfiltrated documents. The lesson is that dormant accounts become a problem when they remain active in any part of the environment, especially if MFA is no longer enforced. In this case, access can be granted without a second factor, even if it is required elsewhere.

Impact of Password Spraying Attacks

The spray itself is just the entry, as initial account takeover offers the attacker the appearance of a legitimate user based on the valid credentials obtained. The repercussions depend on what the compromised account exposes. The impact does not stay technical. Under regulations such as GDPR, HIPAA, and NIS2, a confirmed account compromise can trigger mandatory disclosure and regulatory scrutiny, along with long-term trust issues.

Advanced Password Spraying Variants & Evolution

The technique used in advanced attacks remains the same; only more infrastructure and operational discipline are put behind it in sophisticated campaigns. Attempts are distributed, sometimes over thousands of compromised residential nodes, and each of them makes only one or two requests per account per day. The goal is simple: no source needs to generate enough volume to trigger an alert. The traffic comes from legitimate residential ISP ranges to pass IP reputation filtering.

Attention to detail is also greater. For instance, spray activity is within normal working hours in the target's time zone, like in the case of Peach Sandstorm, which limited its operations to 9 AM - 5 PM Iran Standard Time, making the traffic patterns look more regular.

When there is a higher level of planning, password lists are less generic and use breach data, more specific organizational naming conventions, and seasonal patterns relevant to the target sector. AI models trained on leaked credential datasets can surface statistically probable passwords far beyond what can be done through manual curation, which lead to AI and machine learning being increasingly used to automate this process. The same contextual intelligence is then reused after initial access to craft targeted follow-on attacks against higher-value accounts from the same environment.

After a password is guessed, the attacker might face an MFA and use repeated prompts to further the attack, sometimes in quick succession. The attacker might even follow up with a fake IT message or call, presenting it as a routine check and demanding confirmation.

When an account is validated, this often leads to further access attempts. Internal emails and contact patterns can then be used to approach other users, especially those with broader access.

For APT groups such as Midnight Blizzard, APT28, Peach Sandstorm, and Storm-0940, password spraying under T1110.003 is a deliberate initial access choice. The reasons are easy to deduce - this approach requires no exploit, leaves almost no forensic traces, and produces a valid credential attached to a session that looks entirely legitimate, which can be operationally extremely durable.

Password Spraying Detection & Mitigation

Detecting a password spray requires looking past individual login failures to identify a distributed pattern. Because these attacks are low-and-slow, the evidence is often scattered across thousands of log entries.

Indicators of a Password Spraying Attack (IoCs)

The primary IoC is a failure pattern noticeable across a broad set of usernames, with key signals such as:

  • High-volume & low-frequency failures: Multiple accounts failing authentication within a specific window + each individual account only failing once or twice.
  • Predictable credentials: The above failures are related to common passwords or organization-specific guesses.
  • Infrastructure anomalies: Logins originating from unlikely sources,  geographically, known Tor exit nodes, or rotating residential proxies.
  • MFA fatigue: A sudden spike in denied MFA prompts as users reject unauthorized access requests.
  • Account activity: Disabled or service accounts that have not been active in months (dormant accounts) start displaying failed login attempts.

How to Detect Password Spraying

SIEM correlation logic aggregating telemetry across the identity stack is at the base of modern detection.

  • Active Directory: Event ID 4625 (failed logon) and Event ID 4771 (Kerberos pre-auth failure) that appear across many distinct accounts when monitored can reveal password spraying. Considering that 4771 is not audited by default, Kerberos-based sprays can go undetected.
  • Entra ID / M365: Analyze sign-in logs for error code 50126 across multiple accounts. Cases where authentication succeeded but was blocked by MFA or Conditional Access indicate a valid credential has already been guessed.
  • UEBA and behavioral analytics: Distinguishes a spray from legitimate noise, such as a misconfigured VPN client or SSO retries after a password change.
  • Honeypot accounts: Decoy accounts that appear legitimate but are never used by real employees provide a near-zero false-positive detection trigger.

How to Confirm Password Spraying

If a spray is confirmed, the first 24 to 72 hours determine how far it spreads.

  1. Block the source. Restrict the IPs involved at the firewall or WAF, knowing that distributed sprays often won’t rely on a single address.
  2. Disable legacy authentication. Disable legacy authentication protocols such as POP3, IMAP, and Basic Auth. These paths do not enforce modern authentication controls and are frequently used in password spraying attempts.
  3. Reset affected credentials. Any account that authenticated during the spray window should have its password reset and active sessions revoked.
  4. Check earlier activity. Review recent logs as part of a retro hunt and look for signs that access was already used on affected accounts, such as forwarding rules, OAuth access, or new MFA devices.
  5. User communication. Alert the workforce to report unexpected MFA prompts and treat any that were approved during the window as potentially compromised.

