Cyber criminals utilize password-spray techniques to home in on specific victims, according to new research.

Trellix describes these brute-force approaches as highly efficient and requiring minimal effort. Organizations with lax password policies or without multi-factor authentication (MFA) face significant risk.

Cybercriminals Employ Password-Spray Techniques to Home in on Vulnerable Victims, According to Report

In a recent report, the Trellix Advanced Research Center observed an increase in password-spray attacks across multiple sectors in North America and Europe during the second and third quarters of the year. One notable instance was carried out by the Russia-linked threat group Midnight Blizzard, which gained access to the email accounts of Microsoft senior executives last year.

Password-spray attacks are a stealthy and scalable approach used by threat actors to compromise multiple accounts. Instead of targeting one account with many password guesses, attackers use the same password(s) across a broad list of usernames, limiting attempts to avoid account lockouts and distributing attempts over time and IP addresses to evade detection.

Attackers select a small list of predictable passwords, often including common patterns, seasonal passwords, company name variations, or default unchanged passwords. They then test these passwords against a large list of usernames, often obtained from public directories or past data breaches. Once successful credentials are found, attackers immediately escalate their access, changing passwords, elevating privileges, moving laterally inside networks, and establishing persistent backdoors.
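The pattern described above (a few guesses per account, spread across many usernames, source IPs and time) slips under a per-account failure threshold but stands out once failures are correlated across accounts. The following is an added example, not part of the Trellix report: the event tuples, thresholds and function names are assumptions, and the sample sign-in data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_events():
    """Constructed sample sign-in events: (time, source IP, username, outcome)."""
    t0 = datetime(2025, 1, 6, 9, 0)
    events = []
    for i in range(12):  # spray: 12 accounts, one guess each, rotating over 4 IPs
        events.append((t0 + timedelta(minutes=5 * i),
                       f"198.51.100.{i % 4 + 1}", f"user{i:02d}", "FAIL"))
    for i in range(3):   # noise: one user mistyping a password three times
        events.append((t0 + timedelta(minutes=i), "192.0.2.10", "alice", "FAIL"))
    events.append((t0 + timedelta(minutes=4), "192.0.2.10", "alice", "OK"))
    return sorted(events)

def per_account_alerts(events, max_failures=5):
    """Classic brute-force rule: many failures against one account."""
    fails = defaultdict(int)
    for _, _, user, outcome in events:
        if outcome == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)

def spray_alerts(events, window=timedelta(hours=1), min_accounts=10, max_per_account=2):
    """Flag a window in which many distinct accounts each fail only a few times."""
    fails = sorted((ts, ip, user) for ts, ip, user, outcome in events if outcome == "FAIL")
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        ips_by_user = defaultdict(list)
        for _, ip, user in fails[start:end + 1]:
            ips_by_user[user].append(ip)
        # Keep accounts that stay under the lockout threshold (assumed value).
        quiet = {u: ips for u, ips in ips_by_user.items() if len(ips) <= max_per_account}
        if len(quiet) >= min_accounts:
            return [{"start": fails[start][0], "end": fails[end][0],
                     "accounts": len(quiet),
                     "source_ips": len({ip for ips in quiet.values() for ip in ips})}]
    return []

if __name__ == "__main__":
    sample = make_events()
    print("per-account rule:", per_account_alerts(sample))  # misses the spray
    print("spray rule:", spray_alerts(sample))
```

The window length and account thresholds need tuning against a baseline of normal failed sign-ins for the directory being monitored.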

The education sector has been a notable recent target on cloud platforms: Microsoft reported in April 2025 that education sector accounts on Microsoft Azure were particularly targeted by password-spraying campaigns. Sectors that rely heavily on cloud services and large user directories, such as enterprises, government, healthcare, and education, are common targets because the attack scales easily and weak passwords are prevalent across many users.

The method is favored by a wide range of threat actors, including cybercriminals and nation-state hackers, due to its ease and effectiveness in circumventing traditional brute-force protections.

The Midnight Blizzard attack began in late November and Microsoft didn't discover the attack until Jan. 12. The attackers used the accessed email accounts to steal Microsoft executive emails and other documents.

Password-spray attacks are difficult to detect and attribute to threat groups because they're often run continuously in the background at scale across broadly distributed botnets. MFA (Multi-Factor Authentication) is often cited as a prevention measure against identity-based attacks, but Trellix expects attackers to continue bypassing MFA with social engineering.

The report predicts the use of more sophisticated methods in password-spray attacks, such as AI-driven or assisted techniques. This could make password-spray attacks more efficient, evasive, and adaptive, posing a significant threat despite the potential use of MFA and the risks of detection and attribution.

  1. Despite the adoption of Multi-Factor Authentication (MFA), the report by Trellix Advanced Research Center predicts that threat actors will continue to bypass MFA using social engineering, demonstrating the persisting threat of password-spray attacks in cybersecurity.
  2. Password-spray attacks are favored by a wide range of threat actors, including cybercriminals and nation-state hackers, due to their ease and effectiveness in circumventing traditional brute-force protections, highlighting the critical role of robust cybersecurity measures and technology in protecting against these stealthy attacks.
