Password Spraying Attack Detection

What This Means

Detect password spraying attacks across your authentication infrastructure. Learn the patterns that distinguish spraying from brute force and how to protect against this stealthy attack technique.

Example Log

-- Windows Event 4625 pattern showing password spraying:
Event 4625: Account Name: jsmith    Source IP: 203.0.113.50   Time: 14:22:01
Event 4625: Account Name: mwilson   Source IP: 203.0.113.50   Time: 14:22:03
Event 4625: Account Name: klee      Source IP: 203.0.113.50   Time: 14:22:05
Event 4625: Account Name: dgarcia   Source IP: 203.0.113.50   Time: 14:22:07
Event 4625: Account Name: tchen     Source IP: 203.0.113.50   Time: 14:22:09
-- Note: Only 1 attempt per account (avoids lockout threshold)

Indicators of Suspicious Activity

How to Investigate

  1. Aggregate failed logons by source IP across all accounts over a sliding time window
  2. Look for single-failure-per-account patterns (the hallmark of password spraying)
  3. Check if any targeted accounts subsequently had a successful logon from the same source
  4. Review the targeted account list for patterns (alphabetical, same OU, specific roles)
  5. Correlate across authentication protocols — attackers may spray NTLM, Kerberos, and web apps
  6. Check Azure AD sign-in logs if hybrid identity is in use
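
Steps 1 to 3 above as a runnable sketch. This is an added example, not code from the original page. It assumes the simplified line layout of the Example Log, same-day timestamps, Event 4624 lines for successful logons, and illustrative thresholds (10-minute window, 5 accounts, at most 2 failures per account). The apatel and 4624 lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the page's five 4625 lines plus made-up apatel and 4624 lines.
SAMPLE = """\
Event 4625: Account Name: jsmith    Source IP: 203.0.113.50   Time: 14:22:01
Event 4625: Account Name: mwilson   Source IP: 203.0.113.50   Time: 14:22:03
Event 4625: Account Name: klee      Source IP: 203.0.113.50   Time: 14:22:05
Event 4625: Account Name: dgarcia   Source IP: 203.0.113.50   Time: 14:22:07
Event 4625: Account Name: tchen     Source IP: 203.0.113.50   Time: 14:22:09
Event 4625: Account Name: apatel    Source IP: 198.51.100.7   Time: 14:23:10
Event 4625: Account Name: apatel    Source IP: 198.51.100.7   Time: 14:23:20
Event 4624: Account Name: apatel    Source IP: 198.51.100.7   Time: 14:23:31
Event 4624: Account Name: klee      Source IP: 203.0.113.50   Time: 14:31:40
"""
LINE = re.compile(r"Event (\d+): Account Name: (\S+)\s+Source IP: (\S+)\s+Time: (\S+)")

def parse(text):  # -> time-sorted (timestamp, event_id, account, source_ip) tuples
    return sorted((datetime.strptime(m[4], "%H:%M:%S"), int(m[1]), m[2].lower(), m[3])
                  for m in LINE.finditer(text))

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Thresholds are illustrative assumptions; tune them to your lockout policy."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, eid, user, ip in events:           # 4625 = failed, 4624 = successful logon
        if eid in (4625, 4624):
            (fails if eid == 4625 else wins)[ip].append((ts, user))
    findings = []
    for ip, rows in fails.items():
        best, start = {}, 0
        for end in range(len(rows)):           # step 1: sliding window per source IP
            while rows[end][0] - rows[start][0] > window:
                start += 1
            seen = defaultdict(list)
            for ts, user in rows[start:end + 1]:
                seen[user].append(ts)
            # step 2: count only accounts with very few failures inside the window
            low = {u: t for u, t in seen.items() if len(t) <= max_per_account}
            if len(low) > len(best):
                best = low
        if len(best) >= min_accounts:
            # step 3: success from the same source after that account's first failure
            hits = sorted({u for ts, u in wins[ip] if u in best and ts > best[u][0]})
            findings.append({"ip": ip, "accounts": sorted(best), "succeeded_after": hits})
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE)))
```

On the sample, 203.0.113.50 is flagged with klee listed under succeeded_after, while apatel's two mistyped attempts from 198.51.100.7 are not.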

Recommended Mitigations

Frequently Asked Questions

How is password spraying different from brute force?
Brute force tries many passwords against one account. Password spraying tries one or two passwords against many accounts. Spraying avoids lockout thresholds by staying under the attempt limit per account.

Why is password spraying hard to detect?
Each individual account sees only 1-2 failures, which looks like a normal typo. The attack is only visible when you aggregate failures across all accounts by source IP or by time window.

What passwords do attackers spray?
Attackers use commonly chosen passwords like Season+Year (Summer2026!), company name variations, Password1!, Welcome1, and other patterns from leaked password databases.