How to Prevent Password Spraying

Password spraying can be best stopped by making a guessed password not enough. These are various ways to achieve this:

Control

Description

MFA at all entry points

Makes a correct password only one part of the login decision.

Disable legacy protocols

IMAP, POP3, SMTP Auth, Basic Auth, EWS, and MAPI allow access without a second factor and should be removed.

Password policy

Block common and breached passwords; prioritize length over complexity.

Passkeys and passwordless authentication

Removes passwords entirely, leaving nothing to guess.

Conditional access

Allows or blocks logins based on device, location, and sign-in risk.

Geo and IP-based challenges

Flag or block access from unusual regions or anonymized networks.

Smart lockout and rate limiting

Track failures by account and source to distinguish probing from user mistakes.

Continuous monitoring

Correlate activity across accounts to identify patterns early.

Canary (unused) accounts

Login attempts against these can indicate directory probing.

User education

Avoid predictable passwords and never approve unexpected MFA prompts.

How Bitdefender Can Help

Bitdefender’s GravityZone unified platform focuses on the areas where password spraying is hardest to see, especially when attempts are distributed and stay below lockout thresholds.

Risk Management brings attention to the weak points these attacks rely on. This includes gaps in MFA enforcement and password-related risks, such as low complexity or the use of predictable patterns.

Authentication traffic is also monitored at the network level across services such as RDP, SMB, and SSH. Repeated login attempts can be identified and interrupted before they reach accounts.

On their own, failed logins look like normal user error. Across systems, they form a pattern. GravityZone EDR and XDR bring those signals together from endpoints, identity providers, and cloud services.

ITDR adds a dedicated view into identity activity, making it easier to spot login attempts spread across accounts, unusual access locations, and MFA prompts that were never initiated by the user.

Supposing that an account is taken over, PHASR steps in and dynamically restricts what it can reach. It limits access to sensitive systems, administrative tools, and lateral movement paths based on how the account is behaving.

Bitdefender Managed Detection and Response (MDR) offers continuous monitoring and threat hunting, so that patterns are detected faster, and support for rapid containment when needed is provided. Bitdefender Offensive Security Services can run controlled simulations. Penetration Testing and Red Teaming are methods that can stress-test defenses and expose gaps in the incident response readiness of the organization.

Does changing passwords every 90 days help?

Not as a routine control. Forced rotation leads users toward predictable patterns (Summer2024! becomes Autumn2024!), which are exactly what spray lists target. NIST SP 800-63B advises against arbitrary periodic expiration for this reason, recommending longer passphrases and banned password lists instead.

One compliance exception: PCI DSS v4.0 still requires 90-day rotation when a password is the sole authentication factor. MFA removes that requirement, which is one more argument for treating MFA as the baseline. Forced resets still make sense when there is confirmed evidence of compromise, but that is a response to a specific event, not a standing policy.

Is password spraying illegal?

Yes. Like any unauthorized access attempt, it doesn't matter that no vulnerability was exploited or that the passwords were just guesses; the act of attempting to log into accounts you have no right to access is enough. In the U.S., that falls under the CFAA; most EU member states have equivalent statutes.

How can I test my organization's vulnerability to password spraying?

The closest you can get to a real answer is to simulate the conditions of the attack, usually through an internal red team exercise or an external engagement. The value is not in whether access is obtained, but in how the activity is handled while it is happening.

What tends to matter more is how the environment reacts. Do authentication patterns stand out once they spread across accounts, how quickly does that reach the right team, and whether the response follows a clear path. In many cases, the more useful result is not a compromised account, but the points where the activity blends in.

Any test requires explicit written authorization and a defined scope before a single attempt is made.

Is a password spraying incident a reportable breach by law?

A password spraying attempt on its own is not automatically reportable, but a confirmed account compromise can trigger legal obligations. NIS2 expects organizations to issue an early warning (within 24 hours), followed by a formal notification (within 72 hours). GDPR follows a similar 72-hour disclosure window once a breach is confirmed. HIPAA allows up to 60 days for notification, but applies to a broad range of scenarios where unauthorized access to protected data is suspected.

Many of the controls that prevent this are the same ones these frameworks already require. MFA for access to sensitive systems appears in both NIS2 and PCI-DSS. NIST SP 800-63 has moved away from forced rotation toward blocking weak and previously exposed passwords. ISO 27001, SOC 2, and HIPAA all expect authentication logs to be detailed enough to reconstruct what happened and when, which in spraying cases usually means understanding how long the access went undetected before anyone noticed.

Does Zero Trust protect against password spraying attacks?

A successful login often opens access to more than it should. Once credentials are accepted, most systems stop asking questions. What Zero Trust does is change that behavior. Access does not rely on the password alone and is checked again after login. Device state, location, and sign-in patterns are taken into account before access is allowed. If a password is guessed, the account does not automatically reach everything. What it can access depends on those additional checks, which limits how far the activity can go.