title: VPN and Remote Access Credential Stuffing / Brute Force (THREAT-VPN-CredentialStuffing)
id: df00tech-threat-vpn-credentialstuffing
status: experimental
description: "Credential stuffing and brute force against VPN and remote access gateways is a persistent initial access vector for ransomware operators and nation-state actors. NCSC and CISA have repeatedly warned about Fortinet, Cisco ASA/FTD, Ivanti Connect Secure, Palo Alto GlobalProtect, and SonicWall VPN gateways being targeted. Attackers use credential databases from prior breaches and automated tools to test credentials at scale against VPN login portals. Unlike password spraying against M365, VPN credential stuffing often targets a single account at high frequency (bypassing account lockout through IP rotation) or uses a large pool of breached credential pairs. Volt Typhoon (China-nexus) specifically targets small business routers and VPN gateways to gain living-off-the-land access through SOHO devices. Compromised VPN access gives attackers direct network access, bypassing perimeter defences entirely."
references:
  - https://attack.mitre.org/techniques/THREAT-VPN-CredentialStuffing/
  - https://df00tech.com/detections/THREAT-VPN-CredentialStuffing
author: df00tech
date: 2026/04/22
tags:
  - attack.threat-vpn-credentialstuffing
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # Placeholder only: the wildcard selection below matches every event. The detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate users with incorrect VPN credentials due to recent password change (brief surge then success with new credentials)
  - Misconfigured VPN clients that retry with old credentials on every connection attempt
  - Automated backup or monitoring systems with outdated credentials attempting VPN authentication
  - "Multiple users behind a shared corporate NAT connecting to VPN simultaneously (same source IP, multiple users)"
level: high
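Worked detection logic for the two access patterns the description distinguishes (one account hammered from rotating source IPs, and one source testing a breached list across many accounts), with the shared-NAT and password-change false positives kept below threshold. This is an added example, not the df00tech rule's own KQL/SPL query; the log line format, field names and thresholds are assumptions to adapt to the gateway in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample format "<ISO time> user=<name> src=<ip> result=<ok|fail>" (an assumption;
# Fortinet, ASA/FTD, GlobalProtect and SonicWall syslog fields all differ, so adapt the regex).
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")

def build_sample_log():
    """Constructed events covering the patterns the rule description and false positives describe."""
    lines = [
        # alice: two failures then success from one IP (the post-password-change false positive)
        "2026-04-22T08:00:00 user=alice src=198.51.100.7 result=fail",
        "2026-04-22T08:00:10 user=alice src=198.51.100.7 result=fail",
        "2026-04-22T08:00:20 user=alice src=198.51.100.7 result=ok",
    ]
    # bob: 12 failures in two minutes, each from a different IP (lockout evasion via IP rotation)
    lines += [f"2026-04-22T08:01:{i * 10:02d} user=bob src=203.0.113.{i + 1} result=fail" for i in range(6)]
    lines += [f"2026-04-22T08:02:{i * 10:02d} user=bob src=203.0.113.{i + 7} result=fail" for i in range(6)]
    # one source testing a breached credential list: 10 different accounts, one failure each
    lines += [f"2026-04-22T08:03:{i * 5:02d} user=user{i} src=192.0.2.99 result=fail" for i in range(10)]
    return lines

def parse(lines):
    """Return (timestamp, user, src_ip, success) tuples in time order; unparseable lines are skipped."""
    matches = (LINE_RE.match(line) for line in lines)
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3], m[4] == "ok") for m in matches if m)

def detect(lines, window=timedelta(minutes=10), min_fail=10, min_ips=5, min_users=8):
    """Alert on (a) one account failing from many source IPs and (b) one source IP failing against
    many accounts, inside a sliding window. Only failures count, so a shared corporate NAT with many
    successful users, or a brief fail-then-succeed burst after a password change, stays below threshold."""
    user_fails = defaultdict(deque)  # user -> (ts, src_ip) of recent failures
    ip_fails = defaultdict(deque)    # src_ip -> (ts, user) of recent failures
    alerts = set()
    for ts, user, ip, ok in parse(lines):
        if ok:
            continue
        user_fails[user].append((ts, ip))
        ip_fails[ip].append((ts, user))
        for q in (user_fails[user], ip_fails[ip]):
            while ts - q[0][0] > window:  # age out entries older than the window
                q.popleft()
        if len(user_fails[user]) >= min_fail and len({s for _, s in user_fails[user]}) >= min_ips:
            alerts.add(("account_ip_rotation", user))
        if len({u for _, u in ip_fails[ip]}) >= min_users:
            alerts.add(("multi_account_stuffing", ip))
    return sorted(alerts)
```

Tune `min_fail`, `min_ips` and `min_users` against a baseline of the gateway's normal failure rate before enabling alerts.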
