Password Spraying

Learn how password spraying attacks bypass weak passwords & MFA. See real-world examples, detection tips & defenses.

What is password spraying?

Password spraying is a low-and-slow brute force attack where an attacker tries a small set of common passwords across many accounts to avoid account lockouts.

Why it matters in 2025: Identity attacks remain dominant across incidents, and spraying continues to succeed because many organizations still permit weak or reused passwords and do not enforce multi-factor authentication. Microsoft’s 2024 Digital Defense Report notes that identity attacks are overwhelmingly password based. Verizon’s 2025 DBIR again highlights stolen credentials as a leading factor in breaches.

How does a password spraying attack work?

An attacker picks a few likely choices such as a seasonal or company-themed common password, tries it once per user across a large username list, then rotates to the next guess after a delay to stay under failed login attempts thresholds.

Step-by-step flow, at a glance

  1. Research for usernames like email formats, employee directories, or OSINT lists. 
  2. Build a very short wordlist of “policy-compliant” weak strings such as Winter2025! or Password1. 
  3. Spray one password to many targets, wait, then try the next. 
  4. Log successful hits and pivot to higher-value assets. 
  5. Blend activity across IPs, geographies, or proxies to evade rate limits and detection tooling. This “horizontal” pattern contrasts with a traditional brute force attack that hammers one account repeatedly.

What is an example of a password spraying attack?

CISA has reported nation-state actors using techniques like password spraying, sometimes paired with MFA “push bombing,” to compromise accounts and modify MFA settings for persistence. 

Microsoft’s Detection and Response Team has similarly warned about sprays targeting cloud administrators. They note that actors prioritize roles like Global Administrator and Cloud App Administrator because those accounts can reset passwords, register OAuth apps, alter conditional access, and bypass logging controls. 

How is password spraying different from a brute force attack?

Traditional brute force focuses on one account with many guesses, while spraying focuses on many accounts with a few guesses to sidestep account lockouts and failed login attempts alarms.

Related terms explained

  • Brute force attack: Rapid multi-guess attempts against one identity, often causing quick account lockouts.
  • Password spraying attack: One or a few guesses across many identities to avoid thresholds.
  • Credential stuffing: Using previously stolen username-password pairs from breaches to test reuse on other services.

Spraying does not require leaked credentials, which is why it is so prevalent wherever weak yet policy-compliant passwords exist.

What is the success rate and scale of password spraying today?

Microsoft reported that password spray attacks often succeed around one percent of the time per account, which is enough to regularly yield compromise at enterprise scale. 

Current stats to know

  • Identity is under pressure: Microsoft summarized that identity attacks are overwhelmingly password based.
  • Breach reality: Verizon’s 2025 DBIR analyzed 22,052 incidents and 12,195 confirmed breaches and continued to show stolen credentials as a top driver, especially in web application attacks.
  • Credential theft trendline: Third-party reporting in 2025 shows steep rises in credential compromise volumes across multiple ecosystems, underscoring why weak or common passwords remain a favored path.

How do you detect a password spraying attack?

Detection relies on correlating many low-frequency failed login attempts across many users, often from shared or rotating IP ranges, rather than single-user spikes.

Detection checklist

  • Watch for the same password tried once across lots of accounts in a short window.
  • Investigate failed logins coming from places or networks you don’t usually see.
  • Compare failures to your normal login patterns for time of day, device type, and app.
  • Alert on slow, spread-out failures that look small per user but add up across the company.
  • Add context like impossible travel, odd browser or app strings, and sudden spikes in locked or disabled accounts.

What can be the impact of a password spraying attack?

A successful password spraying attack can instantly give adversaries credentials that skirt perimeter controls, enabling email takeover, data exfiltration, internal reconnaissance, privilege escalation, and persistent unauthorized access.

Key statistics and breaches:

  • Poor password practices, including susceptibility to attacks like spraying, contributed to roughly 81% of corporate breaches in major surveys.
  • In the 2019 Citrix breach, attackers used password spraying to access the internal network, stealing business documents and sensitive data from network drives. The incident involved over 76,000 individuals’ personal information and led to multi-million dollar costs for legal support, forensic investigation, and extensive customer notification.
  • Another prominent example occurred in January 2024, when the Midnight Blizzard (APT29) group used password spraying against Microsoft’s infrastructure. Attackers compromised a non-production test tenant, escalated privileges through a legacy OAuth application, and maintained persistent access, highlighting both the initial impact and the risk of long-term exposure after a successful password spraying attack.

Investigations routinely uncover additional movement following initial foothold, such as:

  • Creation of mailbox forwarding rules to siphon communications.
  • Registration of new multi-factor authentication factors to entrench access.
  • Manipulation of OAuth or service principals for ongoing privilege.
  • High-value accounts, such as executives or cloud admins, are prime targets resulting in heightened financial and reputational risk.

How do you protect against a password spraying attack?

Combine strong passwords or passphrases with phishing-resistant MFA, disable legacy protocols that cannot enforce modern checks, enforce conditional access, and monitor for organization-wide failed login patterns.

Defense essentials

  • Strong passwords and passphrases: Follow NIST SP 800-63B guidance on “memorized secrets,” allow long passphrases, and screen against breached or common strings. This reduces the chance that a common password appears in your environment.
  • Multi-factor authentication: MFA dramatically reduces account compromise and is a required control for internet-facing access. Prefer phishing-resistant methods where feasible.
  • Account lockouts: Tune thresholds and durations, alert on spikes in lockouts, and investigate lockout storms that could mask a spray.
  • Rate limiting and geo controls: Apply IP reputation, throttling, and conditional access policies tied to device trust and geography. Pair with reCAPTCHA and bot filtering at application edges where possible.
  • User education: Teach users to avoid predictable patterns like SeasonYear!, pet names, or company slogans that meet complexity rules yet fail in practice.

What preventive controls should be prioritized first?

Start by eliminating weak passwords, enforcing MFA, and instrumenting your IdP and SIEM to detect low-frequency, wide-scope failed login attempts that signal a spray.

Quick reference checklist

  • Screen for banned lists and breached strings to reduce use of any common password inside your org.
  • Enforce phishing-resistant MFA where practical for admins and exposed roles first.
  • Disable basic protocols and legacy authentication endpoints.
  • Tune account lockouts and alert on correlated failed login attempts at tenant scope.
  • Deploy rate limiting and conditional access tied to device trust and location.

How Frontegg Stops Password Spraying

Frontegg helps cut off password spraying at the front door by pairing strong password policy with built-in defenses like breached-password screening, phishing-resistant MFA, adaptive rate limiting, and configurable lockout rules. You can block legacy protocols, enforce step-up authentication for risky sign-ins, and surface clear audit trails. 

Admin protections matter too. Frontegg supports granular roles, just-in-time elevation, and alerts on privileged logins so a single guessed password does not turn into tenant-wide access.

Just as important, Frontegg reduces developer toil. Teams can ship secure authentication without reinventing detection logic or custom controls, and product managers can own policy changes from the dashboard. That combination supports distributed ownership and customer autonomy while raising the bar against low-and-slow guessing attacks.