Understanding password spraying attacks
Password spraying is a credential-based attack where a threat actor tries a small set of common passwords across many accounts, avoiding per-account lockouts. It targets Active Directory environments, cloud identity providers, VPNs, and SSO platforms. Unlike brute force, it spreads guesses widely to stay below detection thresholds. Effective defenses include phishing-resistant MFA, banned password lists, NTLM restrictions, rate limiting, and ITDR monitoring for low-and-slow authentication anomalies.
In a password spraying attack, threat actors try a small set of common passwords across many user or service accounts. The goal is to compromise an account while staying below account-lockout thresholds.
Attribute | Details |
|---|---|
|
Attack type |
Password spraying (low-and-slow brute force across many accounts) |
|
Impact level
|
High |
|
Target |
SSO/IdP portals, VPN/VDI, SaaS sign-ins, exec/admin users, service accounts |
|
Primary attack vector |
Automated login attempts using common/default passwords + OSINT usernames |
|
Motivation
|
Initial foothold, ATO for fraud/exfiltration, staging for lateral movement/ransomware |
|
Common prevention methods |
Phishing-resistant MFA, lockout/rate limits, banned password lists, disable legacy auth, bot/CAPTCHA, CA policies |
Risk factor | Level |
|---|---|
|
Potential damage
|
High |
|
Ease of execution |
Medium–High |
|
Likelihood |
High |
Could a password spraying attack slip through your defenses undetected?
Talk to our experts about tightening authentication controls, identifying at-risk accounts, and monitoring for credential-based threats before they escalate.
What is password spraying?
Password spraying is a method where an attacker tries a small set of common passwords (for example: “Password123!,” “qwerty,” “Summer2024,” “Welcome1”) across many user accounts or service accounts in an identity store, such as on-premises Active Directory, cloud identity providers (Microsoft Entra ID, Okta, Google Workspace), SaaS apps, web applications, VPNs, and other authentication systems. The goal is to compromise an account without triggering account lockout controls that come into effect when someone makes repeated failed attempts on a single account. Password spraying spreads a few guesses widely, which makes it highly effective against organizations with weak or reused passwords.
Think of it as an intruder trying one common key at the doors of an entire apartment building rather than trying many different keys on a single door. If a tenant has used that common key, the intruder gets in, but the building’s door alarm is not triggered by repeated attempts against one lock.
Here is how password spraying differs from brute force and credential stuffing attacks.
Feature | Brute-force attack | Credential stuffing | Password spraying |
|---|---|---|---|
|
Targets |
Single account or a few |
Many accounts |
Many accounts |
|
Method |
Attempts many possible passwords for the same account (often automated, exhaustive) |
Uses leaked/stolen credentials obtained from breaches and replays them across services to find reused or valid logins |
Tries a few common passwords across many accounts to avoid lockouts |
|
Lockout profile |
High risk of lockout on targeted account |
May trigger protection if credentials are wrong or reused |
Designed to avoid per-account lockout by spreading attempts |
|
Chance of success |
Can succeed if no lockouts and password is weak |
High if users reuse breached passwords |
Effective against organizations with many weak/default passwords and relaxed login limits |
Password spraying remains one of the most common credential-based attack techniques because it targets weak passwords while avoiding traditional account lockout controls. Organizations can reduce risk through strong password policies, phishing-resistant MFA, identity monitoring, and least-privilege access controls.
How password spraying works
Password spraying is a “low-and-slow” approach. The attacker trades depth (many guesses against one account) for breadth (a few guesses across many accounts) to remain stealthy. The following steps illustrate how a password spraying attack typically unfolds.
Reconnaissance (usernames)
The attacker first builds a list of valid usernames. Sources include:
- Open-source intelligence (OSINT), for instance LinkedIn, company pages, press releases, government databases
- Public breach dumps
- Email-format harvesting (as in first.last@company.com)
- Live enumeration against a login page (different error messages, response times, and account recovery flows reveal which usernames are valid)
The result is a target set of human or service account names the attacker will run the attack on, such as a list of 500 employee email addresses from LinkedIn.
Pick a tiny password set
Next, attackers choose a very small list of likely passwords, such as:
- Default passwords
- Common weak passwords
- Season/year combos
- Company/mascot variants
Spray campaigns typically use only a small set of password guesses, commonly 3 to 10. Keeping the password set small minimizes failures per account, which prevents lockouts.
Spray wave #1 (low-and-slow)
The attacker tries one password across many accounts, such as trying "Winter2024!" against all 500 accounts. They space out attempts to stay below lockout and detection thresholds (for example, 1 to 2 attempts per account within the lockout window). This low volume per account barely triggers alerts while the attacker continues to probe for weak or reused credentials.
Rotate and evade
To further avoid detection, attackers rotate their infrastructure and fingerprints.
- They cycle through different IP addresses using proxies, VPNs, Tor, or distributed botnets.
- They randomize user-agent strings to mimic legitimate traffic from various devices and browsers.
- Timing between authentication attempts is varied to stay below rate-limit thresholds.
- Attacks are distributed across multiple geographic locations to appear as normal global access.
These combined tactics make the campaign harder to detect and block. Attackers also sometimes target legacy systems or endpoints using basic authentication protocols, as these lack modern security controls like multi-factor authentication (MFA) and robust rate-limiting. This makes exploitation easier without triggering alarms.
Spray wave #2
If the first wave does not yield any wins, attackers run subsequent waves using the next password in the tiny set against the same (or expanded) username list. They employ password spraying tools and automated scripts to control the attempt cadence, rotate IPs, retry as needed, and parse login responses. This allows for campaigns to scale while staying below detection thresholds.
First success (foothold)
When an account accepts a guessed password, the attacker gains access. They then move quickly to establish persistence and expand access before the compromise is detected.
- The attacker creates alternative access mechanisms such as application-specific passwords or API tokens, harvests additional credentials, registers OAuth tokens for third-party apps, or configures mailbox forwarding rules to maintain access even if the original password is changed.
- They then enumerate the internal environment, exploring accessible applications, shared resources, cloud services, and sensitive data repositories to understand what the compromised account can reach.
- They attempt privilege escalation by exploiting helpdesk procedures (for instance, impersonating the user to reset passwords for higher-privilege accounts), initiating password reset flows for admin accounts, or launching MFA fatigue attacks (where they repeatedly bombard legitimate users with MFA push notifications until they approve access).
This stage transforms a single compromised credential into a persistent presence within the organization's infrastructure.
Outcomes
With access established, attackers pursue their end goals. They can:
- Exfiltrate sensitive data
- Launch business email compromise (BEC) fraud through compromised mailboxes
- Use the foothold for lateral movement across the network
This way, the initial breach escalates into more severe attacks like ransomware deployment, privilege escalation to administrator accounts, or long-term persistent access for ongoing espionage. What starts as a simple password spray can result in significant financial losses, data breaches, and operational disruption.
Attack flow diagram
Here is a simple visual flow of the password spraying attack and an example story from an organization’s perspective that shows how a password spraying campaign moves from reconnaissance to impact.
A logistics firm's employee directory is partially exposed through LinkedIn and an old credential dump. An attacker builds a list of valid email addresses and tests one common password across all accounts, spacing attempts days apart to stay below lockout thresholds.
One account accepts the guess: a warehouse coordinator who had never updated a default onboarding password. The attacker sets up mailbox forwarding, maps internal file shares, then uses a helpdesk impersonation call to reset an IT administrator's password and gain AD access. By the time unusual sign-in activity triggers an alert, 11 days have passed, payroll records have been exfiltrated, and ransomware is staged across multiple servers.
Examples of password spraying attacks
Password spraying attacks have been used in several real-world breaches against major organizations. The following are a few notable examples.
