Netwrix 1Secure delivers unified visibility across data and identity — free for 14 days with full access. Start a free trial

Cybersecurity glossaryAttack catalog
Understanding password spraying attacks

Understanding password spraying attacks

Password spraying is a credential-based attack where a threat actor tries a small set of common passwords across many accounts, avoiding per-account lockouts. It targets Active Directory environments, cloud identity providers, VPNs, and SSO platforms. Unlike brute force, it spreads guesses widely to stay below detection thresholds. Effective defenses include phishing-resistant MFA, banned password lists, NTLM restrictions, rate limiting, and ITDR monitoring for low-and-slow authentication anomalies.

In a password spraying attack, threat actors try a small set of common passwords across many user or service accounts. The goal is to compromise an account while staying below account-lockout thresholds.

Attribute

Details

Attack type

Password spraying (low-and-slow brute force across many accounts)

Impact level

High

Target

SSO/IdP portals, VPN/VDI, SaaS sign-ins, exec/admin users, service accounts

Primary attack vector

Automated login attempts using common/default passwords + OSINT usernames

Motivation

Initial foothold, ATO for fraud/exfiltration, staging for lateral movement/ransomware

Common prevention methods

Phishing-resistant MFA, lockout/rate limits, banned password lists, disable legacy auth, bot/CAPTCHA, CA policies

Risk factor

Level

Potential damage

High

Ease of execution

Medium–High

Likelihood

High

Could a password spraying attack slip through your defenses undetected?

Talk to our experts about tightening authentication controls, identifying at-risk accounts, and monitoring for credential-based threats before they escalate.

What is password spraying?

Password spraying is a method where an attacker tries a small set of common passwords (for example: “Password123!,” “qwerty,” “Summer2024,” “Welcome1”) across many user accounts or service accounts in an identity store, such as on-premises Active Directory, cloud identity providers (Microsoft Entra ID, Okta, Google Workspace), SaaS apps, web applications, VPNs, and other authentication systems. The goal is to compromise an account without triggering account lockout controls that come into effect when someone makes repeated failed attempts on a single account. Password spraying spreads a few guesses widely, which makes it highly effective against organizations with weak or reused passwords.

Think of it as an intruder trying one common key at the doors of an entire apartment building rather than trying many different keys on a single door. If a tenant has used that common key, the intruder gets in, but the building’s door alarm is not triggered by repeated attempts against one lock.

Here is how password spraying differs from brute force and credential stuffing attacks.

Feature

Brute-force attack

Credential stuffing

Password spraying

Targets

Single account or a few

Many accounts

Many accounts

Method

Attempts many possible passwords for the same account (often automated, exhaustive)

Uses leaked/stolen credentials obtained from breaches and replays them across services to find reused or valid logins

Tries a few common passwords across many accounts to avoid lockouts

Lockout profile

High risk of lockout on targeted account

May trigger protection if credentials are wrong or reused

Designed to avoid per-account lockout by spreading attempts

Chance of success

Can succeed if no lockouts and password is weak

High if users reuse breached passwords

Effective against organizations with many weak/default passwords and relaxed login limits

Password spraying remains one of the most common credential-based attack techniques because it targets weak passwords while avoiding traditional account lockout controls. Organizations can reduce risk through strong password policies, phishing-resistant MFA, identity monitoring, and least-privilege access controls.

How password spraying works

Password spraying is a “low-and-slow” approach. The attacker trades depth (many guesses against one account) for breadth (a few guesses across many accounts) to remain stealthy. The following steps illustrate how a password spraying attack typically unfolds.

Reconnaissance (usernames)

The attacker first builds a list of valid usernames. Sources include:

  • Open-source intelligence (OSINT), for instance LinkedIn, company pages, press releases, government databases
  • Public breach dumps
  • Email-format harvesting (as in first.last@company.com)
  • Live enumeration against a login page (different error messages, response times, and account recovery flows reveal which usernames are valid)

The result is a target set of human or service account names the attacker will run the attack on, such as a list of 500 employee email addresses from LinkedIn.

Pick a tiny password set

Next, attackers choose a very small list of likely passwords, such as:

  • Default passwords
  • Common weak passwords
  • Season/year combos
  • Company/mascot variants

Spray campaigns typically use only a small set of password guesses, commonly 3 to 10. Keeping the password set small minimizes failures per account, which prevents lockouts.

