Password Spraying M365
Last updated
M365 password spraying attacks typically run at around 10 failed login attempts per minute.
Legacy authentication is disabled by default (companies still enable it based on business needs).
The spraying tool sends a POST request to http://login.microsoftonline.com/common/oauth2/v2.0/token containing the username and password.
The response to that POST request leaks whether the user exists, whether the password is correct, whether MFA is enabled, and whether conditional access policies are applied.
Successful logons from MSOLSpray show up as interactive sign-ins, but that does not necessarily mean the attacker actually logged into the account, especially if MFA is enabled.
Detection indicator: failed logon attempts for multiple different accounts occurring within seconds of each other.
The resource ID 00000002-0000-0000-c000-000000000000 is Active Directory PowerShell in Azure and is used by ADrecon, AADInternals, MSOLSpray, and many more.
A successful logon for an MFA-enabled account requires two successful logon events:
1. Correct password.
2. MFA completed in Azure.
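The two detection points above (many accounts failing within seconds from one source, and a password-only success that is never followed by an MFA-completed event) can be checked directly against sign-in records. The script below is an added example, not part of the original notes; the sample records are constructed, and the field names (userPrincipalName, ipAddress, createdDateTime, status, resourceId, mfa) are an assumed, simplified shape rather than the exact Azure AD sign-in log schema.

```python
"""Flag password-spray patterns and password-only successes in sign-in records.

Added example. The record layout is an assumption (a simplified version of an
Azure AD sign-in export), and SAMPLE_LOG below is constructed, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resource ID named in the notes: Azure Active Directory PowerShell, used by
# ADRecon, AADInternals, MSOLSpray and similar tooling.
AAD_PS_RESOURCE = "00000002-0000-0000-c000-000000000000"

# Constructed sample records, one JSON object per line (assumed field names).
# status is "success" or "failure"; mfa is true only when the event completed MFA.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T10:00:00Z", "status": "failure", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T10:00:03Z", "status": "failure", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T10:00:07Z", "status": "failure", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T10:00:12Z", "status": "failure", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2024-01-01T10:00:40Z", "status": "success", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.5", "createdDateTime": "2024-01-01T10:05:00Z", "status": "failure", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "createdDateTime": "2024-01-01T10:10:00Z", "status": "success", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": false}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "createdDateTime": "2024-01-01T10:10:05Z", "status": "success", "resourceId": "00000002-0000-0000-c000-000000000000", "mfa": true}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records and attach a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_spray(events, window_seconds=60, min_users=3):
    """Return {ip: {"users": [...], "resources": [...]}} for source IPs whose
    failed logons cover at least min_users distinct accounts inside any
    window_seconds window. This is the "failures for multiple accounts within
    seconds" indicator from the notes."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            failures_by_ip[e["ipAddress"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["time"])
        best_users, best_resources = set(), set()
        # Slide a window starting at each failure and keep the widest user set.
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            users = {e["userPrincipalName"] for e in in_window}
            if len(users) > len(best_users):
                best_users = users
                best_resources = {e["resourceId"] for e in in_window}
        if len(best_users) >= min_users:
            alerts[ip] = {"users": sorted(best_users), "resources": sorted(best_resources)}
    return alerts


def password_only_successes(events, grace_minutes=10):
    """Return (user, ip, iso_time) for successful password logons that are not
    followed by an MFA-completed success for the same user within grace_minutes.
    Per the notes an MFA-enabled account needs both events, so a lone password
    success after a spray suggests a guessed password that MFA stopped."""
    successes = [e for e in events if e["status"] == "success"]
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for e in successes:
        if e["mfa"]:
            continue
        completed = any(
            o["mfa"]
            and o["userPrincipalName"] == e["userPrincipalName"]
            and timedelta(0) <= o["time"] - e["time"] <= grace
            for o in successes
        )
        if not completed:
            flagged.append((e["userPrincipalName"], e["ipAddress"], e["time"].isoformat()))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, info in detect_spray(evts).items():
        tag = " (AAD PowerShell resource)" if AAD_PS_RESOURCE in info["resources"] else ""
        print(f"spray from {ip}{tag}: {', '.join(info['users'])}")
    for user, ip, when in password_only_successes(evts):
        print(f"password-only success, MFA never completed: {user} from {ip} at {when}")
```

With the constructed records, 203.0.113.10 is reported as a spray source (four accounts failing inside 12 seconds, all against the AAD PowerShell resource ID), carol's password-only success from that same IP is flagged, and alice's normal password-then-MFA pair from 198.51.100.7 is not. Tune window_seconds and min_users to the tenant's normal failure rate before using this against real exports.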
Enable MFA on all endpoints (this also makes sign-ins that did not complete MFA detectable).
Do not enable legacy authentication.
Enforce complex passwords and a strong password reset policy.
Set up conditional access policies and lock down logons to the locations where users actually live and work.
How to properly reset a compromised password: