title: Password Spraying (T1110.003)
id: df00tech-t1110-003
status: experimental
description: "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. This technique is deliberately throttled to avoid triggering per-account lockout thresholds — the defining characteristic that distinguishes spraying from brute force (T1110.001). Adversaries including APT28, APT29, HAFNIUM, Storm-0940, Chimera, and APT33 have used this technique at scale against OWA, Microsoft 365, VPN portals, SSH, RDP, SMB, and LDAP. Slow-spray variants (approximately 4 attempts per account per hour) are specifically designed to evade detection thresholds, and Kerberos-based spraying is used to avoid generating the high-visibility Event ID 4625 typically alerted on."
references:
  - https://attack.mitre.org/techniques/T1110/003/
  - https://df00tech.com/detections/T1110.003
author: df00tech
date: 2026/04/17
tags:
  - attack.t1110.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches every event and must be replaced with that logic
  # before the rule is enabled. The false positives further down reference Windows 4625 events,
  # so the logsource may also need to cover Windows Security logs rather than only azure.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Misconfigured service accounts using stale credentials that authenticate against multiple systems simultaneously during a configuration failure event
  - Authorized penetration testing or red team exercises targeting multiple accounts with common passwords from a designated test IP
  - ADFS or federated identity proxy services whose single IP proxies authentication for all federated users — these IPs will appear as the source for all federation failures
  - Vulnerability scanners (Tenable, Qualys, Rapid7) performing authenticated scans with cycling credentials across multiple hosts
  - Password synchronization failures during Active Directory migrations or forest trust establishment generating bulk 4625 events from the migration service account IP
level: high
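The spray signature the description gives (many distinct accounts, few attempts each, from one source, kept under the per-account lockout threshold) expressed as a small detector over 4625-style records, as an added example that is not part of this rule or the df00tech query. The event tuples, thresholds and the `_t`/`classify_sources` names are constructed assumptions; the function also separates the brute-force case (T1110.001) from spraying.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _t(minute):
    """Constructed timestamp helper for the sample below."""
    return f"2026-04-17T09:{minute:02d}:00"


# Constructed sample shaped like Windows Security 4625 fields
# (TimeCreated, IpAddress, TargetUserName); not real log data. Kerberos
# pre-auth failures (4771) can be fed in the same shape.
SAMPLE_4625 = (
    [(_t(i), "203.0.113.7", f"user{i:02d}") for i in range(12)]      # 12 accounts, 1 attempt each
    + [(_t(1), "198.51.100.9", "svc_backup")] * 30                     # 1 account, 30 attempts
    + [(_t(5), "192.0.2.44", "alice"), (_t(6), "192.0.2.44", "bob")]   # ordinary typo noise
)


def classify_sources(events, window=timedelta(hours=1), min_accounts=10, lockout=5):
    """Return {source_ip: 'spray' | 'brute_force' | None}.

    spray:       >= min_accounts distinct accounts fail from one source inside
                 `window` while no single account exceeds `lockout` attempts.
    brute_force: a single account exceeds `lockout` attempts from one source
                 inside `window` (T1110.001 rather than T1110.003).
    Keying on account breadth per source, not attempts per account, is what
    still fires on a slow spray that stays under the per-account threshold.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        spray = brute = False
        start = 0
        for end in range(len(rows)):
            # advance `start` until rows[start:end+1] fits inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in rows[start:end + 1])
            brute |= max(per_account.values()) > lockout
            spray |= len(per_account) >= min_accounts
        verdicts[ip] = "brute_force" if brute else "spray" if spray else None
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_4625).items():
        print(f"{ip:15} {verdict}")
```

Tune `min_accounts` and `lockout` to the domain's lockout policy; the ADFS and scanner cases in the false-positives list will need their source IPs allow-listed before the verdicts are alerted on.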
