DFIR

Password Spraying M365

Attack

GitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.GitHub

M365 password spraying attacks can have 10 failed login attempts per 1 minute.
Legacy authentication is disabled by default (Companies still enable it based on business needs).

MSOLSpray:

Sends POST request to http://login.microsoftonline.com/common/oauth2/v2.0/token with username and password
POST request leaks info about whether user exists, password is correct, MFA is enabled or conditional access policies are applied

Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020

Detect

Successful logons of MSOLSpray will show up in interactive, but not necessarily mean that they logged into the account. Especially if MFA is enabled.
Failed Logon attempts happening within seconds for multiple accounts.

The resource ID 00000002-0000-0000-c000-000000000000 is Active Directory PowerShell in Azure and is used by ADrecon, AADInternals, MSOLSpray, and many more.

Verify first-party Microsoft applications in sign-in reports - Active DirectoryMicrosoftLearn

Common Microsoft Resources in Azure Active DirectoryShawn Tabrizi

A successful logon for an MFA enabled account requires two successful logon events
- Correct Password.
- MFA Completed in Azure.

Mitigate

Enabled MFA on all endpoints (This will allow for detection of sign-ins without MFA too).
Do not enable legacy authentication.
Enforce complex passwords and strong password reset policy.
Set up conditional access policies and lockdown logons to where the user lives.

How to properly reset a compromised password:

Responding to a Compromised Email AccountMicrosoftLearn

PreviousUnauthenticated Recon NextPassword Spraying OWA

Last updated 7 months ago