Case | Impact |
|---|---|
|
Microsoft (2024) |
In January 2024, Microsoft disclosed that beginning late November 2023, a nation-state actor (Midnight Blizzard, also known as APT29/NOBELIUM) used a password spray attack to compromise a legacy non-production test tenant account, one that lacked MFA. Using that foothold, the attacker gained access to a very small percentage of Microsoft’s corporate email accounts, including senior leadership, cybersecurity, legal, and other functions. They then exfiltrated emails and attachments from some of those mailboxes, exposing high-value communications. |
|
Citrix (2019) |
In March 2019, Citrix announced that the FBI had alerted them to a likely password spraying attack by international cybercriminals. By July, Citrix confirmed that attackers had indeed gained access to its internal network using this method. The attackers accessed a shared network drive storing business documents and a web-tool consulting drive between October 2018 and March 2019. The compromise went undetected for months, during which attackers accessed files containing sensitive personal information of employees, including names, social security numbers, and financial data. Approximately 24,000 individuals were affected, including current and former employees, interns, job candidates, contractors, and beneficiaries. The breach resulted in a class-action lawsuit that led to a $2.275 million settlement to provide victims with credit monitoring and identity theft recovery services. It also led to regulatory scrutiny and reputational damage. |
|
Peach Sandstorm (2023) |
Starting February 2023, Peach Sandstorm (an Iranian state-backed threat group) launched a series of password spraying campaigns targeting the defense, satellite, and pharmaceutical sectors in the United States, Saudi Arabia, South Korea, Australia, and the United Arab Emirates. According to Microsoft, the group used anonymized infrastructure, including Tor networks, to hide their activity while attempting to compromise many accounts with common passwords. Once successful, the attackers established persistent access, enabling long-term cyber-espionage and intelligence collection within high-value environments. |
Consequences of password spraying
Password spraying incidents highlight how a single weak password can open the door to large-scale compromise, leading to serious and far-reaching consequences for an organization. Here is how the effects play out across key impact areas.
Impact area | Description |
|---|---|
|
Financial
|
Organizations face direct financial losses from fraudulent transactions, unauthorized fund transfers, and incident response efforts including forensic investigations and system remediation. Regulatory fines under frameworks like GDPR and HIPAA can reach millions of dollars, while cyber insurance premiums can increase. Publicly traded companies can also be hit by stock price volatility and loss of market capitalization. |
|
Operational |
The operational impact of password spraying ripples through an organization. Emergency measures such as forced account lockouts and password resets can temporarily halt business operations. During investigations and recovery, critical services may experience downtime, and employees can lose productive work hours. All this adversely affects efficiency and revenue. |
|
Reputational
|
Public disclosure of a breach erodes customer trust, leading to customer attrition and difficulty in acquiring new clients. Media coverage amplifies the damage by keeping security failures in the public eye. Partner organizations tend to reconsider business relationships due to loss of brand credibility. |
|
Legal/regulatory |
Attacks that result in data breaches trigger legal and regulatory consequences. Organizations must meet breach notification requirements, with missed deadlines resulting in penalties. Regulators investigate whether proper security controls were in place, from HIPAA in healthcare to SOX, PCI-DSS, and GDPR in finance and data protection. These incidents can also spark class-action lawsuits for breach of privacy. Contracts with business partners can stand violated, resulting in liability for partner losses. |
Common targets of password spraying: Who is at risk?
Password spraying attacks can target any organization that has online accounts or exposed login systems. However, some environments and users are far more attractive to attackers due to the access, data, or systems they control. Some common targets of password spraying campaigns are:
|
Organizations with externally facing authentication services |
Organizations that expose authentication services to the internet are prime targets. Common attack surfaces include:
Single sign-on (SSO) and federated identity systems like AD FS, Okta, and Ping Identity are high-value entry points for credential-based attacks. By compromising them, attackers gain access to multiple internal and third-party apps simultaneously. |
|
Industries handling sensitive data |
Sectors that store or process confidential or regulated information are especially appealing to threat actors due to the high value of the data.
|
|
Users with high-value or privileged accounts |
Attackers love to go after accounts that provide administrative access or financial control.
|
|
Accounts with weak or default credentials |
New or forgotten employee accounts with default passwords are low-hanging fruit. Even active users who follow common, predictable password patterns (like CompanyName2025!) pose a risk. Legacy or inactive accounts that remain enabled in the directory are also dangerous, as they are rarely monitored yet may still provide valid access. |
|
Cloud and remote work environments |
With remote work and cloud adoption, many employees log in through VPNs, VDIs, or SSO platforms. This creates a large attack surface, where one compromised password can open access to dozens of connected systems. |
Risk assessment
Password spraying in cybersecurity is a low-cost, broadly available attack that preys on weak passwords and exposed authentication surfaces. Organizations should treat it as a high-priority risk and tune controls accordingly.
Risk factor | Level |
|---|---|
|
Potential damage |
High |
|
Ease of execution
|
Medium–High |
|
Likelihood |
High |
How to prevent password spraying
To prevent password spraying, organizations should adopt strong authentication practices, proactive monitoring, and user awareness. The following measures can be helpful.
Enforce strong password policies
The first step is to raise the bar for password strength.
- Enforce long, complex passwords for accounts (at least 14 characters).
- Use banned or breached password lists (such as Have I Been Pwned) and common patterns to block users from using compromised or weak passwords.
- Make sure new and default accounts change their passwords at first login to eliminate easy entry points.
Implement multi-factor authentication
MFA is one of the most effective defenses against password spraying as it closes common bypass routes.
- Deploy MFA across all externally facing systems such as email, VPNs, and cloud apps.
- Whenever possible, use phishing-resistant MFA options like FIDO2 security keys or certificate-based authentication.
- Block legacy protocols (like NTLM or basic auth) that do not support MFA. Make sure your cloud and identity platforms only allow modern authentication so that attackers cannot sneak in using weak, outdated methods.
Apply account lockout and rate limiting
Attackers rely on repeated login attempts in password spraying, so you can limit these attempts to slow down or stop their progress.
- Set lockout policies carefully. Make them tight enough to protect accounts but flexible enough to avoid frustrating legitimate users.
- Add progressive delays, CAPTCHA prompts, and temporary lockouts after several failed attempts.
- Limit the number of login attempts from a single IP address or device to prevent large-scale spraying.
Strengthen detection and monitoring
Continuous monitoring allows organizations to catch warning signs early.
- Track failed login attempts across multiple accounts from the same IP or region.
- Investigate spikes in account lockouts, unusual MFA prompts, and logins from unknown geographies.
- Use security information and event management (SIEM) or user and entity behavior analytics (UEBA) tools to identify “low and slow” spraying patterns that blend into normal traffic. Detecting these patterns early can prevent a full-scale breach.
Maintain username and identity hygiene
The first step in a password spraying attack chain is when the attacker begins collecting or inferring valid usernames in an organization. For this reason:
- Avoid predictable username formats like “firstname.lastname@company.com” or “employeeID@domain.com.”
- Limit or secure any publicly accessible lists of usernames, email addresses, or employee information that attackers could use to build valid login name lists.
- Configure your login pages to prevent username enumeration: do not reveal whether a username is valid during failed login attempts.
- As a routine exercise, disable inactive, test, and legacy accounts that are not in use but still active in the directory.
Adopt Zero Trust and access controls
A Zero Trust model limits the damage from a single compromised account.
- Apply the principle of least privilege (PoLP), granting users only the access they truly need.
- Use Conditional Access policies to block risky IPs and enforce MFA for high-risk logins.
- Segment access between systems so that one breach does not cascade across the network.
Work on user awareness and training
Human error is often the weakest link. To address it:
- Educate employees on password hygiene, the dangers of password reuse, and how spraying attacks work.
- Encourage the use of password managers to generate and store unique, complex passwords.
- Run regular awareness campaigns and phishing/password spray simulations to keep good habits fresh.
Use advanced protections
Modern identity defenses go beyond passwords. Organizations should:
- Deploy identity threat detection and response (ITDR) tools, such as those provided by Netwrix, to detect and contain suspicious identity-related activity before attackers escalate.
- Enable banned-password enforcement features such as Microsoft Entra ID Password Protection.
- Consider switching to passwordless authentication, such as FIDO2 keys, biometrics, or smartcards for stronger security.
How Netwrix can help
Netwrix offers a range of cybersecurity solutions that enable organizations to enforce stronger authentication, spot attacks early, block them in real time, and maintain hygiene across identities.
Enforce strong authentication with Netwrix Password Policy Enforcer
Netwrix Password Policy Enforcer lets you set up detailed, customized password policies to block weak and breached passwords. It supports both on-premises Active Directory and cloud environments like Microsoft Entra ID. It can check against leaked password lists, enforce different rules per user group, and help meet regulatory templates like NIST and PCI.
Stop malicious authentications in real time with Netwrix Threat Prevention
Netwrix Threat Prevention monitors and blocks risky logons and unauthorized changes in real time, such as suspicious logins, changes to privileged groups, and legacy protocol authentication. This prevents attackers from establishing a foothold or moving laterally.
Threat Prevention is part of Netwrix’s Identity Threat Detection & Response (ITDR) solution, which encompasses multiple products working together. This solution enables organizations to detect identity-centric attacks early, including Active Directory password spraying, credential misuse, legacy protocol use, unusual sign-ins, and privilege escalation across Active Directory and Entra ID. It gives you real-time analytics and alerts when suspicious activity occurs, guiding security teams to respond before attackers escalate.
Maintain identity hygiene through Netwrix Directory Manager
Netwrix Directory Manager automates user lifecycle tasks in the directory, such as disabling inactive and legacy accounts, enforcing strong credentials on new accounts, and auto-updating group memberships based on policies. This kind of cleanup shrinks the attack surface available for password spraying.
Detect and block password spraying attacks with Netwrix Threat Manager. Download free trial.
Detection, mitigation, and response strategies
Password spraying is a low-noise but high-impact threat. To catch the early signs, organizations need tight detection, followed by a fast response to contain and remediate the damage.
Detection
Effective password spraying detection means looking for broad, low-volume patterns rather than loud bursts.
Correlate failed logins across accounts
Correlate failed logins across many accounts originating from the same IP address, network (ASN), or user-agent string within a time window (for example, 5+ accounts failing from one IP in 30 minutes). This “same password tried everywhere” pattern is a strong indicator of spraying activity.
Detect low-and-slow cadence
Attackers exploit older protocols because they lack advanced security features and do not support MFA. Flag any authentication attempts using IMAP, POP, SMTP AUTH, or other outdated APIs. Also monitor for unusual user-agents, automated tools, and applications that are rarely used in your environment. Pay attention to slow, steady login attempts spread across many accounts, as these are designed to stay below lockout and detection thresholds.
Monitor risky sources
Monitor connections from risky or anonymized sources, such as Tor exit nodes, VPNs, and open or anonymous proxies. Track logins from IPs previously flagged for malicious activity or associated with credential attacks. Detect impossible travel (for example, a user logging in from New York, then Tokyo 30 minutes later) and geographic anomalies such as access from countries or regions where your organization has no presence. These signals help to identify inherently suspicious connection sources.
Track success after failures
When you observe a pattern where multiple failed logins across accounts are followed by a successful login from the same IP or source, stay alert. That transition is a high-confidence indicator of a breach.
SIEM/UEBA rules
Machine learning baselines detect anomalies that human analysts can miss. Set up SIEM or UEBA rules to detect failed logins spread across many accounts, rate-limit violations, and sudden spikes in MFA denials or account lockouts.
Mitigation
To mitigate password spraying attacks, take steps to make accounts harder to guess, harder to abuse, and easier to protect. In addition to the practices listed in the How to Prevent Password Spraying section, adopt the following measures for mitigation.
Bot and anomaly defenses
Make it harder for automated tools to keep guessing passwords. Add CAPTCHA challenges after repeated failed logins, use device fingerprinting to recognize suspicious patterns, and rely on behavioral signals (like typing speed or login timing) to tell humans apart from bots. These small friction points can effectively break most automated spraying attempts.
Conditional access
Strengthen access decisions with context. Use Conditional Access policies to allow logins only from trusted locations, block “impossible travel” logins, and trigger step-up authentication when a sign-in looks risky. This ensures that even if credentials are guessed, attackers still face additional verification hurdles.
Identity provider (IdP) hygiene
Secure your authentication processes. Enable tenant-wide password protection features (like banned password lists), turn on extranet lockout in AD FS to limit external brute-force attempts, and configure tenant-wide alerts for suspicious sign-in behavior. These controls reduce the window of opportunity for attackers to exploit weak or reused credentials.
Administrator hygiene
Treat admin accounts like crown jewels. Administrators should use separate accounts for administrative and daily work. Implement the principle of least privilege so that no one has more access than needed and eliminate default or shared passwords entirely. Implement just-in-time access (JIT) and Just Enough Administration (JEA) to grant temporary elevated privileges only when necessary. This limits exposure if an account is ever compromised.
