Passwords are one of the most significant weaknesses in companies’ cybersecurity defenses. In theory, passwords protect access to corporate systems and resources because they are a long, random string of characters known only to the authorized user.

In reality, most user passwords are weak and easily guessable. In fact, password is the most common password — used by millions of people — and many of the most common passwords can be cracked by an attacker in less than a second.

In a password spraying attack, attackers take advantage of these weak and reused passwords by “spraying” them at an authentication portal. For many corporate accounts, the username is an email address or some variant, making it easy to determine valid usernames on a system. By attempting to log into a corporate system using valid usernames and a list of common passwords, the attackers bet on identifying an account protected by a weak or reused password.


Password spraying attacks are a common technique because they work. In our penetration testing engagements, we rarely find that an attack targeting weak credentials fails to provide access to at least one legitimate employee account.

Password Spraying and Microsoft Services

As companies move to the cloud, they receive a certain level of protection against password spraying and similar attacks. For cloud-hosted services such as Office 365 and Microsoft Azure, Microsoft identifies and blocks attempted password spraying attacks. As a result, companies may believe that their Microsoft solutions are immune to the threat.

However, many businesses also have legacy Microsoft authentication portals, such as Skype for Business or Microsoft Exchange. Often, these portals are hosted on company-managed infrastructure rather than in the cloud.

These self-hosted authentication portals lack the same protection as their cloud-based counterparts. As a result, they are an ideal target for cybercriminals performing a credential stuffing attack.

Impacts of a Password Spraying Attack

A successful password spraying attack results in the attacker gaining access to a legitimate user account. This access can be used in a variety of different ways, including:

  • Data Breach: An organization’s employees commonly have access to a great deal of sensitive information about the company and its customers. An attacker with access to a user’s account can abuse these access to collect and exfiltrate this sensitive data to sell, hold for ransom, or use in follow-on attacks.
  • Malware Delivery: Compromised user accounts are one of the most common means by which ransomware operators plant their malware on target systems. With access to a legitimate user account, the attacker can identify a system with high-value data, download the malware, and execute it without the need to identify and exploit a remote code execution (RCE) vulnerability.
  • Phishing Attacks: Most corporate anti-phishing training focuses on teaching users to differentiate between emails that originate from a trusted sender and ones that do not. An attacker with access to a trusted email account can use it to send phishing emails that the recipient is more likely to trust.

These are only a few examples of how an attacker can take advantage of access to a compromised employee account. With a user’s password, an attacker can theoretically perform any action or access any system that the account’s owner can.

Mitigating the Password Spraying Threat

Password spraying is a common attack vector because it is easy to perform and works well. Some ways that companies can reduce their exposure to password spraying attacks include the following:

  • Enforce Strong Passwords: Password spraying and similar attacks take advantage of the fact that many accounts are protected by weak and reused passwords. Requiring the use of strong, unique passwords can help to reduce vulnerability to a password spraying attempt.
  • Deploy Multi-Factor Authentication: Password spraying is automated and relies on passwords being the only factor used for authentication. Implementing strong multi-factor authentication (MFA) makes it harder for an attacker to test candidate passwords for a user’s account.
  • Remove Unneeded Authentication Portals: While cloud-based services may be protected against credential spraying, the same may not be true of self-hosted, legacy portals. Disabling unneeded portals reduces an organization’s attack surface.
  • Secure Authentication Portals: Credential spraying attacks involve a large volume of anomalous login attempts. Identifying and blocking these and other types of suspicious traffic from reaching authentication portals makes them more difficult to attack.
  • Implement Least Privilege: An attacker who successfully carries out a password spraying attack has full access to the compromised account. Limiting access and permissions based on zero trust principles limits the damage that can be done by a compromised account.
  • Perform Regular Penetration Tests: Penetration testing provides deep visibility into an organization’s vulnerabilities. Penetration testing can help to identify vulnerable authentication portals and weak passwords that could be targeted in password spraying attacks.

Identifying and Managing Password Spraying Risks

Password spraying attacks commonly target APIs and authentication portals that make it easy to automate logins. These portals may also be less visible to an organization, making it easier for them to be overlooked and forgotten.

Pentration testing provides companies with a means to identify these vulnerabilities and assess their risk to the organization. Pen test engagements commonly include scans for unsecured authentication mechanisms and user accounts with weak passwords that can be easily guessed or cracked.

Sprocket Security offers continuous penetration testing that provides companies with visibility into their evolving cyber risk exposure. A combination of human and automated penetration testing can help expose password spraying risks and other threats to corporate cybersecurity. Learn more by requesting a free quote today.