When One Password Breaks a Hundred Accounts: Detecting Password Spray Before the Damage Compounds

By IPThreat Team May 22, 2026

The Assumption That Gets Security Teams Burned

Most security teams configure their account lockout policies, point to their SIEM dashboards, and consider password spray attacks a solved problem. The logic sounds reasonable: if an attacker tries too many passwords against one account, the lockout triggers. If the SIEM sees too many failed logins from one IP, an alert fires. Detection handled.

That assumption is precisely why password spray remains one of the most consistently successful initial access techniques in enterprise environments. The 0ktapus threat group, which compromised over 130 organizations in a coordinated campaign, relied heavily on credential-based attacks against identity providers rather than exploiting exotic vulnerabilities. The technique works not because defenders lack tools, but because the detection logic is built around the wrong behavioral model.

Password spray attacks invert the classic brute force pattern. Instead of hammering many passwords against one account, attackers try one common password against many accounts. The attack stays below per-account lockout thresholds while distributing enough failed attempts across enough accounts that no single indicator looks alarming in isolation. Understanding this inversion is the foundation of everything that follows.

What a Real Password Spray Campaign Actually Looks Like

Before building detection logic, security teams need an accurate mental model of attacker behavior. Modern password spray campaigns have evolved well beyond simple scripts running from a single IP address.

In practice, attackers using spray techniques will:

  • Space authentication attempts across 20-to-60-minute intervals per account to avoid velocity-based triggers
  • Distribute requests across dozens or hundreds of IPs sourced from residential proxy networks, cloud providers, or compromised infrastructure
  • Target federated authentication endpoints, legacy protocol handlers like IMAP and SMTP, and API-based authentication rather than the primary login portal where MFA is enforced
  • Use valid usernames harvested from LinkedIn, company directories, email patterns, and data breach repositories
  • Prioritize high-value accounts including service accounts, shared mailboxes, and administrator accounts that are less likely to have MFA enforced

State-sponsored groups have refined these techniques extensively. The Kimsuky group, known for targeting research institutions and government organizations, has used credential spraying as a precursor to deploying tools like PebbleDash. The initial spray gets them valid credentials; the subsequent tooling does the persistent damage. Treating the spray as the primary threat misses the point. The spray is reconnaissance and access in one step.

Q1 2026 ransomware incident data continues to show that a significant portion of ransomware intrusions begin with valid credentials obtained through spray attacks or credential stuffing against remote access infrastructure. The attacker arrives authenticated, which means many endpoint and network controls see normal traffic until lateral movement begins.

Where Most Detection Architectures Fall Short

The standard detection approach relies on per-account failed login thresholds and source IP reputation blocking. Both have structural weaknesses against modern spray campaigns.

Per-account thresholds work when attackers target accounts repeatedly. When an attacker tries one password per account across a thousand accounts, each account generates a single failed login event and no threshold triggers. The aggregate picture, a thousand failed authentications across a thousand accounts within a two-hour window, is damning, but viewed one account at a time it is invisible.

Source IP blocking fails when attackers rotate through residential proxies or compromised cloud infrastructure. A spray campaign sourced from 500 residential IPs generates only a handful of failed attempts per source address. IP reputation systems may flag some of those addresses, but residential proxy pools are refreshed constantly, and a fresh address costs the attacker far less than it costs you to identify and block it. Blocking on IP alone is a race the attacker wins by default.

Legacy authentication protocols create additional blind spots. Organizations that have enforced MFA on their primary login portals often leave IMAP, POP3, SMTP AUTH, and legacy Exchange ActiveSync endpoints accessible without MFA enforcement. These protocols carry a bare username and password and cannot complete an MFA challenge, so any policy that relies on prompting for MFA rather than blocking legacy clients outright does nothing for them. Attackers know this and target these endpoints specifically. The authentication telemetry from these protocols frequently flows into separate log sources or is aggregated differently in SIEMs, creating gaps in the holistic view.

Building Detection Logic Around the Actual Attack Pattern

Effective password spray detection requires shifting the unit of analysis from the account and the source IP to the authentication environment as a whole over time.

Aggregate Failed Authentication Rate Baselines

Start by establishing what normal looks like across your entire authentication infrastructure over a rolling 30-day baseline. Calculate the average number of failed authentication events per hour, broken down by authentication endpoint type, geographic region, and time of day. Deviations from this baseline, particularly sustained elevations lasting 30 minutes or more, warrant investigation even when no individual account or IP crosses a threshold.

This baseline approach requires clean telemetry aggregation. Authentication events from Entra ID (formerly Azure AD), on-premises Active Directory, LDAP, legacy Exchange endpoints, VPN authentication, and SSO providers should feed a unified view. If your SIEM is consuming these sources separately without correlation, you have a structural detection gap.

The Account Diversity Signal

One of the most reliable indicators of password spray activity is high account diversity in failed authentications from a common source or within a short time window. A legitimate user failing authentication generates repeated failures against one account. A spray campaign generates one or two failures against many distinct accounts.

Build a detection rule that calculates the ratio of unique accounts targeted to total failed authentication events over rolling 15-minute and 60-minute windows. A ratio approaching 1.0, meaning almost every failure involves a different account, combined with a total failure count above a threshold calibrated to your baseline, is a high-fidelity spray indicator. This signal holds even when attackers distribute across source IPs, because the account diversity pattern persists regardless of how many source addresses they use.

Implementation in most SIEM platforms involves a time-windowed aggregation query. In Splunk, this looks like aggregating authentication failure events by source IP or subnet, counting distinct users targeted, and alerting when the distinct user count exceeds a configured threshold relative to the time window. In Microsoft Sentinel, the equivalent uses KQL with a summarize dcount(UserPrincipalName) over a defined window joined against a baseline threshold.
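The same aggregation expressed as runnable logic, as an added example rather than code from IPThreat or from any SIEM vendor: it slides a 15-minute window over constructed failure events and computes the unique-account ratio environment-wide rather than per source IP, which is why the rotating pool of addresses in the sample does not suppress the alert. The event tuples, the 10-failure floor, the 0.8 ratio cut-off and the window length are assumptions; in production the floor comes from the 30-day baseline described above.

```python
# Added example (not IPThreat's code): the account-diversity signal computed
# environment-wide over a sliding window, so IP rotation does not hide it.
# The event tuples, thresholds and 15-minute window are assumptions.
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
MIN_FAILURES = 10     # assumed floor; calibrate to your 30-day baseline
MIN_DIVERSITY = 0.8   # unique accounts / failures; a spray approaches 1.0


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: (timestamp, source_ip, account, outcome).
# LEGIT: one user mistyping a password five times from one workstation.
# SPRAY: one attempt per account, 45 s apart, rotated across 20 source IPs.
LEGIT = [(_ts(f"2026-05-22T09:{m:02d}:00"), "10.0.0.5", "jdoe@corp.example", "failure")
         for m in range(5)]
SPRAY = [(_ts("2026-05-22T10:00:00") + timedelta(seconds=45 * i),
          f"203.0.113.{(i % 20) + 1}", f"user{i:03d}@corp.example", "failure")
         for i in range(40)]
EVENTS = LEGIT + SPRAY


def diversity_alerts(events, window=WINDOW, min_failures=MIN_FAILURES,
                     min_diversity=MIN_DIVERSITY):
    """Slide `window` over all failures (not grouped by IP) and return one
    alert per contiguous run of windows whose unique-account ratio and
    failure count both exceed the thresholds."""
    failures = sorted(e for e in events if e[3] == "failure")
    buf = deque()
    alerts, firing = [], False
    for ev in failures:
        buf.append(ev)
        while ev[0] - buf[0][0] > window:   # drop events that aged out
            buf.popleft()
        n = len(buf)
        accounts = {e[2] for e in buf}
        ratio = len(accounts) / n
        spray = n >= min_failures and ratio >= min_diversity
        if spray and not firing:            # edge-triggered: alert once per run
            alerts.append({
                "window_end": ev[0].isoformat(),
                "failures": n,
                "accounts": len(accounts),
                "ratio": round(ratio, 2),
                "sources": len({e[1] for e in buf}),
            })
        firing = spray
    return alerts


if __name__ == "__main__":
    for a in diversity_alerts(EVENTS):
        print(a)
```

On the sample, the five retries against one account never fire (ratio 0.2, count below the floor), while the spray fires at the tenth attempt with a ratio of 1.0 across ten distinct source addresses. Grouping by source IP, as the Splunk sketch above does, is a useful second rule, but keep the environment-wide version as the primary one.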

Temporal Spacing as an Attacker Fingerprint

Automated spray tools introduce consistent timing between attempts to avoid triggering velocity-based controls. This consistency is detectable. When you observe failed authentication attempts against multiple accounts spaced at near-identical intervals, particularly intervals in the 20-to-90-second range repeated across hundreds of accounts, you are likely looking at automated spray activity.

Detecting this requires timestamp analysis at a granularity most default SIEM rules ignore. Build a query that extracts inter-event timing for authentication failures from each source IP or authenticated session context, then flag sources where the spread of inter-attempt timing relative to its mean (the coefficient of variation) is unusually low. A low absolute standard deviation on its own is not enough, since a long average gap with modest jitter can look tight in absolute terms. Human users generate irregular timing; spray tools generate regular timing.
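An added example of that timing fingerprint, written for this page rather than taken from IPThreat or any SIEM: it groups constructed failure events by source, computes the gaps between consecutive attempts, and flags a source when the coefficient of variation of those gaps falls below a cut-off. The gap lists, the 0.15 cut-off and the eight-event minimum are assumptions; the `key` parameter lets you group by subnet or session instead of by IP when attackers rotate addresses.

```python
# Added example (not IPThreat's code): inter-attempt timing per source as an
# automation fingerprint. The gap lists, the coefficient-of-variation cut-off
# and the minimum event count are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_EVENTS = 8   # too few gaps and the statistic is meaningless
MAX_CV = 0.15    # std/mean of the gaps; below this, spacing is suspiciously regular


def _build(src, start, gaps, accounts):
    """Turn a list of inter-attempt gaps (seconds) into failure events
    (timestamp, source_ip, account, outcome), cycling through `accounts`."""
    t = datetime.fromisoformat(start)
    evs = [(t, src, accounts[0], "failure")]
    for i, g in enumerate(gaps, 1):
        t += timedelta(seconds=g)
        evs.append((t, src, accounts[i % len(accounts)], "failure"))
    return evs


# Constructed sample: a human retrying one account with irregular pauses,
# and a spray tool walking ten accounts with near-constant 45 s spacing.
HUMAN_GAPS = [3, 11, 47, 8, 120, 5, 33, 19, 2]
TOOL_GAPS = [45, 44, 46, 45, 45, 44, 46, 45, 45]
EVENTS = (_build("10.0.0.5", "2026-05-22T09:00:00", HUMAN_GAPS, ["jdoe@corp.example"])
          + _build("203.0.113.7", "2026-05-22T10:00:00", TOOL_GAPS,
                   [f"user{i:03d}@corp.example" for i in range(10)]))


def timing_fingerprint(events, key=lambda e: e[1], min_events=MIN_EVENTS,
                       max_cv=MAX_CV):
    """Group failures by `key` (source IP by default; pass a /24 or session
    key to survive IP rotation), compute gaps between consecutive attempts,
    and flag groups whose coefficient of variation is below `max_cv`."""
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == "failure":
            groups[key(ev)].append(ev)
    out = {}
    for k, evs in groups.items():
        if len(evs) < min_events:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        out[k] = {
            "attempts": len(evs),
            "accounts": len({e[2] for e in evs}),
            "mean_gap_s": round(m, 1),
            "cv": round(cv, 3),
            "automated": cv <= max_cv,
        }
    return out


if __name__ == "__main__":
    for src, stats in timing_fingerprint(EVENTS).items():
        print(src, stats)
```

The human source lands at a coefficient of variation above 1.0 and is left alone; the tool source, with 45-second spacing and a second or so of jitter, scores around 0.015 and is flagged. Combine this with the account-diversity count rather than alerting on regularity alone, since scheduled service accounts also retry on a fixed cadence.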

Protocol-Specific Monitoring for Legacy Authentication

Legacy authentication endpoints deserve dedicated detection because MFA cannot protect them and because attackers specifically seek them out. Enable diagnostic logging for all legacy protocol authentication in your environment, including Exchange Online legacy auth even if you believe it is disabled. Misconfiguration and shadow IT can leave these endpoints active.

Monitor specifically for: successful authentications via legacy protocols where the authenticating user would normally use modern authentication, authentication attempts against legacy endpoints from IPs with no prior relationship to those accounts, and bursts of IMAP or SMTP authentication attempts against a high number of distinct accounts within a short window.

Microsoft's Entra sign-in logs differentiate between modern and legacy authentication in the client app field (clientAppUsed). Entra Conditional Access can block legacy authentication outright, but detection should precede or accompany enforcement to catch gaps and provide forensic visibility.

Contextual Enrichment That Changes Alert Triage

Raw detection signals generate alerts. Contextual enrichment determines which alerts get acted on and how fast. For password spray detection specifically, several enrichment dimensions materially improve triage quality.

Account Privilege Context

A failed spray attempt targeting standard user accounts and a failed spray attempt targeting service accounts and administrator accounts represent very different risk levels. Integrate your identity provider's privilege tier information with authentication event data so alerts include account sensitivity context. A detection rule that fires against 50 standard user accounts gets medium priority. The same rule firing against accounts with privileged roles or service account patterns gets immediate escalation.

Geographic and ASN Consistency

Authentication from an ASN or geographic region with no prior history for a given account or set of accounts adds weight to a spray detection signal. This enrichment works best when combined with other signals rather than used as a standalone trigger, since residential proxy networks can present domestic-looking IPs for geographically remote attackers. Cross-reference ASN ownership type (residential, datacenter or hosting provider) as a risk weighting factor in alert scoring.

Post-Authentication Behavior Correlation

The most operationally important enrichment step is correlating spray detection with subsequent successful authentications. When a spray campaign is detected, immediately query for successful authentication events from any of the involved source IPs or against any of the targeted accounts within the preceding and following hour. A spray detection becomes a confirmed breach indicator if any of those source IPs achieved a successful login, even to a different account than those showing failures.

This correlation is frequently the step that separates a security team that catches the intrusion during the spray phase from one that discovers the breach weeks later during the ransomware deployment phase.

Operational Response When Detection Fires

Detection without a practiced response workflow generates alerts that age in a queue. Password spray alerts require time-sensitive response because the window between successful credential validation and first lateral movement can be short.

Immediate Triage Steps

  1. Confirm the alert is consistent with spray pattern indicators: high account diversity in failures, distributed or repeating source IPs, legacy protocol involvement if present.
  2. Query for successful authentications matching the spray's source IPs or targeted accounts within the detection window. This is your highest priority question.
  3. Identify whether any successfully authenticated accounts have since performed privileged actions, accessed sensitive resources, created new sessions, or made configuration changes.
  4. Pull the full account list targeted in the spray and cross-reference against privileged identity, service account, and sensitive data access inventories.
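The correlation in step 2, together with the privileged cross-reference in steps 3 and 4, as an added example that is not IPThreat's code: it takes the output of a spray detection (window, source IPs, targeted accounts), scans constructed successful sign-ins from an Entra-style log and a VPN log for the hour before and after, and assigns one of the response tiers described in the next section. Because the VPN log writes DOMAIN\user while the sign-in log writes UPNs, the block normalizes usernames first, which is the identifier-consistency problem the telemetry section at the end of the page warns about. The spray record, the events, the privileged inventory, the default domain and the verdict labels are all assumptions.

```python
# Added example (not IPThreat's code): the "did any of them get in?" check
# from triage step 2, run over constructed events from two log sources, with
# the username normalization the correlation depends on and a privileged
# cross-reference (steps 3 and 4). The spray record, events, inventory,
# default domain and verdict labels are all assumptions.
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=1)   # the hour before and after the spray


def normalize_user(raw, default_domain="corp.example"):
    """Collapse 'CORP\\JDoe', 'jdoe' and 'JDoe@Corp.Example' to one form so
    Entra-style UPNs and DOMAIN\\user names from a VPN log correlate."""
    u = raw.strip().lower()
    if "\\" in u:
        u = u.split("\\", 1)[1]
    if "@" not in u:
        u = f"{u}@{default_domain}"
    return u


# Constructed output of an account-diversity detection.
SPRAY = {
    "start": datetime.fromisoformat("2026-05-22T10:00:00"),
    "end": datetime.fromisoformat("2026-05-22T10:30:00"),
    "sources": {"203.0.113.7", "203.0.113.9", "203.0.113.12"},
    "accounts": {"user001@corp.example", "svc-backup@corp.example",
                 "user017@corp.example"},
}
PRIVILEGED = {"svc-backup@corp.example", "admin-it@corp.example"}  # hypothetical inventory

# Constructed successful sign-ins: (timestamp, source_ip, raw_user, outcome, log).
EVENTS = [
    ("2026-05-22T09:15:00", "198.51.100.4", "jdoe@corp.example", "success", "entra"),     # unrelated
    ("2026-05-22T10:41:00", "203.0.113.9", "CORP\\svc-backup", "success", "vpn"),         # spray IP + sprayed account
    ("2026-05-22T11:05:00", "203.0.113.12", "Admin-IT@corp.example", "success", "entra"), # spray IP, other account
    ("2026-05-22T12:30:00", "203.0.113.7", "user001@corp.example", "success", "entra"),   # outside the window
]


def correlate(spray, events, privileged, window=CORRELATION_WINDOW):
    """Return successes within the window that touch a spray source IP or a
    sprayed account (a hit on either is enough, per the triage guidance)."""
    lo, hi = spray["start"] - window, spray["end"] + window
    hits = []
    for ts_s, ip, raw_user, outcome, log in events:
        ts = datetime.fromisoformat(ts_s)
        if outcome != "success" or not lo <= ts <= hi:
            continue
        user = normalize_user(raw_user)
        ip_match, acct_match = ip in spray["sources"], user in spray["accounts"]
        if ip_match or acct_match:
            hits.append({"time": ts_s, "ip": ip, "user": user, "log": log,
                         "ip_match": ip_match, "account_match": acct_match,
                         "privileged": user in privileged})
    return hits


def triage(spray, events, privileged):
    """Map correlation results onto the response tiers in the text."""
    hits = correlate(spray, events, privileged)
    if not hits:
        verdict = "spray_no_success"             # rate-limit, MFA re-prompt, notify
    elif any(h["privileged"] for h in hits):
        verdict = "confirmed_breach_privileged"  # revoke, reset, full IR
    else:
        verdict = "confirmed_breach"
    return {"verdict": verdict, "hits": hits}


if __name__ == "__main__":
    print(triage(SPRAY, EVENTS, PRIVILEGED))
```

On the sample, the VPN success by svc-backup from a spray address and the Entra success by admin-it from another spray address both count, even though admin-it never appeared in the failure list; the success at 12:30 is outside the hour-after window and is left for the longer-horizon hunt.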

Containment Actions Calibrated to Confidence

High-confidence spray detection with no confirmed successful authentications warrants: temporary geo-blocking or rate limiting on the source IP ranges identified, forced MFA re-prompt for targeted accounts at next authentication, and notification to account owners for awareness.

High-confidence spray detection with confirmed successful authentications warrants: immediate session revocation for compromised accounts, forced password reset, MFA re-enrollment, privileged account audit across the environment, and initiation of incident response procedures including forensic review of affected account activity.

Avoid the temptation to silently monitor a confirmed spray hoping to gather attacker intelligence unless you have the operational maturity and legal clarity to run a controlled observation. In most enterprise environments, the risk of lateral movement during observation outweighs the intelligence value of watching the attacker move.

Detection Testing and Continuous Validation

Detection rules that fire during testing often fail silently in production as authentication infrastructure changes, new identity providers are onboarded, or logging configurations drift. Password spray detection specifically requires regular validation because it depends on telemetry aggregation from multiple sources being consistent and complete.

Conduct quarterly purple team exercises that simulate spray attack patterns using a controlled set of test accounts. Verify that the spray simulation generates the expected telemetry in your SIEM, that the detection rules fire within the expected time window, and that alerts reach the correct analyst queue with appropriate enrichment. Document where telemetry gaps appear, as these are the attack surfaces your current detection architecture cannot see.

NIST's decision to prioritize NVD enrichment for vulnerabilities with evidence of real-world exploitation reflects a broader industry recognition that detection effectiveness depends on behavioral modeling rather than static signatures. The same principle applies here: your password spray detection is only as good as its alignment with how real spray campaigns actually behave, and that alignment requires continuous testing against current attacker techniques.

Hardening Measures That Reduce Spray Viability

Detection works best when paired with measures that make the attack harder to execute successfully. Several hardening steps directly reduce spray attack surface without requiring detection logic improvements.

  • Eliminate legacy authentication endpoints. Audit all authentication pathways in your environment, including those created by third-party integrations and shadow IT, and disable legacy protocol support where it is not operationally required. This removes the attacker's preferred MFA bypass route.
  • Keep Entra ID smart lockout, or your identity provider's equivalent, enabled and tuned. Cloud-scale lockout mechanisms use behavioral signals beyond simple failure counts and can recognize spray patterns from the provider's visibility across all tenants, not just your organization's events.
  • Implement FIDO2 or certificate-based authentication for privileged accounts. A passwordless account has no guessable shared secret, so there is nothing for a spray tool to try.
  • Reduce valid username discoverability. Authentication error messages that differentiate between invalid username and invalid password help attackers validate their username lists. Standardize error messages to provide no enumeration signal.
  • Deploy Entra ID Password Protection or equivalent. Block commonly sprayed passwords, including seasonal variations, company name derivatives, and entries from published common password lists, at the directory level.

The Telemetry Foundation Everything Depends On

Every detection capability described in this article depends on comprehensive, consistent authentication telemetry. The most sophisticated detection logic produces nothing when the underlying log data is incomplete.

Audit your authentication telemetry coverage against this checklist: Azure AD or Entra ID sign-in logs including legacy authentication events, on-premises Active Directory authentication events from domain controllers, LDAP authentication logs if in use, VPN authentication logs correlated with Active Directory identity context, SSO provider logs for all federated applications, and email protocol authentication logs for Exchange or equivalent.

Verify that timestamps across these sources are consistent enough for correlation, that usernames are normalized to a common format across sources, and that source IP fields are populated and accurate. Log sources that arrive in your SIEM without source IP, with NAT addresses that obscure external sources, or with inconsistent user identifier formats will silently undermine correlation-based detection rules.

Security teams that invest in telemetry quality before building detection rules consistently achieve better outcomes than teams that build sophisticated rules on top of incomplete data. The attack will come. Whether you see it before the damage compounds depends on whether the data was there to see it in the first place.