Spray wave #1 (low-and-slow)

The attacker tries one password across many accounts, such as trying "Winter2024!" against all 500 accounts. They space out attempts to stay below lockout and detection thresholds (for example, 1 to 2 attempts per account within the lockout window). This low volume per account barely triggers alerts while the attacker continues to probe for weak or reused credentials.

Rotate and evade

To further avoid detection, attackers rotate their infrastructure and fingerprints.

  • They cycle through different IP addresses using proxies, VPNs, Tor, or distributed botnets.
  • They randomize user-agent strings to mimic legitimate traffic from various devices and browsers.
  • Timing between authentication attempts is varied to stay below rate-limit thresholds.
  • Attacks are distributed across multiple geographic locations to appear as normal global access.

These combined tactics make the campaign harder to detect and block. Attackers also sometimes target legacy systems or endpoints using basic authentication protocols, as these lack modern security controls like multi-factor authentication (MFA) and robust rate-limiting. This makes exploitation easier without triggering alarms.

Spray wave #2

If the first wave does not yield any wins, attackers run subsequent waves using the next password in the tiny set against the same (or expanded) username list. They employ password spraying tools and automated scripts to control the attempt cadence, rotate IPs, retry as needed, and parse login responses. This allows for campaigns to scale while staying below detection thresholds.

First success (foothold)

When an account accepts a guessed password, the attacker gains access. They then move quickly to establish persistence and expand access before the compromise is detected.

  • The attacker creates alternative access mechanisms such as application-specific passwords or API tokens, harvests additional credentials, registers OAuth tokens for third-party apps, or configures mailbox forwarding rules to maintain access even if the original password is changed.
  • They then enumerate the internal environment, exploring accessible applications, shared resources, cloud services, and sensitive data repositories to understand what the compromised account can reach.
  • They attempt privilege escalation by exploiting helpdesk procedures (for instance, impersonating the user to reset passwords for higher-privilege accounts), initiating password reset flows for admin accounts, or launching MFA fatigue attacks (where they repeatedly bombard legitimate users with MFA push notifications until they approve access).

This stage transforms a single compromised credential into a persistent presence within the organization's infrastructure.

Outcomes

With access established, attackers pursue their end goals. They can:

  • Exfiltrate sensitive data
  • Launch business email compromise (BEC) fraud through compromised mailboxes
  • Use the foothold for lateral movement across the network

This way, the initial breach escalates into more severe attacks like ransomware deployment, privilege escalation to administrator accounts, or long-term persistent access for ongoing espionage. What starts as a simple password spray can result in significant financial losses, data breaches, and operational disruption.

Attack flow diagram

Here is a simple visual flow of the password spraying attack and an example story from an organization’s perspective that shows how a password spraying campaign moves from reconnaissance to impact.

Image

A logistics firm's employee directory is partially exposed through LinkedIn and an old credential dump. An attacker builds a list of valid email addresses and tests one common password across all accounts, spacing attempts days apart to stay below lockout thresholds.

One account accepts the guess: a warehouse coordinator who had never updated a default onboarding password. The attacker sets up mailbox forwarding, maps internal file shares, then uses a helpdesk impersonation call to reset an IT administrator's password and gain AD access. By the time unusual sign-in activity triggers an alert, 11 days have passed, payroll records have been exfiltrated, and ransomware is staged across multiple servers.

Examples of password spraying attacks

Password spraying attacks have been used in several real-world breaches against major organizations. The following are a few notable examples.

Case

Impact

Microsoft (2024)

In January 2024, Microsoft disclosed that beginning late November 2023, a nation-state actor (Midnight Blizzard, also known as APT29/NOBELIUM) used a password spray attack to compromise a legacy non-production test tenant account, one that lacked MFA.

Using that foothold, the attacker gained access to a very small percentage of Microsoft’s corporate email accounts, including senior leadership, cybersecurity, legal, and other functions. They then exfiltrated emails and attachments from some of those mailboxes, exposing high-value communications.

Citrix (2019)

In March 2019, Citrix announced that the FBI had alerted them to a likely password spraying attack by international cybercriminals. By July, Citrix confirmed that attackers had indeed gained access to its internal network using this method. The attackers accessed a shared network drive storing business documents and a web-tool consulting drive between October 2018 and March 2019.

The compromise went undetected for months, during which attackers accessed files containing sensitive personal information of employees, including names, social security numbers, and financial data. Approximately 24,000 individuals were affected, including current and former employees, interns, job candidates, contractors, and beneficiaries. The breach resulted in a class-action lawsuit that led to a $2.275 million settlement to provide victims with credit monitoring and identity theft recovery services. It also led to regulatory scrutiny and reputational damage.

Peach Sandstorm (2023)

Starting February 2023, Peach Sandstorm (an Iranian state-backed threat group) launched a series of password spraying campaigns targeting the defense, satellite, and pharmaceutical sectors in the United States, Saudi Arabia, South Korea, Australia, and the United Arab Emirates. According to Microsoft, the group used anonymized infrastructure, including Tor networks, to hide their activity while attempting to compromise many accounts with common passwords. Once successful, the attackers established persistent access, enabling long-term cyber-espionage and intelligence collection within high-value environments.

Consequences of password spraying

Password spraying incidents highlight how a single weak password can open the door to large-scale compromise, leading to serious and far-reaching consequences for an organization. Here is how the effects play out across key impact areas.

Impact area

Description

Financial

Organizations face direct financial losses from fraudulent transactions, unauthorized fund transfers, and incident response efforts including forensic investigations and system remediation. Regulatory fines under frameworks like GDPR and HIPAA can reach millions of dollars, while cyber insurance premiums can increase. Publicly traded companies can also be hit by stock price volatility and loss of market capitalization.

Operational

The operational impact of password spraying ripples through an organization. Emergency measures such as forced account lockouts and password resets can temporarily halt business operations. During investigations and recovery, critical services may experience downtime, and employees can lose productive work hours. All this adversely affects efficiency and revenue.

Reputational

Public disclosure of a breach erodes customer trust, leading to customer attrition and difficulty in acquiring new clients. Media coverage amplifies the damage by keeping security failures in the public eye. Partner organizations tend to reconsider business relationships due to loss of brand credibility.

Legal/regulatory

Attacks that result in data breaches trigger legal and regulatory consequences. Organizations must meet breach notification requirements, with missed deadlines resulting in penalties. Regulators investigate whether proper security controls were in place, from HIPAA in healthcare to SOX, PCI-DSS, and GDPR in finance and data protection. These incidents can also spark class-action lawsuits for breach of privacy. Contracts with business partners can stand violated, resulting in liability for partner losses.

Common targets of password spraying: Who is at risk?

Password spraying attacks can target any organization that has online accounts or exposed login systems. However, some environments and users are far more attractive to attackers due to the access, data, or systems they control. Some common targets of password spraying campaigns are:

Organizations with externally facing authentication services

Organizations that expose authentication services to the internet are prime targets. Common attack surfaces include:

  • VPN gateways
  • Email portals like Outlook Web Access and Microsoft 365/Entra ID
  • Cloud applications such as Google Workspace and Salesforce

Single sign-on (SSO) and federated identity systems like AD FS, Okta, and Ping Identity are high-value entry points for credential-based attacks. By compromising them, attackers gain access to multiple internal and third-party apps simultaneously.

Industries handling sensitive data

Sectors that store or process confidential or regulated information are especially appealing to threat actors due to the high value of the data.

  • Healthcare organizations are targeted for patient data and access to electronic health records systems containing HIPAA-protected data.
  • Financial institutions face risks to online banking platforms, trading applications, and payment processing systems.
  • Government and defense entities are prime espionage targets due to classified data, extensive contractor networks, and citizen service portals.
  • At educational institutions, student information systems often use predictable username formats based on student names. Combined with less mature security controls, this makes it easier for attackers to generate valid credential lists for password spraying campaigns.

Users with high-value or privileged accounts

Attackers love to go after accounts that provide administrative access or financial control.

  • C-suite executives and board members are valuable because their accounts contain sensitive communications and strategic information.
  • IT administrators control identity systems, servers, and cloud environments, making them highly valuable targets.
  • Finance and payroll staff are targeted for potential fraud in payroll processing and wire-transfer manipulation.
  • Service accounts, which have broad access but weaker monitoring, are another common entry point.

Accounts with weak or default credentials

New or forgotten employee accounts with default passwords are low-hanging fruit. Even active users who follow common, predictable password patterns (like CompanyName2025!) pose a risk. Legacy or inactive accounts that remain enabled in the directory are also dangerous, as they are rarely monitored yet may still provide valid access.

Cloud and remote work environments

With remote work and cloud adoption, many employees log in through VPNs, VDIs, or SSO platforms. This creates a large attack surface, where one compromised password can open access to dozens of connected systems.

Risk assessment

Password spraying in cybersecurity is a low-cost, broadly available attack that preys on weak passwords and exposed authentication surfaces. Organizations should treat it as a high-priority risk and tune controls accordingly.

