Microsoft 365 Password Spray Attack Detection in Splunk
Password spraying against Microsoft 365 / Entra ID remains one of the most effective initial access techniques against SMBs. Attackers use lists of valid corporate usernames (harvested from LinkedIn, HaveIBeenPwned, or prior breaches) and try a small number of common passwords (season+year, company name variations, Welcome1!) across all accounts — staying below per-account lockout thresholds. Microsoft documented Midnight Blizzard (Cozy Bear) using this to gain initial access to Microsoft corporate accounts in 2024. Storm-1152 (bulk account creation / credential fraud group) services this on behalf of other threat actors. NCSC UK has repeatedly warned about Iranian and Russian threat actors using password spraying against UK SMBs in critical sectors. The attack targets legacy authentication protocols (IMAP, SMTP, MAPI) and BasicAuth endpoints that bypass MFA — even if the organisation has MFA deployed for interactive sign-ins.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1110.003 (Brute Force: Password Spraying)
SPL Detection Query
index=azure sourcetype="azure:aad:signin"
    properties.status.error_code IN (50126, 50053, 50055, 50056, 50064)
| eval src_ip='properties.ip_address'
| eval user='properties.user_principal_name'
| bin _time span=30m
| stats count AS FailureCount,
        dc(user) AS UniqueUsers,
        values(user) AS TargetedUsers,
        values(properties.status.error_code) AS ErrorCodes,
        values(properties.app_display_name) AS Applications
    BY src_ip, _time
| where UniqueUsers >= 10 AND FailureCount >= 20
| eval Severity=case(FailureCount >= 50, "CRITICAL",
                     UniqueUsers >= 20, "HIGH",
                     true(), "MEDIUM")
| eval SprayType=if(FailureCount >= 50, "HighVolume", "LowSlow")
| eval ThreatActors="Midnight Blizzard, Storm-1152, Iranian APT"
| eval MitreTechnique="T1110.003"
| table _time, src_ip, UniqueUsers, FailureCount, TargetedUsers,
        ErrorCodes, Applications, Severity, SprayType, MitreTechnique
| sort - FailureCount
SPL password spray detection for M365. Aggregates authentication failures by source IP in 30-minute windows and alerts when 10+ unique accounts are targeted from a single IP with 20+ total failures. A single case() evaluation assigns severity and distinguishes high-volume spray (50+ failures in one window) from low-and-slow spray campaigns; evaluating severity once per row avoids the duplicate rows that an appendpipe escalation would emit for the high-volume sources. Dotted field names are single-quoted inside eval, as Splunk requires; confirm the properties.* names against your add-on's field extractions before deploying. The error codes cover invalid credentials (50126, 50056, 50064), locked accounts (50053) and expired passwords (50055), so a spray that trips lockouts is still counted.
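The same aggregation and severity logic, re-implemented in Python as an added example (not code from the original page) so the thresholds can be unit-tested against constructed sign-in records before the SPL is deployed; the min_users and min_failures parameters are the knobs the tuning section below refers to, and the field names are assumed.

```python
# Added example: Python equivalent of the SPL aggregation above, run over
# constructed Entra ID sign-in records. Not part of the original page.
from collections import defaultdict
from datetime import datetime

FAILURE_CODES = {50126, 50053, 50055, 50056, 50064}  # same codes as the SPL query
WINDOW = 30 * 60  # seconds; matches `bin _time span=30m`

def bucket(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its 30-minute window."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % WINDOW

def detect_spray(events, min_users=10, min_failures=20):
    """Group failures by (src_ip, window), apply thresholds, assign severity."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "apps": set()})
    for e in events:
        if e["error_code"] not in FAILURE_CODES:
            continue  # successful sign-ins and unrelated errors are ignored
        g = groups[(e["ip"], bucket(e["time"]))]
        g["count"] += 1
        g["users"].add(e["user"])
        g["apps"].add(e["app"])
    alerts = []
    for (ip, start), g in groups.items():
        if len(g["users"]) < min_users or g["count"] < min_failures:
            continue
        if g["count"] >= 50:
            sev, kind = "CRITICAL", "HighVolume"
        else:
            sev, kind = ("HIGH" if len(g["users"]) >= 20 else "MEDIUM"), "LowSlow"
        alerts.append({"src_ip": ip, "window_start": start,
                       "FailureCount": g["count"], "UniqueUsers": len(g["users"]),
                       "Applications": sorted(g["apps"]),
                       "Severity": sev, "SprayType": kind})
    return sorted(alerts, key=lambda a: -a["FailureCount"])  # like `sort - FailureCount`

def sample_events():
    """Constructed data: one source spraying 12 users twice each over legacy IMAP,
    plus a single mistyped password from another IP that must not alert."""
    events = []
    for i in range(12):
        for minute in (0, 5):  # two attempts per user, five minutes apart
            events.append({"time": f"2024-03-01T09:{minute:02d}:00Z",
                           "ip": "198.51.100.7", "user": f"user{i}@example.com",
                           "error_code": 50126, "app": "IMAP"})
    events.append({"time": "2024-03-01T09:10:00Z", "ip": "203.0.113.9",
                   "user": "alice@example.com", "error_code": 50126, "app": "Outlook"})
    return events
```

Raising min_users (for example to the UniqueUsers value a known NAT egress normally produces) is the programmatic form of the tuning advice below.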
Data Sources
Required Sourcetypes
- azure:aad:signin (Entra ID sign-in logs, searched under index=azure in the query above)
False Positives & Tuning
- Large NAT environments where many users share an outbound IP — tune UniqueUsers threshold upward
- Multi-tenant application service accounts authenticating multiple tenants from same IP
- Emergency bulk password reset processes following a breach notification
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: M365 Password Spray via AADInternals (Low-Slow)
Expected signal: Azure AD sign-in logs record an authentication failure (error code 50126) for each user/password combination tested, with many distinct users from a single source IP inside one 30-minute window.
References
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- https://www.ncsc.gov.uk/guidance/spray-attacks
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://attack.mitre.org/techniques/T1110/003/
- https://github.com/dafthack/MSOLSpray