How to protect your business against password spraying attacks 


In October 2021, the Microsoft Threat Intelligence Center (MSTIC) published a report noting that an Iranian-backed group of cyber criminals was “conducting extensive password spraying against more than 250 Office 365 tenants.” Cyber-security professionals will recognize the term “password spraying” as a particular type of automated brute-force attack in which software attempts to log into known user accounts using a short list of common, easy-to-guess passwords. While there is a relatively happy ending to the MSTIC report (less than 8% of the organizations targeted were actually compromised), the fact is that all organizations should be aware of password spraying attacks—and know the simple steps that can stop a password spraying attack in its tracks.

What is password spraying (and why is it so successful)?

Password spraying is an extremely common method used by criminals to gain unauthorized access to connected devices and data. There are two simple reasons why so many cyber criminals use password spraying: 

  1. Brute-force attacks are cheap and simple to execute – Any neophyte hacker can download a 100% no-cost software tool to conduct a password spraying attack. These tools are often preconfigured to carry out the password spray attack over a long period of time with an inhuman level of slow, methodical tenacity. Success with these tools does not require genius-level programming skills. And because the software can be hosted online for pennies per day, the risk-to-reward calculation is always in favor of the criminal. 
  2. Usernames and passwords are often easy to figure out – Even though risk prevention firm Digital Shadows estimates that 15 billion usernames are available for sale on the dark web, the fact is that almost every organization uses some form of “first name last name at company name dot com” as the username for its employee account logins. Criminals can often build a list of usernames to try in their password spray attacks for free. But the real problem is that there are still so many people who choose really terrible passwords to go with their usernames. Even after all the cyber-security adversity people experienced throughout 2020, NordPass cyber-security researchers found that the top password in the oft-targeted online retail industry was “password.” Weak passwords are the key factor in 81% of all hacking-related corporate data breaches in the Verizon 2020 Data Breach Report. 
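The slow, many-accounts/few-guesses pattern described above is also what makes a spray detectable in sign-in logs: one source accumulates failures across many different usernames while each individual account sees only one or two failures (often below a lockout threshold). The following is an added example, not code from the Amaxra article; it runs over constructed sample records, and the field layout, IP addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real sign-in logs): (timestamp, user, source_ip, result).
# 203.0.113.7 sprays one guess across six accounts; 198.51.100.9 hammers a
# single account (classic brute force); 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = [
    ("2021-10-11T09:00:01Z", "alice.smith@example.com", "203.0.113.7", "failure"),
    ("2021-10-11T09:00:09Z", "bob.jones@example.com", "203.0.113.7", "failure"),
    ("2021-10-11T09:00:17Z", "carol.lee@example.com", "203.0.113.7", "failure"),
    ("2021-10-11T09:00:25Z", "dan.kim@example.com", "203.0.113.7", "failure"),
    ("2021-10-11T09:00:33Z", "erin.ruiz@example.com", "203.0.113.7", "failure"),
    ("2021-10-11T09:00:41Z", "frank.wu@example.com", "203.0.113.7", "failure"),
] + [
    ("2021-10-11T09:%02d:00Z" % m, "alice.smith@example.com", "198.51.100.9", "failure")
    for m in range(1, 7)
] + [
    ("2021-10-11T09:05:00Z", "carol.lee@example.com", "192.0.2.5", "failure"),
    ("2021-10-11T09:05:20Z", "carol.lee@example.com", "192.0.2.5", "success"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(hours=1),
                          min_users=5, max_failures_per_user=2):
    """Return {source_ip: sorted list of usernames} for every source whose
    failures inside any `window` touch at least `min_users` distinct accounts
    while no single account fails more than `max_failures_per_user` times.
    A brute-force run against one account never matches; a slow spray does.
    Widen `window` to catch slower sprays (at the cost of more noise)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "failure":
            by_ip[ip].append((_ts(ts), user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
                flagged.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

Only the spraying source is reported; the single-account brute force and the one-off typo fall below the distinct-user threshold.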

Use these simple solutions to protect against password spraying

Amaxra cyber-security specialists use these three simple solutions to secure our small to midsized business customers’ information technology systems against password spray attacks: 

  1. Eliminate passwords for your Microsoft 365 users – Amaxra recommends that any organization using Microsoft Windows PCs and/or Microsoft Office applications configure all of its account logins for passwordless authentication. As the name implies, Microsoft’s passwordless authentication eliminates the password from your login and instead verifies the user’s identity with alternate methods such as hardware-based biometric readers, the encrypted Microsoft Authenticator app for both Android and iOS mobile devices, or SMS text messages. The minimum requirement to implement passwordless authentication is the cloud-based Azure Active Directory (AD) identity and access management solution—which is free with any Microsoft 365 Business SKU. If you don’t have Microsoft 365 Business but do use Azure AD for identity and access management, you can set up passwordless authentication for all users in the Manage > Security > Authentication methods menu in your Azure AD admin center. Amaxra consultants typically set up our customers to use either the Microsoft Authenticator or SMS verification methods, but have seen an uptick in users wanting biometric methods such as Windows Hello cameras and fingerprint readers in the past year. 
  2. Enable Multi-Factor Authentication (MFA) for all accounts – We’ve written about the virtues of enabling MFA in previous blog posts, and MFA is an excellent defense against password spray attacks. If you can’t set up passwordless authentication for whatever reason, then MFA is a great choice for protection. That’s because even if your users have obvious passwords, unauthorized access is prevented by the challenge-response nature of MFA. The typical criminal cannot fake user credentials when multiple authentication factors are in play. 
  3. Limit access to critical systems and data on your corporate network – Corporate IT leaders are often pessimists who believe that breaches are inevitable. At a strategic level, limiting user access to apps and data is considered crucial because the more people in an organization who have access to sensitive data or systems, the more opportunities a cyber criminal has to gain access to those systems. Amaxra recommends restricting “admin access” across the board so strongly that we made it number seven in our list of Essential Eight cyber-security strategies. 

Amaxra helps you to secure your business IT

Password spray attacks are just one of the many methods cyber criminals can use to breach your organization and steal valuable data. Now that you know the best ways to combat password spray attacks, you should also learn about other proven cyber-security defense options for your business. Download the Amaxra “Securing Your Business” PDF to learn more about our managed cyber-security solutions that seamlessly integrate with your existing IT to empower a secure hybrid workforce. 