Which SIEM platforms have a THREAT-M365-PasswordSpray detection rule?

df00tech provides THREAT-M365-PasswordSpray (Microsoft 365 Password Spray Attack Detection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the THREAT-M365-PasswordSpray detection?

The THREAT-M365-PasswordSpray detection is rated high severity with high confidence.

What are common false positives for THREAT-M365-PasswordSpray?

Common false positives for THREAT-M365-PasswordSpray include: Misconfigured applications using a service account that have incorrect credentials and fail authentication across multiple tenants; Corporate password rotation events where many users have passwords expired simultaneously and attempt sign-in with old credentials; Load-balanced authentication infrastructure where many employees share an outbound NAT IP (adjust thresholds upward for organisations with NAT).

THREAT-M365-PasswordSpray Elastic Security · Elastic

Detect Microsoft 365 Password Spray Attack Detection in Elastic Security

Q: What data sources are required to detect Microsoft 365 Password Spray Attack Detection (THREAT-M365-PasswordSpray)?

Detecting Microsoft 365 Password Spray Attack Detection requires the following data sources: Azure AD Sign-In Logs (AADSignInLogs), Microsoft 365 Defender Sign-In Activity, Azure Sentinel UEBA.

Password spraying against Microsoft 365 / Entra ID remains one of the most effective initial access techniques against SMBs. Attackers use lists of valid corporate usernames (harvested from LinkedIn, HaveIBeenPwned, or prior breaches) and try a small number of common passwords (season+year, company name variations, Welcome1!) across all accounts — staying below per-account lockout thresholds. Microsoft documented Midnight Blizzard (Cozy Bear) using this to gain initial access to Microsoft corporate accounts in 2024. Storm-1152 (bulk account creation / credential fraud group) services this on behalf of other threat actors. NCSC UK has repeatedly warned about Iranian and Russian threat actors using password spraying against UK SMBs in critical sectors. The attack targets legacy authentication protocols (IMAP, SMTP, MAPI) and BasicAuth endpoints that bypass MFA — even if the organisation has MFA deployed for interactive sign-ins.

MITRE ATT&CK

Tactic: Credential Access

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by source.ip with maxspan=30m
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "failure" and
   azure.signinlogs.properties.status.error_code in (50126, 50053, 50055)] with runs=20

high severity high confidence

EQL detection for password spray: 20 or more authentication failures from the same source IP within 30 minutes — the basic spray threshold.

Data Sources

Elastic Azure AD integration

Required Tables

logs-azure.signinlogs-*

False Positives & Tuning

NAT environments
Misconfigured apps

Download portable Sigma rule (.yml)

Other platforms for THREAT-M365-PasswordSpray

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1M365 Password Spray via AADInternals (Low-Slow)
Expected signal: Azure AD Sign-in logs record authentication failures (error code 50126) for each user/password combination tested. Multiple users from single IP within short window.

Last updated: 2026-04-22 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-M365-PasswordSpray including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1110.003Password Spraying

Related Techniques

T1110.003Password Spraying T1078.004Cloud Accounts T1133External Remote Services T1110.001Password Guessing T1566Phishing

Detect Microsoft 365 Password Spray Attack Detection in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for THREAT-M365-PasswordSpray

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for THREAT-M365-PasswordSpray

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox