THREAT-M365-PasswordSpray Google Chronicle · YARA-L

Detecting Microsoft 365 Password Spray Attacks in Google Chronicle

Password spraying against Microsoft 365 / Entra ID remains one of the most effective initial access techniques against SMBs. Attackers take a list of valid corporate usernames (harvested from LinkedIn, HaveIBeenPwned or prior breaches) and try a handful of common passwords (season+year, company-name variations, Welcome1!) against every account, staying below the per-account lockout threshold because each account only sees one or two attempts. Microsoft disclosed in January 2024 that Midnight Blizzard (Cozy Bear / APT29) used a password spray against a legacy non-production test tenant account to gain its initial foothold in Microsoft's corporate environment. Storm-1152, a cybercrime-as-a-service group dealing in fraudulent accounts and credential fraud, offers this capability to other threat actors. NCSC UK has repeatedly warned about Iranian and Russian actors spraying UK SMBs in critical sectors. Sprays favour legacy authentication protocols (IMAP, POP, SMTP AUTH, MAPI) and Basic Auth endpoints that cannot complete MFA, so an organisation with MFA enforced for interactive sign-ins is still exposed wherever Basic Auth remains enabled (Microsoft has disabled it by default in Exchange Online for everything except SMTP AUTH, which tenants can still turn on). Even where MFA does block the session, a sign-in that fails only at the MFA step (result codes 50074, 50076, 50079) tells the attacker that the password was correct; treat those accounts as compromised credentials rather than as failed attempts.

MITRE ATT&CK

Tactic
Credential Access

Technique
T1110.003 Brute Force: Password Spraying

YARA-L Detection Query

Google Chronicle (YARA-L)
rule m365_password_spray_t1110_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects M365/Entra ID password spray: 20+ auth failures targeting 10+ unique accounts from the same source IP within 30 minutes"
    mitre_attack_technique = "T1110.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // Failed sign-ins from the Entra ID (Azure AD) sign-in log feed. Confirm the
    // product_name your parser version emits before deploying.
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "FAIL"
    $e.metadata.product_name = "Azure AD"
    // Placeholders: the source IP is the match variable; the targeted account
    // is bound so the condition can count distinct values.
    $e.principal.ip = $src_ip
    $e.target.user.email_addresses[0] = $user

  match:
    // Group all qualifying failures from one source IP in a 30-minute window.
    $src_ip over 30m

  condition:
    // #e counts failures in the window, #user counts distinct targeted accounts.
    #e >= 20 and #user >= 10
}

Chronicle YARA-L 2.0 rule detecting password spray against Microsoft 365 by aggregating failed sign-ins per source IP over a 30-minute window and alerting only when at least 20 failures span at least 10 distinct accounts. Because the match variable is the source IP alone, a spray rotated across many IPs (residential proxy pools) or throttled below 20 failures per 30 minutes from any one IP will not trigger it; pair it with a tenant-wide distinct-account count or a per-account failure rule for those cases.

Data Sources

Microsoft Entra ID (Azure AD) sign-in logs ingested into Google Chronicle (AZURE_AD log type)

Required Tables

UDM Events (USER_LOGIN)

False Positives & Tuning

  • NAT and shared egress (corporate NAT, VPN concentrators, VDI farms): many legitimate users fail from one IP, especially after a forced password change; allowlist known egress ranges or raise the thresholds for them
  • Misconfigured service accounts or devices with stale cached credentials retrying in a loop: these usually stay under the 10-distinct-account requirement on their own, but several of them behind one NAT combine with ordinary user typos to cross it

Testing Methodology

Validate this detection against the following Atomic Red Team test for T1110.003. The test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: M365 Password Spray via AADInternals (Low-Slow)

    Expected signal: Entra ID (Azure AD) sign-in logs record an authentication failure (result code 50126, InvalidUserNameOrPassword) for each user/password pair tried, with many distinct users from a single IP within a short window. A deliberately low-and-slow run that stays under 20 failures per 30 minutes from one IP will not trigger this rule as written; either run the test fast enough to cross both thresholds or lower them in a test environment, confirm the rule fires, then restore the production values.
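To see exactly which traffic the condition above catches and which it misses, here is an added worked example (not Chronicle code and not part of the original page) that replays the rule's aggregation over constructed Entra ID sign-in records. It approximates the YARA-L `match: $src_ip over 30m` as a sliding 30-minute window per source IP, applies the same thresholds, and separates the 50126 wrong-password failures named in the test above from the 50074/50076/50079 failures where the password was accepted and only MFA was refused. The IPs are RFC 5737 documentation addresses and the example.com accounts are placeholders; the three traffic patterns (fast spray, low-and-slow spray, corporate NAT) are constructed test data.

```python
"""Replay of the rule's aggregation over constructed Entra ID sign-in records.

Added example, not Chronicle code: approximates the YARA-L
`match: $src_ip over 30m` as a sliding 30-minute window per source IP and
applies the same thresholds (20 failures, 10 distinct accounts).  Result
codes follow Entra ID sign-in log semantics: 50126 = InvalidUserNameOrPassword,
50053 = account locked, 50074/50076/50079 = MFA was demanded, meaning the
password itself was accepted.  All records below are constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_FAILURES = 20          # YARA-L condition: #e >= 20
MIN_DISTINCT_USERS = 10    # YARA-L condition: #user >= 10
WINDOW = timedelta(minutes=30)

# Result codes where the sign-in "failed" only at the MFA step.
PASSWORD_ACCEPTED_MFA_REQUIRED = {"50074", "50076", "50079"}


def parse_signin(line):
    """Parse one constructed 'ISO-timestamp source-ip upn resultType' record."""
    ts, ip, user, code = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user.lower(), "code": code}


def detect_spray(records, min_failures=MIN_FAILURES,
                 min_users=MIN_DISTINCT_USERS, window=WINDOW):
    """Return {source_ip: (failures, distinct_users)} for every source IP whose
    sliding 30-minute window reaches both thresholds; the largest window wins."""
    by_ip = defaultdict(list)
    for r in records:
        if r["code"] != "0":               # 0 = success, would be ALLOW in UDM
            by_ip[r["ip"]].append(r)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most 30 minutes.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e["user"] for e in window_evs}
            if len(window_evs) >= min_failures and len(users) >= min_users:
                hits[ip] = max(hits.get(ip, (0, 0)), (len(window_evs), len(users)))
    return hits


def password_accepted(records):
    """Accounts whose 'failed' sign-in stopped at MFA: the sprayed password was
    right, so those credentials should be treated as compromised."""
    return sorted({r["user"] for r in records
                   if r["code"] in PASSWORD_ACCEPTED_MFA_REQUIRED})


def constructed_signins():
    """Constructed records: a fast spray, a low-and-slow spray that evades the
    thresholds, and a benign corporate NAT that trips only one of them."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    lines = []
    # Fast spray: 25 accounts, one guess each, 25 s apart, from one IP.
    # user07's password happens to be right, so MFA is demanded (50076).
    for i in range(25):
        code = "50076" if i == 7 else "50126"
        t = base + timedelta(seconds=25 * i)
        lines.append(f"{t.isoformat()} 203.0.113.10 user{i:02d}@example.com {code}")
    # Low-and-slow spray: 12 accounts, one guess every 4 minutes, so no
    # 30-minute window ever holds more than 8 failures.
    for i in range(12):
        t = base + timedelta(minutes=4 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 user{i:02d}@example.com 50126")
    # Corporate NAT: 5 staff mistyping 5 times each = 25 failures, 5 accounts.
    for i in range(5):
        for j in range(5):
            t = base + timedelta(minutes=i, seconds=10 * j)
            lines.append(f"{t.isoformat()} 192.0.2.5 staff{i}@example.com 50126")
    return lines


if __name__ == "__main__":
    recs = [parse_signin(l) for l in constructed_signins()]
    print("spray sources:", detect_spray(recs))
    print("password accepted, MFA blocked:", password_accepted(recs))
```

Only 203.0.113.10 is reported: the NAT source has 25 failures but just 5 accounts, and the low-and-slow source never exceeds 8 failures in any 30-minute window, which is the evasion the test note above warns about. Chronicle's match windows are not strictly sliding, so use this to reason about thresholds rather than to reproduce exact alert counts, and route the `password_accepted` list to an incident rather than to tuning.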
