A password spraying attack tries one or a few common passwords across many accounts, usually slowly enough to avoid normal account-lockout rules. It is not the same as brute forcing one user. The attacker goes wide: email accounts, Microsoft 365 tenants, VPN logins, RDP, SSO portals, and old accounts that still accept weak passwords.
Password spraying in one minute
- Pattern: one password against many usernames, then another password after a delay.
- Victims notice: unexpected MFA prompts, account-lock emails, unfamiliar sign-in alerts, or an admin telling them their account showed failed logins.
- Admin signal: failed sign-ins spread across many users from the same IP range, proxy, hosting provider, country, or repeated user-agent pattern.
- Best defense: phishing-resistant MFA, banned-password protection, legacy-auth blocking, sign-in risk alerts, and removal of stale accounts.
Password spraying vs credential stuffing vs brute force
| Attack | How to tell it apart |
|---|---|
| Password spraying | Many usernames receive the same small set of common password guesses. The campaign may run slowly to stay below lockout thresholds. |
| Credential stuffing | The attacker reuses leaked username and password pairs from breaches. Successful logins often come from unusual locations or automation infrastructure. |
| Classic brute force | One account receives many password guesses quickly, often triggering lockout or rate-limit controls. |
This distinction matters because a sprayed tenant can look like background login noise until one weak or forgotten account succeeds. A broad guide to password attacks is useful for context, but this page should be treated as the focused password-spray checklist.
Common signs of a password spray attack
- Failed sign-ins across many valid users, not just one noisy account.
- Attempts against disabled, old, guest, service, shared mailbox, or test accounts.
- Login attempts from unfamiliar countries, data centers, residential proxies, VPN nodes, or Tor-like infrastructure.
- Regular timing between attempts, such as one wave per hour or per lockout window.
- Repeated guesses that match seasonal, company-themed, welcome, or default-password patterns.
- Successful sign-in followed by new inbox rules, forwarding, OAuth consent, MFA changes, password reset attempts, or access to sensitive files.
- Users reporting unexpected MFA prompts or “someone tried to sign in” messages when they were not logging in.
Where to check in Microsoft 365 and Entra
For Microsoft 365 and Microsoft Entra ID, look beyond one user’s failure count. Password spraying is a cross-account pattern, so aggregate views are more useful than a single account timeline.
| Place to look | What to check |
|---|---|
| Entra sign-in logs | Many users hit by similar failures, same IP ranges, same client app, same country, same user agent, or repeated timing. |
| Identity Protection risk | Password spray, unfamiliar sign-in properties, risky IP, or user-risk detections that appear after a successful credential validation. |
| Exchange and mailbox audit logs | New forwarding rules, suspicious inbox rules, OAuth app grants, delegated access, or unusual mailbox search/export activity. |
| Endpoint and browser signals | Downloaded files, browser extensions, session theft symptoms, or suspicious local activity after an account was accessed. |
What to do if your account was targeted
- Change the password from the official login page, not from an email link.
- Use a unique password that is not reused on any other site. A password manager makes this easier; see our guide to storing passwords securely.
- Turn on MFA. Prefer app-based, passkey, hardware-key, or number-matching options over SMS where possible.
- Review recovery email, phone, active sessions, connected devices, and recent security events.
- Sign out of all sessions after changing the password.
- Tell your IT/security team about unexpected MFA prompts, password reset emails, or account-lock alerts.
- If you also clicked a link, installed a file, or saw suspicious browser behavior, scan the device and remove malware before trusting the new password.
How administrators can stop password spraying
- Require MFA for email, SSO, VPN, admin, finance, cloud, and remote-access accounts.
- Block common passwords and company-specific weak patterns such as season, brand, city, year, and welcome-password variants.
- Disable legacy authentication and old protocols that do not support modern controls.
- Use conditional access, sign-in risk rules, impossible-travel checks, and IP reputation where available.
- Harden account lockout carefully. A lockout policy helps, but attackers often throttle spray attempts to avoid it.
- Remove or monitor stale accounts, former employee accounts, guest accounts, shared accounts, and old service identities.
- Alert on cross-account failure patterns: many users, same infrastructure, same client app, same timing, or a successful login after failed waves.
- After a confirmed success, revoke sessions and refresh tokens, reset credentials, review MFA methods, check mailbox rules, and inspect cloud app grants.
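The "block common passwords and company-specific weak patterns" item above is easier to reason about with a concrete check. The following is an added example, not code from the article and not Microsoft's banned-password algorithm: it normalizes a candidate password (lower-case, drop the trailing year or digits, undo common character substitutions) and then matches it against a small banned base-word list plus any tenant-specific words such as a brand or city. The base list, the substitution table and the one-edit fuzzy match are all assumptions chosen to illustrate the season/brand/city/year/welcome variants the checklist names.

```python
"""Flag passwords built from seasonal, company-themed or welcome-style base words.

Added example (not the article's code, not Entra's banned-password logic).
Assumptions: a generic banned base-word list, a leetspeak substitution table,
and a simple one-edit fuzzy match on the normalized value.
"""
import re

# Generic weak base words; company name and city are passed per tenant.
BANNED_BASES = {"spring", "summer", "autumn", "fall", "winter",
                "welcome", "password", "letmein", "changeme"}

# Common substitutions attackers (and users) rely on: P@ssw0rd, W1nter, $pring.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "!": "i", "0": "o", "$": "s", "5": "s",
                               "7": "t"})


def normalize(pw):
    """Lower-case, drop a trailing year/digits/punctuation, undo substitutions,
    and keep letters only, so Winter2026! and W1nter! both become winter."""
    s = pw.lower()
    s = re.sub(r"[\W_\d]+$", "", s)     # strip trailing 2026, 123, !, etc.
    s = s.translate(SUBSTITUTIONS)      # undo leetspeak
    return re.sub(r"[^a-z]", "", s)     # letters only


def one_edit_apart(a, b):
    """True if a and b are equal or differ by one substitution/insertion/deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substitution
    return a[i:] == b[i + 1:]           # one insertion in b


def weak_pattern(pw, extra_bases=()):
    """Return the banned base word the password is built on, or None.

    extra_bases is where a tenant adds its own brand, product and city names
    (constructed values in the usage below, e.g. "contoso", "seattle")."""
    norm = normalize(pw)
    bases = sorted(set(BANNED_BASES) | {b.lower() for b in extra_bases},
                   key=len, reverse=True)
    for base in bases:                  # substring match catches Summer2026, 2026Summer
        if base in norm:
            return base
    for base in bases:                  # fuzzy match catches Wellcome1, Sumer2026
        if one_edit_apart(norm, base):
            return base
    return None


if __name__ == "__main__":
    tenant_words = ("contoso", "seattle")   # constructed placeholders
    for candidate in ["Summer2026!", "P@ssw0rd123", "Wellcome1",
                      "Contoso2026", "correct-horse-battery-staple"]:
        print(f"{candidate:32} -> {weak_pattern(candidate, tenant_words)}")
```

A real banned-password service (Entra's, for example) scores partial matches and applies the list at password-set time; this check is a local approximation you can run over an export of proposed passwords or wire into a self-service reset form, with the tenant words kept alongside the generic list.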
About password spraying tools
Some searchers look for “password spraying tools” because they are testing their own defenses; others are looking for offensive automation. Do not run spray tools against accounts unless you have written authorization and a controlled test plan. For normal defense, you do not need an offensive tool first. Start with logs, weak-password cleanup, MFA coverage, legacy-auth exposure, and a small detection rule that catches the cross-account pattern.
When it is not password spraying
- One user gets hundreds of guesses in minutes: treat it as brute force or targeted guessing.
- Successful logins appear with exact leaked passwords: investigate credential stuffing and breach reuse.
- Only one user reports repeated MFA prompts after entering credentials on a fake page: investigate phishing and session theft.
- Sign-ins come from a known corporate VPN or SSO migration: verify before blocking, because false positives are possible during rollouts.
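The comparison table, the admin item "alert on cross-account failure patterns" and the "when it is not password spraying" list all come down to one aggregation: group failures by source, count distinct users and failures per user, and look for a success from the same source after the failed waves. The following is an added example, not code from the article or from Microsoft: it applies that triage to constructed sign-in records shaped loosely like a simplified Entra sign-in export. The record keys (time, user, ip, app, ua, result), the thresholds and the sample data are all assumptions.

```python
"""Triage sign-in failures per source IP to separate password spraying from
brute force and ordinary typos.

Added example (not the article's code, not Microsoft's detection). Assumes each
event is a dict with keys time, user, ip, app, ua and result; key names,
thresholds and the sample data are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 5       # distinct users failing from one source
SPRAY_MAX_PER_USER = 3    # a spray keeps per-user failures below lockout
BRUTE_MIN_FAILS = 20      # one account hammered from one source
WINDOW = timedelta(hours=24)


def make_sample_events():
    """Constructed sample events (not real log data); documentation IP ranges."""
    base = datetime(2026, 6, 8, 1, 0, 0)
    events = []
    # Spray: two hourly waves, one guess per user per wave, eight users, one IP.
    users = [f"user{i}@example.test" for i in range(1, 9)]
    for wave in range(2):
        for i, user in enumerate(users):
            events.append({"time": base + timedelta(hours=wave, seconds=7 * i),
                           "user": user, "ip": "203.0.113.10",
                           "app": "Exchange Online", "ua": "legacy-client/1.0",
                           "result": "failure"})
    # The spray eventually lands on a stale account with a weak password.
    events.append({"time": base + timedelta(hours=2), "user": "oldadmin@example.test",
                   "ip": "203.0.113.10", "app": "Exchange Online",
                   "ua": "legacy-client/1.0", "result": "success"})
    # Brute force: 25 failures against one user in four minutes from another IP.
    for i in range(25):
        events.append({"time": base + timedelta(seconds=10 * i),
                       "user": "ceo@example.test", "ip": "198.51.100.7",
                       "app": "Office 365", "ua": "curl/8.0", "result": "failure"})
    # Benign noise: one user mistypes twice, then signs in.
    for i, result in enumerate(["failure", "failure", "success"]):
        events.append({"time": base + timedelta(minutes=i), "user": "user1@example.test",
                       "ip": "192.0.2.44", "app": "Office 365", "ua": "Edge/125",
                       "result": result})
    return events


def triage(events):
    """Return {ip: finding}; finding["kind"] is password_spray, brute_force or none."""
    if not events:
        return {}
    cutoff = max(e["time"] for e in events) - WINDOW
    by_ip = defaultdict(list)
    for e in events:
        if e["time"] >= cutoff:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "failure"]
        per_user = Counter(e["user"] for e in fails)
        distinct_users = len(per_user)
        max_per_user = max(per_user.values(), default=0)

        # "Successful login after failed waves": a success from the same source
        # after its first failure is the follow-up-investigation trigger.
        later_successes = []
        if fails:
            first_fail = min(e["time"] for e in fails)
            later_successes = sorted(e["user"] for e in evs
                                     if e["result"] == "success" and e["time"] > first_fail)

        if distinct_users >= SPRAY_MIN_USERS and max_per_user <= SPRAY_MAX_PER_USER:
            kind = "password_spray"      # wide and shallow
        elif max_per_user >= BRUTE_MIN_FAILS:
            kind = "brute_force"         # narrow and deep
        else:
            kind = "none"                # typos, or too little to call

        findings[ip] = {
            "kind": kind,
            "distinct_users": distinct_users,
            "max_failures_per_user": max_per_user,
            "apps": sorted({e["app"] for e in fails}),
            "user_agents": sorted({e["ua"] for e in fails}),
            "success_after_failures": later_successes,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in triage(make_sample_events()).items():
        print(ip, finding["kind"], finding)
```

Keying on source IP is the simplest grouping; in practice you would also group by ASN, user agent or client app, since a spray that rotates residential proxies shows up as many IPs sharing one client fingerprint. The `none` bucket is deliberately wide so that a VPN cutover or SSO migration does not page anyone until a human has checked it.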
Related: Password Attacks, Strong Passwords in 2026, Is a Password Manager Safe?, Microsoft Account Locked
FAQ
Is password spraying the same as credential stuffing?
No. Password spraying tests a small set of common passwords across many accounts. Credential stuffing tests known leaked username/password pairs against new services.
Does MFA stop password spraying?
MFA greatly reduces account takeover risk, but it does not make the attack disappear. A successful password guess can still produce MFA fatigue, user-risk alerts, and post-login investigation work.
Why do attackers target old accounts?
Old accounts are often missed by MFA rollouts, use weak passwords, or retain access that nobody reviews. They are also less likely to be noticed by the real user.
What should I do after an unexpected MFA prompt?
Deny the prompt, change the password from the official site, review recent sign-ins, sign out of all sessions, and report it to your IT or security team.
References
- Microsoft Learn. “Alert classification for suspicious IP addresses related to password spray attacks.” Microsoft Defender XDR, accessed June 8, 2026. https://learn.microsoft.com/en-us/defender-xdr/alert-classification-suspicious-ip-password-spray
- Microsoft Learn. “What are risk detections?” Microsoft Entra ID Protection, accessed June 8, 2026. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
- MITRE ATT&CK. “Brute Force: Password Spraying, Sub-technique T1110.003.” MITRE, accessed June 8, 2026. https://attack.mitre.org/techniques/T1110/003/