Skip to main content
close search
site logo
Dive Brief

Attackers wield password-spray attacks to zero-in on targets, research finds

The highly effective brute-force attack method requires little effort, Trellix said. Organizations with weak password policies or no MFA are especially at risk.

Published Nov. 20, 2024
Matt Kapko's headshot
Senior Reporter
Hand grabbing password out of blurred code.
LuisPortugal/Getty Images Plus via Getty Images

Dive Brief:

  • Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
  • The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
  • Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.

Dive Insight:

Password-spray attacks aren’t just a low lift and effective brute-force attack method for threat groups, Trellix researchers said. This mode of attack is difficult to detect and attribute to threat groups because they’re often run continuously in the background at scale across broadly distributed botnets.

This low risk of detection and high return on investment gives attackers an advantage, especially when they target organizations with weak password policies or systems without multifactor authentication.

The Russia-linked threat group Midnight Blizzard gained a foothold in Microsoft’s senior executives email accounts last year after it compromised a legacy, non-production test tenant account through a password-spray attack.

Midnight Blizzard used that access to steal Microsoft executive emails and other documents. The password-spray attack began in late November and Microsoft didn’t discover the attack until Jan. 12.

Threat groups can target organizations with password-spray attacks after obtaining usernames or inferring username naming patterns and correlating that data against a list of employees, Trellix researchers said in the report.

With those account IDs, attackers can use multiple “proxy or VPN nodes to continuously try a large list of passwords against each account over a long period of time,” the report said.

MFA is routinely cited as a prevention measure against identity-based attacks. Yet, Trellix said it expects attackers to continue bypassing MFA with social engineering.

“We will likely see more automated, AI-driven/assisted methods making password-spray attacks more efficient, evasive and adaptive,” the report said.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell