Microsoft continues to update its tools and features to deliver customers the strongest security it can. As part of this, a new alert, ‘password spray attack originating from single ISP’, has been added to the Microsoft 365 Defender portal. Threat actors use various techniques to discover account passwords. One of them is the password spray attack, which tries to guess the correct passwords for many accounts using a limited set of commonly used passwords. In addition, attackers may create several virtual machines or containers on legitimate cloud services and launch password spray attacks from there, abusing those services. Boo! How threatening! With this new password spray detection alert, admins can defend against such attacks by monitoring several suspicious events happening in the organization. Let’s dive deeply into it.
Who is Most Vulnerable to Password Spray Attack?
- Organizations that have accounts with weak passwords are easy targets for threat actors.
- Organizations with weak authentication methods that do not follow proper security guidelines are also at risk of being attacked.
How to View Password Spray Attack Detection Alert in Microsoft 365?
Usually, attacks are detected by the security teams and IT admins who manage the system’s security. They spend a lot of time identifying emerging threats, as intruders keep coming up with advanced techniques to bypass security. This new password spray detection alert in Microsoft 365 Defender gives IT admins the upper hand in identifying password spray attacks that originate from a single internet service provider.
This alert is enabled by default. You can view it by navigating to Policies & Rules –> Alert Policy in the Defender portal.
Note: If the new alert is not available in your Defender portal, please wait until the end of April as this new alert is in rollout stage.
License Requirement: Microsoft 365 E5 P2 licensed users will be impacted by this new alert rollout.
How to Detect Password Spray Attacks in Microsoft 365?
Certain alerts and suspicious user activities can be indicators of a password spray attack and are worth investigating. After investigating, you can classify each one as a true positive (TP) or a false positive (FP) based on what you find. Let’s see the possible indicators below.
- Sign-in attempts from a suspicious location – Monitor sign-in attempts by impacted user accounts from unusual locations. Numerous sign-in attempts from one or more user accounts must be monitored carefully.
- Unusual sign-ins with uncommon properties – Examine strange properties like uncommon ISP, city, or country in impacted user sign-ins.
- Unusual spikes in email or file activities – Track sudden increases in email send or access activity. Also, observe spikes in file uploading to SharePoint or OneDrive for an impacted user.
- Numerous failed sign-in attempts – A large number of failed sign-in attempts from several IPs and geo-locations can be a key indicator.
- ISP identification from impacted user sign-ins – Look for sign-in events by other user accounts from the same ISP as the impacted user.
- Recent modifications in the organization – Changes to EXO permissions, email forwarding and redirection, automated data transfer configured with Power Automate, Azure portal subscription changes, impacted users accessing multiple sites, and access to files containing sensitive or confidential data.
- Impacted user activities on multiple platforms/apps within a short span – Keep an eye on impacted user audit events within a short period, such as mail read or mail sent followed by resource allocation to their account or other user accounts.
- MFA failed sign-in attempts – Check impacted user sign-ins for MFA authentication failures, which can be another indicator.
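The two indicators that the new alert is built around, many accounts each receiving a few failed sign-ins from one ISP, and later successful sign-ins from that same ISP, can be checked locally over exported sign-in data. The following Python script is an added example written for this post, not Microsoft’s detection logic or an Advanced hunting query; it runs over constructed sample sign-in lines (the ISP names, IPs and accounts are made up) and the thresholds (30-minute window, at least 5 distinct accounts, at most 2 attempts per account on average) are assumptions you would tune for your tenant.

```python
"""Password spray indicators over constructed sign-in events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log lines (not real telemetry). Columns:
# timestamp, account UPN, result, source IP, ISP, country.
SAMPLE_LOG = """\
2024-04-02T09:00:05Z,alice@contoso.example,Failure,203.0.113.10,ExampleCloud Hosting,US
2024-04-02T09:00:09Z,bob@contoso.example,Failure,203.0.113.10,ExampleCloud Hosting,US
2024-04-02T09:00:14Z,carol@contoso.example,Failure,203.0.113.11,ExampleCloud Hosting,US
2024-04-02T09:00:20Z,dave@contoso.example,Failure,203.0.113.11,ExampleCloud Hosting,US
2024-04-02T09:00:27Z,erin@contoso.example,Failure,203.0.113.12,ExampleCloud Hosting,US
2024-04-02T09:00:33Z,frank@contoso.example,Failure,203.0.113.12,ExampleCloud Hosting,US
2024-04-02T09:01:02Z,alice@contoso.example,Failure,203.0.113.13,ExampleCloud Hosting,US
2024-04-02T09:01:40Z,grace@contoso.example,Success,203.0.113.13,ExampleCloud Hosting,US
2024-04-02T09:05:00Z,carol@contoso.example,Failure,198.51.100.7,Contoso Fiber,US
2024-04-02T09:05:30Z,carol@contoso.example,Failure,198.51.100.7,Contoso Fiber,US
2024-04-02T09:06:00Z,carol@contoso.example,Failure,198.51.100.7,Contoso Fiber,US
2024-04-02T09:06:20Z,carol@contoso.example,Success,198.51.100.7,Contoso Fiber,US
2024-04-02T10:15:00Z,heidi@contoso.example,Success,203.0.113.20,ExampleCloud Hosting,US
"""


def parse_log(text):
    """Parse the CSV-style lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, ip, isp, country = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account,
            "success": result == "Success",
            "ip": ip,
            "isp": isp,
            "country": country,
        })
    return sorted(events, key=lambda e: e["time"])


def find_spray_sources(events, window=timedelta(minutes=30), min_accounts=5, max_avg_attempts=2.0):
    """Sliding window of failed sign-ins per ISP.

    A spray source touches many distinct accounts with only a few attempts
    each (breadth); a user who mistyped their password is one account with
    several attempts (depth), so it never reaches min_accounts.
    """
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["success"]:
            continue
        q = recent[e["isp"]]
        q.append(e)
        while e["time"] - q[0]["time"] > window:
            q.popleft()
        accounts = {x["account"] for x in q}
        if len(accounts) >= min_accounts and len(q) / len(accounts) <= max_avg_attempts:
            flagged[e["isp"]] = {
                "accounts": sorted(accounts),
                "attempts": len(q),
                "source_ips": sorted({x["ip"] for x in q}),
            }
    return flagged


def successes_from_spray_isps(events, spray):
    """Successful sign-ins from a flagged ISP.

    The first such account is the likely impacted one; later successes by
    other accounts from the same ISP are the ISP-overlap indicator.
    """
    hits = defaultdict(list)
    for e in events:
        if e["success"] and e["isp"] in spray:
            hits[e["isp"]].append((e["account"], e["time"].isoformat()))
    return dict(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    spray = find_spray_sources(evts)
    for isp, info in spray.items():
        print(f"spray source {isp}: {info['attempts']} failures across "
              f"{len(info['accounts'])} accounts from {info['source_ips']}")
    for isp, hits in successes_from_spray_isps(evts, spray).items():
        print(f"successful sign-ins from {isp}: {hits}")
```

On the sample data, ExampleCloud Hosting is flagged (7 failures spread over 6 accounts from 4 IPs) while Contoso Fiber is not, even though carol failed three times there, because a single account retrying is depth, not breadth. The successes from the flagged ISP (grace, then heidi an hour later) are the accounts to take into the investigation steps that follow.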
How Can You Identify Sequential Attacks on Impacted User Accounts?
Attackers follow a successful password spray attack with further malicious activity. As a result, admins need to monitor certain suspicious events to detect whether such follow-on attacks happened on impacted user accounts. MFA attacks and phishing attacks are often the next move after the initial compromise. By staying vigilant and taking the appropriate measures, admins can help prevent further security breaches.
- The MFA fatigue attack is currently the attackers’ trump card for bypassing the organization’s security controls. Thus, monitoring for numerous MFA requests to impacted user accounts is a must.
- Identifying suspicious admin activities is essential to catch MFA tampering in the organization.
- Detect suspicious email activities, including email forwarding configuration, inbox forwarding rule creation, and inbox manipulation rule creation, to identify any phishing emails sent from impacted user accounts.
- Look into any other Microsoft 365 alerts, such as impossible travel, compromised user account, unusual location, unusual email deletion, file deletion, etc., raised for the impacted user accounts before the password spray attack.
Note: For admins who enjoy working with queries, suspicious activities can be investigated using Advanced hunting queries in the Microsoft 365 Defender portal.
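The two follow-on indicators from the list above that are easiest to express as code are the MFA fatigue pattern (a burst of prompts to one user) and mailbox changes that forward, redirect or hide mail. The Python below is an added example for this post, not code from Microsoft or an Advanced hunting query. It runs over constructed audit records whose shape is modelled on unified audit log entries (Exchange cmdlet operations such as New-InboxRule and Set-Mailbox with a Parameters list of Name/Value pairs); the operation name MfaPromptSent is a placeholder of mine for an MFA push being issued, and the 5-prompts-in-10-minutes threshold is an assumption.

```python
"""Post-compromise indicators over constructed audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _rec(time, op, user, **params):
    """Build one constructed audit record in unified-audit-log-like shape."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample records (not real tenant data). "MfaPromptSent" is a
# placeholder operation name; map it to what your sign-in/audit source emits.
SAMPLE_RECORDS = [
    _rec("2024-04-02T09:30:00", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:30:40", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:31:20", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:32:05", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:32:50", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:33:30", "MfaPromptSent", "grace@contoso.example"),
    _rec("2024-04-02T09:41:00", "New-InboxRule", "grace@contoso.example",
         Name=".", ForwardTo="mailbox@external.example", DeleteMessage="True"),
    _rec("2024-04-02T10:02:00", "MfaPromptSent", "bob@contoso.example"),
    _rec("2024-04-02T10:05:00", "New-InboxRule", "carol@contoso.example",
         Name="Newsletters", MoveToFolder="Newsletters"),
    _rec("2024-04-02T10:20:00", "Set-Mailbox", "heidi@contoso.example",
         ForwardingSmtpAddress="smtp:archive@external.example"),
    _rec("2024-04-02T11:30:00", "MfaPromptSent", "bob@contoso.example"),
]

FORWARDING_RULE_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _param(record, name):
    """Value of a named cmdlet parameter, or None if absent."""
    for p in record.get("Parameters", []):
        if p["Name"] == name:
            return p["Value"]
    return None


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_mailbox_changes(records):
    """Inbox rules that forward or redirect mail or silently delete it, plus
    mailbox-level forwarding set with Set-Mailbox. Rules that only move mail
    to a folder are left alone."""
    findings = []
    for r in records:
        op = r["Operation"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [_param(r, p) for p in FORWARDING_RULE_PARAMS if _param(r, p)]
            deletes = str(_param(r, "DeleteMessage")).lower() == "true"
            if targets or deletes:
                findings.append({"user": r["UserId"], "kind": "inbox_rule", "operation": op,
                                 "rule": _param(r, "Name"), "forwards_to": targets,
                                 "deletes": deletes, "time": r["CreationTime"]})
        elif op == "Set-Mailbox":
            target = _param(r, "ForwardingSmtpAddress") or _param(r, "ForwardingAddress")
            if target:
                findings.append({"user": r["UserId"], "kind": "mailbox_forwarding",
                                 "operation": op, "forwards_to": [target],
                                 "time": r["CreationTime"]})
    return findings


def mfa_fatigue_candidates(records, window=timedelta(minutes=10), min_prompts=5):
    """Users who received at least min_prompts MFA prompts inside one window.
    Returns {user: largest prompt count seen in any window}."""
    prompts = defaultdict(list)
    for r in records:
        if r["Operation"] == "MfaPromptSent":
            prompts[r["UserId"]].append(_ts(r["CreationTime"]))
    flagged = {}
    for user, times in prompts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_prompts:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for f in suspicious_mailbox_changes(SAMPLE_RECORDS):
        print("mailbox change:", f)
    for user, n in mfa_fatigue_candidates(SAMPLE_RECORDS).items():
        print(f"possible MFA fatigue: {user} received {n} prompts within 10 minutes")
```

Note the single-character rule name (".") on grace’s rule: attackers often use names like that so the rule is easy to overlook in the Outlook UI, so the rule name is worth surfacing in the finding even though the detection keys on the forwarding and delete parameters. carol’s move-to-folder rule is deliberately left unflagged to keep the signal clean.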
What Are the Preferred Actions to Remediate Attacks?
If any alert in your organization turns out to be a true positive, follow the steps below.
- Reset the credentials of the impacted user account.
- Revoke the access tokens of the compromised user account.
- Configure the number matching technique in Microsoft Authenticator to avoid MFA fatigue attacks.
- Ensure only the minimum privilege needed is assigned to user accounts, in line with the principle of least privilege.
- Configure blocking of the sender’s IP address and domain to mitigate email-related attacks.
- Block malicious URLs or IPs during the investigation.
- Restrict sign-in of the impacted user using Conditional Access policy.
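Three of these steps, resetting the credential, revoking tokens and restricting sign-in with Conditional Access, can be scripted against Microsoft Graph so they are applied in a fixed order during an incident. The script below is an added example written for this post, not Microsoft’s tooling; it uses the Graph v1.0 endpoints `PATCH /users/{id}`, `POST /users/{id}/revokeSignInSessions` and `POST /identity/conditionalAccess/policies`. Assumptions: you already hold an access token for an app registration with sufficient permissions (User.ReadWrite.All and Policy.ReadWrite.ConditionalAccess are the ones I would grant), the user id is a placeholder, and the dry-run sender exists only so the example runs offline.

```python
"""Containment of an impacted account through Microsoft Graph (added example)."""
import json
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SYMBOLS = "!@#$%^&*"


def generate_temp_password(length=24):
    """Random one-time password containing all four character classes. The user
    is forced to change it at next sign-in, so it only has to survive handover."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def containment_plan(user_id, temp_password, policy_name="Incident: block impacted account"):
    """Graph requests, in the order of the remediation list: reset the
    credential, revoke refresh tokens, then block sign-in with a Conditional
    Access policy scoped to this one user only."""
    return [
        ("PATCH", f"{GRAPH}/users/{user_id}",
         {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                              "password": temp_password}}),
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
        ("POST", f"{GRAPH}/identity/conditionalAccess/policies",
         {"displayName": policy_name,
          "state": "enabled",
          "conditions": {
              "users": {"includeUsers": [user_id]},
              "applications": {"includeApplications": ["All"]},
              "clientAppTypes": ["all"],
          },
          "grantControls": {"operator": "OR", "builtInControls": ["block"]}}),
    ]


def graph_sender(access_token):
    """Return a send(method, url, body) callable that talks to Graph with a
    bearer token obtained elsewhere (assumed: an app registration with
    User.ReadWrite.All and Policy.ReadWrite.ConditionalAccess)."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            return resp.status
    return send


def contain_user(user_id, send):
    """Run the plan step by step and stop at the first non-2xx status, so a
    half-applied state is reported rather than silently skipped."""
    temp_password = generate_temp_password()
    steps = []
    for method, url, body in containment_plan(user_id, temp_password):
        status = send(method, url, body)
        steps.append((method, url, status))
        if status >= 300:
            break
    return {"steps": steps, "temp_password": temp_password}


def dry_run_sender(method, url, body):
    """Stand-in for graph_sender: prints the request (password redacted)."""
    shown = body
    if body and "passwordProfile" in body:
        shown = {**body, "passwordProfile": {**body["passwordProfile"], "password": "<redacted>"}}
    print(method, url, json.dumps(shown) if shown else "")
    return 200


if __name__ == "__main__":
    # Placeholder object id; replace with the impacted user's Azure AD object id.
    contain_user("00000000-0000-0000-0000-000000000000", dry_run_sender)
```

The Conditional Access policy includes only the impacted user, so it cannot lock out break-glass or admin accounts; remember to remove it once the investigation is closed and the user has been re-onboarded. Swap `dry_run_sender` for `graph_sender(token)` to apply the steps for real.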
Microsoft 365 Auditing and Alerting: Where It Falls Short?
Though Microsoft keeps introducing new ways to mitigate emerging attacks, admins still need to do a lot more to investigate and defend against them. Microsoft has yet to deliver the features below, which admins have hoped for. Despite this, there are still many effective measures admins can take to enhance the security of their organization.
- Among the massive audit data, spotting specific activity is always challenging for admins, especially during investigations.
- Filtering capabilities are not available in the audit log results, so admins can’t get the results they want easily.
- Audit retention of more than 90 days requires you to spend more money on additional license purchases.
- Every organization needs different security configurations based on its size and requirements, but Microsoft 365 alerting offers only a fixed set of actions for custom alert policy creation.
- Categorizing alerts is key for admins to manage and respond to them promptly. Microsoft native alerting provides only a few category labels, and admins can’t create new ones, which is a real problem.
I wish Microsoft would address these downsides and soon enhance the features to fulfill the admin’s requirements to secure their organization.
Hope this blog helps you gain info about the newly added alert and the other workarounds needed for investigation. Drop your queries in the comment section. Enjoy the new addition!