Credential spraying (more often called password spraying) exploits a simple fact: in any large organization, plenty of people pick the same weak passwords.
Unlike a traditional brute-force attack, which throws many guesses at one account and quickly trips its lockout, spraying tries one common password against many accounts. Then it waits. Then it tries another. It's slow, patient, and often successful.
How Spraying Attacks Work
The attack is straightforward:
- Gather usernames -- From LinkedIn, company websites, email patterns, or previous breaches
- Pick a common credential -- "Summer2025!" or "CompanyName1" or "Welcome123"
- Try it on every account -- One attempt per account, staying below lockout thresholds
- Wait -- Enough time to avoid rate limiting
- Repeat -- With the next common credential
Typical lockout policies trigger after a small number of failed attempts on a single account (commonly 5 to 10) within an observation window. Spraying stays at one or two attempts per account per window, so no individual account ever looks suspicious.
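The lockout arithmetic above, as an added example that is not code from the original article: a mock identity provider with a per-account lockout policy, a patient sprayer that waits longer than the observation window between rounds, the same sprayer with no waiting, and a single-account brute force for comparison. The 200-user tenant, the 5-failures-in-30-minutes policy, the password list and the tenant name Contoso are all constructed for the demonstration, and time is simulated rather than slept.

```python
"""Why one password per account per window never trips a per-account lockout.

Added example, not code from the original article. The tenant (200 users),
the lockout policy (5 failures within a 30-minute window) and the password
list are all constructed for the demonstration; time is simulated, not slept.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5          # failures before lockout (assumed policy)
OBSERVATION_WINDOW = 30 * 60   # seconds over which failures are counted (assumed)


class MockIdentityProvider:
    """Authenticator with the usual per-account failure counter and lockout."""

    def __init__(self, users):
        self.users = users                 # {username: password}, constructed
        self.failures = defaultdict(list)  # username -> recent failure timestamps
        self.locked = set()

    def authenticate(self, username, password, now):
        if username in self.locked:
            return "locked"
        if self.users.get(username) == password:
            self.failures[username] = []   # success resets the counter
            return "success"
        # Only failures inside the observation window count toward lockout
        recent = [t for t in self.failures[username] if now - t < OBSERVATION_WINDOW]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
            return "locked"
        return "failure"


def spray(idp, usernames, passwords, round_interval):
    """One password against every account, wait round_interval seconds, repeat."""
    compromised = []
    now = 0
    for pw in passwords:
        for user in usernames:
            if idp.authenticate(user, pw, now) == "success":
                compromised.append((user, pw))
            now += 1                       # one attempt per second within a round
        now += round_interval
    return compromised


def brute_force(idp, username, passwords):
    """The traditional approach: every password against one account, no waiting."""
    for i, pw in enumerate(passwords):
        result = idp.authenticate(username, pw, now=i)
        if result in ("success", "locked"):
            return result, i + 1
    return "exhausted", len(passwords)


def build_demo_idp():
    # Constructed tenant: 200 users, three of whom chose a guessable password
    users = {f"user{i:03d}": f"uniq-{i}-x9" for i in range(200)}
    users["user017"] = "Summer2025!"
    users["user088"] = "Welcome123"
    users["user150"] = "Summer2025!"
    return MockIdentityProvider(users)


COMMON_PASSWORDS = ["Summer2025!", "Welcome123", "Password1",
                    "Contoso1", "Winter2024!", "Welcome1"]   # constructed list


def run_demo():
    usernames = sorted(build_demo_idp().users)
    # Patient spray: wait longer than the observation window between rounds
    patient = build_demo_idp()
    hits = spray(patient, usernames, COMMON_PASSWORDS,
                 round_interval=OBSERVATION_WINDOW + 60)
    # Impatient spray: same passwords, no waiting, so six failures land in one window
    hasty = build_demo_idp()
    spray(hasty, usernames, COMMON_PASSWORDS, round_interval=0)
    # Brute force against a single account with the same list
    bf = brute_force(build_demo_idp(), "user000", COMMON_PASSWORDS)
    return {
        "patient_hits": hits,                 # three accounts, zero lockouts
        "patient_locked": len(patient.locked),
        "hasty_locked": len(hasty.locked),    # almost the whole tenant locked
        "brute_force": bf,                    # locked on the fifth guess
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The patient run compromises three accounts and locks none, because each account only ever sees one failure per window. Drop the wait and the same six passwords lock out nearly everyone, which is loud but also why real sprayers pace themselves.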
Why This Works
With thousands of accounts, even a 1% success rate yields dozens of compromised credentials. And common choices like "Welcome1" or "[CompanyName]2024" are used more often than you'd think.
How Spraying Differs from Brute Force
| Traditional Brute Force | Spraying Attack |
|---|---|
| Many attempts → One account | One attempt → Many accounts |
| Triggers account lockouts | Avoids lockout thresholds |
| Fast and noisy | Slow and stealthy |
| Easy to detect | Hard to spot without correlation |
What You Should Be Able to See
Spraying is hard to detect if you only look at individual accounts. You need to see patterns across your entire organization:
- Failed login attempts across ALL accounts (not just per-account)
- Login attempts from the same IP hitting multiple accounts
- Unusual timing patterns (attempts every 30 minutes, for example)
- Authentication attempts using legacy protocols
If your monitoring only shows "Account X had 2 failed logins," you'll miss the attack. You need to see "200 accounts each had 1-2 failed logins from the same IP range."
How to Protect Against Spraying
1. Block Common Credentials
Don't just require "complexity" (P@ssw0rd! satisfies most complexity rules)--actively block commonly used choices:
- Welcome, Summer, Winter + year combinations
- Company name variations
- Credentials from known breach lists
Azure AD (now Microsoft Entra ID) Password Protection does this with a global banned-password list plus a custom list of your own terms, and it catches simple variations such as character substitutions; most other identity providers offer something similar.
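A banned-password screen of the kind this step calls for, as an added example. This is not code from the original article and not Microsoft's implementation; the normalize, strip-banned-tokens, then score approach is modelled loosely on how Azure AD Password Protection is documented to work, and the word lists, the breach-list stand-in, the substitution table and the minimum score of 5 are all assumptions for the demonstration.

```python
"""Banned-password screening: normalize, strip banned tokens, score what is left.

Added example, not code from the original article and not Microsoft's code.
Word lists, the breach-list stand-in, the substitution table and MIN_POINTS
are assumptions for the demonstration.
"""
import re

GLOBAL_BANNED = ["password", "welcome", "summer", "winter", "spring", "autumn",
                 "letmein", "qwerty", "admin"]               # assumed global list
COMPANY_TERMS = ["contoso", "cntso"]                         # assumed tenant terms
BREACHED = {"summer2025!", "welcome123", "password1"}        # stand-in for a breach-list lookup
MIN_POINTS = 5                                               # assumed acceptance score

# Common substitutions undone before matching (e.g. P@ssw0rd -> password)
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "$": "s", "@": "a", "!": "i", "|": "l"})
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def evaluate(password, company_terms=COMPANY_TERMS):
    """Return (accepted, points, matched_tokens) for a candidate password."""
    lowered = password.lower()
    if lowered in BREACHED:
        return False, 0, ["breach-list"]
    # Years are matched before character substitution so '2025' is not mangled
    remaining, years = YEAR_RE.subn(" ", lowered)
    tokens = ["<year>"] * years
    remaining = remaining.translate(SUBSTITUTIONS)
    banned = sorted(GLOBAL_BANNED + [t.lower() for t in company_terms],
                    key=len, reverse=True)
    for term in banned:
        while term in remaining:
            tokens.append(term)
            remaining = remaining.replace(term, " ", 1)
    # Each banned token scores one point; every character not covered by a
    # token scores one point. Short passwords built from banned words score low.
    points = len(tokens) + sum(1 for c in remaining if c != " ")
    return points >= MIN_POINTS, points, tokens


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Summer2026!", "Contoso2024",
                      "Welcome123", "purple-giraffe-voltage"]:
        print(candidate, evaluate(candidate))
```

P@ssw0rd! normalizes to "password" plus one leftover character and scores 2; Contoso2024 is a year token plus a company token and scores 2; a three-word passphrase with no banned tokens scores one point per character and sails through. Plug a real breach-list lookup (k-anonymity range query against a service, or a local hash set) in place of the BREACHED set.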
2. Enable MFA Everywhere
Even if attackers guess a password, MFA stops them from using it to sign in. It's your most effective single defense, with two caveats: a sprayed password is still a compromised credential and works anywhere MFA isn't enforced (legacy protocols, a VPN portal, a forgotten web app), and push-based MFA can be worn down by repeated prompts, so prefer number matching or phishing-resistant methods such as FIDO2 keys where you can.
3. Disable Legacy Authentication
Older protocols (POP3, IMAP, SMTP AUTH, and anything else that relies on basic authentication) don't support MFA, so a correctly guessed password is all an attacker needs. Block them unless a specific workload genuinely requires them, and scope any exception to that workload.
4. Monitor for Patterns
Set up alerts for:
- Multiple accounts with failed logins in a short window
- Failed logins from IPs outside your normal geography
- Spikes in authentication failures
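The cross-account correlation described under "What You Should Be Able to See" and the alerts listed just above, as one added example that is not code from the original article. It parses a small authentication log, shows the per-account view (where a real user's three typos look worse than the spray) and then the per-source view that flags one IP failing against a dozen accounts with barely more than one try each, over a legacy protocol, and succeeding on one of them. The log lines are constructed (RFC 5737 test addresses, invented usernames) in an assumed `<timestamp> auth result=... user=... src=... proto=...` format; real IdP logs use different field names but carry the same information.

```python
"""Cross-account correlation that surfaces a spray the per-account view misses.

Added example, not code from the original article. The log lines are
constructed (RFC 5737 test addresses, invented usernames) in an assumed
'<timestamp> auth result=... user=... src=... proto=...' format.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-auth"}   # assumed labels in this log format

# Constructed sample: 203.0.113.10 sprays twelve accounts over IMAP, one try each,
# comes back 31 minutes later with a second password, and gets into user11.
# 198.51.100.7 is a real user (alice) mistyping her password three times.
SAMPLE_LOG = """
2025-06-02T08:55:00Z auth result=FAILURE user=alice src=198.51.100.7 proto=oauth2
2025-06-02T08:55:20Z auth result=FAILURE user=alice src=198.51.100.7 proto=oauth2
2025-06-02T08:55:45Z auth result=FAILURE user=alice src=198.51.100.7 proto=oauth2
2025-06-02T08:56:10Z auth result=SUCCESS user=alice src=198.51.100.7 proto=oauth2
2025-06-02T09:00:00Z auth result=FAILURE user=user01 src=203.0.113.10 proto=imap
2025-06-02T09:00:03Z auth result=FAILURE user=user02 src=203.0.113.10 proto=imap
2025-06-02T09:00:06Z auth result=FAILURE user=user03 src=203.0.113.10 proto=imap
2025-06-02T09:00:09Z auth result=FAILURE user=user04 src=203.0.113.10 proto=imap
2025-06-02T09:00:12Z auth result=FAILURE user=user05 src=203.0.113.10 proto=imap
2025-06-02T09:00:15Z auth result=FAILURE user=user06 src=203.0.113.10 proto=imap
2025-06-02T09:00:18Z auth result=FAILURE user=user07 src=203.0.113.10 proto=imap
2025-06-02T09:00:21Z auth result=FAILURE user=user08 src=203.0.113.10 proto=imap
2025-06-02T09:00:24Z auth result=FAILURE user=user09 src=203.0.113.10 proto=imap
2025-06-02T09:00:27Z auth result=FAILURE user=user10 src=203.0.113.10 proto=imap
2025-06-02T09:00:30Z auth result=FAILURE user=user11 src=203.0.113.10 proto=imap
2025-06-02T09:00:33Z auth result=FAILURE user=user12 src=203.0.113.10 proto=imap
2025-06-02T09:02:00Z auth result=SUCCESS user=bob src=198.51.100.8 proto=oauth2
2025-06-02T09:31:00Z auth result=FAILURE user=user05 src=203.0.113.10 proto=imap
2025-06-02T09:31:03Z auth result=FAILURE user=user09 src=203.0.113.10 proto=imap
2025-06-02T09:31:06Z auth result=SUCCESS user=user11 src=203.0.113.10 proto=imap
"""


def parse_log(text):
    """Parse lines in the assumed format; anything that does not match is skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def failures_per_account(events):
    """The per-account view: what a plain lockout counter sees."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAILURE":
            counts[e["user"]] += 1
    return dict(counts)


def spray_candidates(events, min_accounts=10, max_mean_failures=2.0):
    """The cross-account view: sources failing against many distinct accounts
    with only one or two tries each. Thresholds are assumed starting points."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAILURE"]
        accounts = {e["user"] for e in fails}
        if len(accounts) < min_accounts:
            continue
        if len(fails) / len(accounts) > max_mean_failures:
            continue   # many tries per account is brute force, not spraying
        # A success from the spraying source on an account it failed against
        # earlier is a probable compromise and belongs at the top of the alert
        hits = sorted({e["user"] for e in evs
                       if e["result"] == "SUCCESS" and e["user"] in accounts})
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds() / 60
        findings.append({
            "src": src,
            "accounts": len(accounts),
            "failures": len(fails),
            "span_minutes": round(span, 1),
            "legacy_protocol": any(e["proto"] in LEGACY_PROTOCOLS for e in evs),
            "likely_compromised": hits,
        })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account failures:", failures_per_account(evs))
    for finding in spray_candidates(evs):
        print("SPRAY:", finding)
```

Per account, nothing exceeds alice's three typos. Per source, 203.0.113.10 shows 14 failures spread over 12 accounts, a 31-minute span with a second wave, IMAP, and a success on user11 that followed a failure: exactly the "200 accounts each had 1-2 failed logins from the same IP range" signal, at small scale. In production, run this over a sliding window and key on the source network rather than the exact IP, since sprayers rotate addresses.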
5. Implement Smart Lockout
Modern identity systems can detect spraying patterns and lock out the attacker without locking out legitimate users. Azure AD's Smart Lockout, for example, locks an account after a configurable number of failures (10 by default), counts attempts from unfamiliar locations separately from the user's familiar ones so the spraying source gets locked out while the real user at the office does not, and doesn't increment the counter for repeats of the same wrong password.
Questions to Ask Your IT Provider
- "Can I see failed login attempts aggregated across all accounts?"
- "Do we block commonly used credentials?"
- "Is legacy authentication disabled?"
- "Would we detect a spraying attack in progress?"
- "What percentage of accounts have MFA enabled?"
If they can only show per-account metrics, you're missing the patterns that reveal spraying attacks.
The Bottom Line
Spraying succeeds because it's patient and avoids the obvious red flags. Defending against it requires visibility across your entire organization--not just individual accounts.
The best defenses: MFA everywhere, blocked common credentials, disabled legacy auth, and monitoring that can spot patterns across accounts. If you can see the attack, you can stop it.