Response
When a detection alert fires, respond. Your goal is to contain the damage, find how the attacker persisted, and make sure it does not happen again.
Contain the threat quickly
- Block suspicious IP ranges or ASNs (or quarantine them at the WAF or network edge).
- Implement geofencing if attacks originate from unexpected geographic regions.
- Revoke all active sessions and refresh tokens for compromised accounts (not just suspicious ones because attackers may have already moved laterally).
- Invalidate any standing access tokens or API keys associated with the affected accounts.
- Apply emergency Conditional Access policies to require MFA, block risky sign-ins, or restrict access to trusted networks.
- Tighten authentication requirements temporarily to shut off risky sign-in paths.
Reset targeted credentials
- Reset passwords for accounts that were targeted or successfully breached. Use risk scoring and confirmed indicators of compromise to guide the password reset process.
- Enforce MFA enrolment.
- Remove suspicious mailbox forwarding rules, send-as permissions, and delegates from compromised and high-risk accounts.
- Revoke unauthorized OAuth app consents and application permissions for the targeted accounts.
Hunt for persistence
Search compromised accounts for:
- Mailbox rules (forwarding, deletion, auto-reply)
- Mailbox delegates and send-as/send-on-behalf permissions
- App passwords and legacy auth tokens (IMAP, POP3, SMTP)
- OAuth tokens and application consents
- API keys and service principal credentials
- Enrolled MFA devices (remove attacker-added phones or other authenticators)
- Changes to registered authentication methods
- Service principal and app registrations with excessive permissions
- Conditional Access policy modifications (attackers may weaken security policies)
- Saved credentials in browsers or password managers
Remove anything that could allow the attacker to return without re-authenticating.
Forensics and scope
- Collect authentication logs (Entra ID sign-ins, Okta system logs, on-premises AD logs) and network flows (such as east-west lateral movement, data exfiltration indicators, anomalous traffic patterns).
- Build a timeline of events, source IPs, user-agents, affected apps, and which login attempts succeeded vs. failed.
- Determine what data or systems were accessed.
Notify stakeholders
- Immediately inform affected users and guide them on what to do.
- Next, inform leadership, legal, IT security, and compliance teams as required.
- Update partners and vendors if shared systems or data are affected.
- If the breach results in regulatory non-compliance, prepare regulatory notifications if applicable.
Disable attack vectors
- Disable legacy authentication protocols if they are not required.
- Tighten account lockout policies and rate limits.
- Deploy decoy accounts (honeypots) with monitoring to detect future spraying attempts.
- Update threat intelligence feeds with attacker IPs, patterns, and TTPs.
- Refine SIEM detection rules based on observed attacker indicators.
- Roll out mitigation measures organization-wide.
Lessons learned
- Schedule formal post-incident review within one to two weeks of incident closure and document what worked well and what needs improvement.
- Revise incident response runbooks with lessons learned.
- Document new IOCs, TTPs, and detection signatures.
- Run tabletop exercises simulating password spraying scenarios.
- Conduct purple-team exercises to validate detection and response improvements.
- Run controlled password spraying simulations (with authorization) to test controls.
Train helpdesk and IT staff on recognizing and responding to credential attacks.
Industry-specific impact
Password spraying attacks carry different consequences depending on the sector. By understanding industry-specific risks, organizations can prioritize defenses and tailor incident response.
Industry | Impact |
|---|---|
|
Healthcare
|
Password spraying attacks create immediate risks to patient safety and regulatory compliance. Compromised credentials expose electronic health records (EHR) and protected health information (PHI), leading to severe HIPAA violations, mandatory breach notifications, financial penalties, additional audits, and loss of patient trust. Compromised patient or provider portals result in account takeovers that lock providers out of critical systems during emergencies while disrupting care coordination, appointment scheduling, and prescription management. |
|
Finance |
Threat actors can initiate wire fraud, BEC, and customer account takeovers to redirect funds or steal sensitive financial data. Breaches can expose PCI or GLBA-regulated information, which triggers heavy fines, legal consequences, and regulatory investigations. The reputational impact tarnishes customer confidence and market credibility. |
|
Government
|
Compromise of government accounts can lead to exposure of citizen records, data manipulation, and service outages. Attackers may exploit breaches to access sensitive internal systems, posing risks to national security and public trust. Agencies also face Freedom of Information Act (FOIA) implications and heightened oversight following such incidents. |
Attack evolution and future trends
Password-based attacks have evolved from noisy, brute-force attempts to stealthy, automated campaigns that are part of wider threat operations. By looking at attack evolution and current trends, security teams can strengthen defenses accordingly.
