title: Microsoft 365 Password Spray Attack Detection (THREAT-M365-PasswordSpray)
id: df00tech-threat-m365-passwordspray
status: experimental
description: "Password spraying against Microsoft 365 / Entra ID remains one of the most effective initial access techniques against SMBs. Attackers take a list of valid corporate usernames (harvested from LinkedIn, breach corpora such as those indexed by HaveIBeenPwned, or earlier compromises) and try a handful of common passwords (season plus year, variations on the company name, Welcome1!) against every account, keeping each account's attempt count below the lockout threshold so that per-account lockout and most brute-force alerts never fire. Microsoft disclosed in January 2024 that Midnight Blizzard (APT29 / Cozy Bear) used a password spray against a legacy, non-production test tenant account to gain its initial foothold in Microsoft's corporate environment. Storm-1152, a cybercrime-as-a-service group, sells fraudulent Microsoft accounts and CAPTCHA-bypass tooling to other threat actors, supplying the account side of this kind of credential abuse. NCSC UK has repeatedly warned about Iranian and Russian state actors spraying UK SMBs in critical sectors. The attack favours legacy authentication protocols (IMAP, POP3, SMTP AUTH, MAPI, Exchange ActiveSync) and other Basic Authentication endpoints because those flows do not prompt for MFA: an organisation that enforces MFA only for interactive sign-ins is still exposed wherever basic auth remains enabled. Exchange Online has disabled Basic Authentication tenant-wide for most of these protocols since late 2022, but SMTP AUTH is still opt-out and federated or hybrid endpoints (AD FS, on-premises Exchange) remain common targets, so the detection should surface the ClientAppUsed value alongside the source IP and the list of accounts whose password was accepted."
references:
  - https://attack.mitre.org/techniques/T1110/003/
  - https://df00tech.com/detections/THREAT-M365-PasswordSpray
author: df00tech
date: 2026/04/22
tags:
  - attack.credential_access
  - attack.t1110.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
  service: signinlogs
detection:
  # Sigma cannot express the per-source-IP distinct-user aggregation this detection needs;
  # this selection only isolates candidate sign-in events, and the windowed count/threshold
  # logic lives in the KQL/SPL query on df00tech.
  selection:
    ResultType:
      - 50126  # invalid username or password
      - 50053  # account locked
      - 50055  # password expired
      - 50057  # account disabled
      - 50076  # password accepted, MFA required
      - 53003  # password accepted, blocked by Conditional Access
  condition: selection
falsepositives:
  - Misconfigured applications or service accounts with stale credentials that fail authentication repeatedly (one account, many attempts: this is a brute-force shape rather than a spray, so keep a per-account attempt ceiling in the aggregation to exclude it)
  - Corporate password rotation events where many users' passwords expire at the same time and cached clients keep retrying the old credential (ResultType 50055 rather than 50126 dominates)
  - Shared egress addresses (corporate NAT, VPN concentrators, proxies) where many employees appear behind one IP; raise the distinct-user threshold for those addresses rather than suppressing them outright
  - Credential testing from a shared assessment IP during authorised penetration tests; confirm against the engagement's rules of engagement before closing the alert
level: high
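The windowed per-source-IP aggregation that the Sigma rule above leaves to the KQL/SPL query, as an added worked example that is not df00tech's own query: it reads Entra ID sign-in records (Microsoft Graph / Sentinel SigninLogs field names), groups candidate events by source IP, slides a time window over them and alerts when enough distinct accounts were each touched only a few times. It also reports the share of attempts over legacy protocols and the accounts whose password was accepted, and applies a higher threshold to known NAT addresses. The thresholds, the helper names and the sample records are assumptions constructed for the demo.

```python
"""Password-spray triage over Entra ID sign-in records (added example, not
df00tech's KQL/SPL). Field names follow the Graph / Sentinel SigninLogs schema;
thresholds are assumptions to tune per tenant."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in error codes (SigninLogs ResultType / status.errorCode).
FAILED_AUTH = {50126, 50053, 50055, 50057}   # bad password, locked, expired, disabled
CREDENTIAL_HIT = {0, 50074, 50076, 53003}    # success, MFA required, CA blocked: password accepted
# ClientAppUsed values for basic-auth (legacy) protocols as logged by Entra ID.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "MAPI Over HTTP",
                      "Exchange ActiveSync", "Exchange Web Services", "Other clients"}


def parse_signin(line):
    """Reduce one JSON sign-in record to the fields the detection needs."""
    rec = json.loads(line)
    return {
        "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        "ip": rec["ipAddress"],
        "user": rec["userPrincipalName"].lower(),
        "code": int(rec["status"]["errorCode"]),
        "client": rec.get("clientAppUsed", ""),
    }


def detect_spray(lines, window=timedelta(minutes=30), min_users=10,
                 max_per_user=3, nat_ips=(), nat_multiplier=5):
    """One alert per source IP that, inside any `window`, touched at least
    `min_users` distinct accounts with no more than `max_per_user` attempts each
    (the lockout-dodging shape). A single account hammered many times is brute
    force or a broken service account, not a spray, and does not count.
    IPs in `nat_ips` (shared egress) need `nat_multiplier` times more users."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_signin(line)
        if ev["code"] in FAILED_AUTH or ev["code"] in CREDENTIAL_HIT:
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        threshold = min_users * (nat_multiplier if ip in nat_ips else 1)
        best, start = None, 0
        for end in range(len(events)):
            # Advance `start` so events[start:end+1] all fall inside `window`.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            span = events[start:end + 1]
            per_user = defaultdict(int)
            for e in span:
                per_user[e["user"]] += 1
            sprayed = [u for u, n in per_user.items() if n <= max_per_user]
            if len(sprayed) < threshold:
                continue
            if best is None or len(sprayed) > best["distinct_users"]:
                legacy = sum(e["client"] in LEGACY_CLIENT_APPS for e in span)
                best = {
                    "ip": ip,
                    "window_start": span[0]["time"].isoformat(),
                    "distinct_users": len(sprayed),
                    "attempts": len(span),
                    "legacy_auth_share": round(legacy / len(span), 2),
                    # Accounts whose password was accepted: reset these first.
                    "credential_hits": sorted({e["user"] for e in span
                                               if e["code"] in CREDENTIAL_HIT}),
                }
        if best:
            best["severity"] = "critical" if best["credential_hits"] else "high"
            alerts.append(best)
    return alerts


def constructed_sample():
    """Constructed sign-in records for the demo (not real telemetry)."""
    base = datetime(2026, 4, 22, 3, 0, tzinfo=timezone.utc)
    lines = []

    def rec(minute, ip, user, code, client):
        lines.append(json.dumps({
            "createdDateTime": (base + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "ipAddress": ip, "userPrincipalName": user,
            "status": {"errorCode": code}, "clientAppUsed": client}))

    # Spray from a TEST-NET address: 12 accounts, one IMAP4 attempt each;
    # user11's password is right and legacy auth never asks for MFA (code 0).
    for i in range(12):
        rec(i, "203.0.113.42", f"user{i:02d}@example.com", 0 if i == 11 else 50126, "IMAP4")
    # Office NAT: a few staff mistype a password in the browser, then succeed.
    for i in range(4):
        rec(5 + i, "198.51.100.7", f"staff{i}@example.com", 50126, "Browser")
        rec(6 + i, "198.51.100.7", f"staff{i}@example.com", 0, "Browser")
    # Stale service-account credential: one user, many failures (not a spray).
    for i in range(20):
        rec(i, "192.0.2.9", "svc-backup@example.com", 50126, "Other clients")
    return lines


if __name__ == "__main__":
    for alert in detect_spray(constructed_sample()):
        print(json.dumps(alert, indent=2))
```

Run against the constructed sample, only the TEST-NET source fires: twelve distinct accounts in eleven minutes, every attempt over IMAP4, and one accepted password, which lifts the severity to critical. The office NAT stays under the distinct-user floor and the service account is dropped by the per-account ceiling. Passing an IP in `nat_ips` multiplies its threshold instead of suppressing it, so a spray launched from inside a shared egress is still catchable at a higher volume.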
