Beware of Password Spraying

Aug 26, 2019


Password spraying is a technique in which attackers try to gain access to victims’ accounts by trying the passwords that users are most likely to use. In a single attempt, attackers can try to access multiple accounts by running them against a few commonly used passwords (e.g., password, 12345). Unlike brute-forcing, this approach has proven to be very successful because it enables attackers to stay hidden and avoid rapid account lockouts.

Password spraying attacks typically target single sign-on (SSO) and cloud-based applications, as this helps attackers mask their traffic while maximizing their probability of accessing user accounts. This technique enables them to steal the organization’s financial and confidential data, ultimately exposing the organization to malicious attacks such as phishing or Business Email Compromise scams.


Password spraying can be difficult to detect, but with the right resources and defense mechanisms in place, organizations can stay one step ahead of cybercriminals. Certain identified patterns associated with password spraying, usually referred to as indicators of compromise, can be operationalized for specific log monitoring:

  • Attackers are likely to try usernames that do not exist, so any login attempt made with a non-existent user should raise an alert.
  • Lockout events should be triggered when the lockout threshold is exceeded within any service.
  • Cybercriminals often use automated bots or scripts that target a specific URL of the service, which can also be a good signal for detecting such attacks.
  • Review logs and policies in place periodically for any particular service.
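
The first two indicators can be turned into a log check. The sketch below is an added example, not CTM360 code: it assumes a simple four-field log format (timestamp, source IP, username, result) and thresholds chosen for illustration, and it runs over constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (assumed format): time, source IP, user, result.
SAMPLE_LOG = """\
2019-08-26T09:00:01 203.0.113.7 alice FAIL
2019-08-26T09:00:03 203.0.113.7 bob FAIL
2019-08-26T09:00:05 203.0.113.7 carol FAIL
2019-08-26T09:00:07 203.0.113.7 svc-backup UNKNOWN_USER
2019-08-26T09:00:09 203.0.113.7 dave FAIL
2019-08-26T09:00:11 203.0.113.7 erin OK
2019-08-26T09:05:00 198.51.100.4 frank FAIL
2019-08-26T09:05:40 198.51.100.4 frank LOCKOUT
"""

FAILURES = {"FAIL", "UNKNOWN_USER", "LOCKOUT"}

def parse(log):
    """Yield (datetime, source, user, result) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            yield datetime.fromisoformat(ts), src, user, result

def analyze(log, window=timedelta(minutes=10), min_users=4):
    """Return spraying sources plus unknown-user and lockout signals."""
    failures = defaultdict(list)  # source -> [(time, user)]
    report = {"spray_sources": {}, "unknown_users": [], "lockouts": []}
    for ts, src, user, result in parse(log):
        if result in FAILURES:
            failures[src].append((ts, user))
        if result == "UNKNOWN_USER":
            report["unknown_users"].append((src, user))
        elif result == "LOCKOUT":
            report["lockouts"].append((src, user))
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window: drop failures older than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            # Spray signature: many distinct accounts, few tries on each.
            if len(users) >= min_users:
                report["spray_sources"][src] = sorted(users)
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Counting distinct usernames per source, rather than failures per account, is what separates a spray from one user mistyping a password: the second source above produces a lockout signal but is not flagged as a spray.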

Practicing Good Password Hygiene:

Password hygiene is an important skill in today’s digital era that every individual must possess. For organizations, it becomes even more important, as poor password hygiene puts them at high risk. Organizations can reduce this risk, and the chances of being breached by cybercriminals, by simply practicing good password hygiene:

  • Passwords should be changed on a regular basis.
  • Use different passwords for different websites.
  • Use password management tools that help you store and generate passwords more securely.
  • Multi-factor authentication (2FA) along with strong passwords will add a second layer of security.

In addition to this, organizations should enforce a strict no-password-sharing policy and conduct periodic awareness events for employees, helping them understand the importance of having strong passwords and how to stay secure online.

Since compromised data from third-party breaches has become widely available, cybercriminals can easily get their hands on such data. Once they know your organization’s email addresses are part of a specific breach, it is an easy entry for them into your organization, as they try to use these known password combinations on the organization’s various services or sites.

CTM360 understands the need for collecting such data and alerting organizations on matches found on their respective domains, and it is done through our module BreachDB. With BreachDB you will gain access to information from a vast database of the various breaches that have occurred over the past few years. This data is being detected and aggregated by Team CTM360 on an ongoing basis to improve organizations’ visibility and insight into high-profile credential leaks.

Check for your organization’s leaked credentials on BreachDB:





A comprehensive Cyber Threat Management service. We offer cyber detection, analysis and mitigation via a 24/7/365 SOC. Headquartered in the Kingdom of Bahrain.