Key statistics and infographics
Numbers tell the real story behind password spraying and credential-based attacks. The following stats highlight why strong authentication and better password hygiene are more critical than ever.
- In the 2025 Verizon Data Breach Investigations Report, analysts found that 22% of confirmed breaches began with credential abuse (such as stolen or reused passwords), and among “Basic Web Application” attacks, 88% involved stolen credentials.
- According to Microsoft, over 99.9% of compromised accounts lacked MFA at the time of breach. The research also found that accounts lacking MFA were particularly vulnerable to password spraying and password replay attacks, especially when using legacy authentication protocols like SMTP, IMAP, and POP that do not support MFA.
- According to recent analyses (for example, by NordPass and others in 2025), passwords such as “123456,” “password,” “qwerty,” “12345,” and “qwerty123” continue to dominate the top lists of most-used passwords.
Daily identity attacks
The following chart shows a sharp rise in daily identity attacks, climbing from around 300 million in 2022 to nearly 800 million by the first half of 2025. It highlights the growing scale of password and identity-based threats.
Identity attack types
The pie chart shows that in 2025, 97% of identity attacks were password-based, primarily password spraying and brute-force attacks. This confirms that weak or stolen credentials remain the top target for attackers.
MFA adoption growth
The line graph shows steady growth in MFA adoption among Microsoft enterprise customers since 2014, yet as of 2024, 59% of accounts still lack MFA protection.
Final thoughts
Attackers spray credentials across your user base like rain against windows. Most attempts roll off harmlessly, but they only need one weak seal to flood in. The beauty of the attack, from their perspective, is its simplicity: low effort, high return, and nearly invisible until damage is done. Do not be the weak seal. Do not let a single compromised credential unravel months of security investments. Password spraying succeeds precisely because it does not look like an attack, until it is too late. Detect the spray early, shut the entry points, and keep the flood at bay.
FAQs
Share on
View related cybersecurity attacks
Abusing Entra ID Application Permissions – How It Works and Defense Strategies
AdminSDHolder Modification – How It Works and Defense Strategies
AS-REP Roasting Attack - How It Works and Defense Strategies
Hafnium Attack - How It Works and Defense Strategies
DCSync Attacks Explained: Threat to Active Directory Security
gMSA exploitation attacks and Golden gMSA attacks explained
Ultimate guide to Golden SAML attacks
What Is a Golden Ticket Attack? How It Works, Detection and Prevention
DCShadow Attack – How It Works, Real-World Examples & Defense Strategies
ChatGPT Prompt Injection: Understanding Risks, Examples & Prevention
NTDS.dit extraction attacks explained
Kerberoasting Attack – How It Works and Defense Strategies
Understanding Pass-the-Hash (PtH) attacks
Pass-the-Ticket Attack Explained: Risks, Examples & Defense Strategies
Plaintext Password Extraction explained: Risks, examples & prevention
Zerologon Vulnerability Explained: Risks, Exploits and Mitigation
A complete guide to ransomware attacks
Skeleton Key attack: How it works and how to detect it
Lateral Movement: What Is It, How It Works And Preventions
Man-in-the-Middle (MITM) Attacks: What They Are & How to Prevent Them
Why Is PowerShell So Popular for Attackers?
4 Service Account Attacks and How to Protect Against Them
How to Prevent Malware Attacks from Impacting Your Business
What is Credential Stuffing?
Compromising SQL Server with PowerUpSQL
What Are Mousejacking Attacks, and How to Defend Against Them
Stealing Credentials with a Security Support Provider (SSP)
Rainbow Table Attacks: How They Work and How to Defend Against Them
A Comprehensive Look into Password Attacks and How to Stop Them
LDAP Reconnaissance
Bypassing MFA with the Pass-the-Cookie Attack
Silver Ticket Attack