Risk factor

Level

Potential damage

High
A single successful compromise can lead to mailbox takeover, theft of sensitive documents, business email compromise, lateral movement into critical systems, and even ransomware staging. If the compromised account has elevated privileges or access to SSO, the impact multiplies.

Ease of execution

Medium–High
Password spraying requires relatively little skill. Commodity tooling, public wordlists of common passwords, automated scripts, and basic OSINT to harvest usernames are enough to launch an attack. Threat actors can scale using simple automation and proxy services. Hence, carrying out the attack is not trivial but within reach of many threat actors.

Likelihood

High
The password spraying technique is cheap, effective, and widely used in attacks. Automated campaigns and botnets make it easy to target many victims quickly. Because many organizations still have weak or reused passwords, exposed login portals, or legacy endpoints without MFA, the probability of a password spraying attack remains high.

How to prevent password spraying

To prevent password spraying, organizations should adopt strong authentication practices, proactive monitoring, and user awareness. The following measures can be helpful.

Enforce strong password policies

The first step is to raise the bar for password strength.

  • Enforce long, complex passwords for accounts (at least 14 characters).
  • Use banned or breached password lists (such as Have I Been Pwned) and common patterns to block users from using compromised or weak passwords.
  • Make sure new and default accounts change their passwords at first login to eliminate easy entry points.

Implement multi-factor authentication

MFA is one of the most effective defenses against password spraying as it closes common bypass routes.

  • Deploy MFA across all externally facing systems such as email, VPNs, and cloud apps.
  • Whenever possible, use phishing-resistant MFA options like FIDO2 security keys or certificate-based authentication.
  • Block legacy protocols (like NTLM or basic auth) that do not support MFA. Make sure your cloud and identity platforms only allow modern authentication so that attackers cannot sneak in using weak, outdated methods.

Apply account lockout and rate limiting

Attackers rely on repeated login attempts in password spraying, so you can limit these attempts to slow down or stop their progress.

  • Set lockout policies carefully. Make them tight enough to protect accounts but flexible enough to avoid frustrating legitimate users.
  • Add progressive delays, CAPTCHA prompts, and temporary lockouts after several failed attempts.
  • Limit the number of login attempts from a single IP address or device to prevent large-scale spraying.

Strengthen detection and monitoring

Continuous monitoring allows organizations to catch warning signs early.

  • Track failed login attempts across multiple accounts from the same IP or region.
  • Investigate spikes in account lockouts, unusual MFA prompts, and logins from unknown geographies.
  • Use security information and event management (SIEM) or user and entity behavior analytics (UEBA) tools to identify “low and slow” spraying patterns that blend into normal traffic. Detecting these patterns early can prevent a full-scale breach.

Maintain username and identity hygiene

The first step in a password spraying attack chain is when the attacker begins collecting or inferring valid usernames in an organization. For this reason:

  • Avoid predictable username formats like “firstname.lastname@company.com” or “employeeID@domain.com.”
  • Limit or secure any publicly accessible lists of usernames, email addresses, or employee information that attackers could use to build valid login name lists.
  • Configure your login pages to prevent username enumeration: do not reveal whether a username is valid during failed login attempts.
  • As a routine exercise, disable inactive, test, and legacy accounts that are not in use but still active in the directory.

Adopt Zero Trust and access controls

A Zero Trust model limits the damage from a single compromised account.

  • Apply the principle of least privilege (PoLP), granting users only the access they truly need.
  • Use Conditional Access policies to block risky IPs and enforce MFA for high-risk logins.
  • Segment access between systems so that one breach does not cascade across the network.

Work on user awareness and training

Human error is often the weakest link. To address it:

  • Educate employees on password hygiene, the dangers of password reuse, and how spraying attacks work.
  • Encourage the use of password managers to generate and store unique, complex passwords.
  • Run regular awareness campaigns and phishing/password spray simulations to keep good habits fresh.

Use advanced protections

Modern identity defenses go beyond passwords. Organizations should:

  • Deploy identity threat detection and response (ITDR) tools, such as those provided by Netwrix, to detect and contain suspicious identity-related activity before attackers escalate.
  • Enable banned-password enforcement features such as Microsoft Entra ID Password Protection.
  • Consider switching to passwordless authentication, such as FIDO2 keys, biometrics, or smartcards for stronger security.

How Netwrix can help

Netwrix offers a range of cybersecurity solutions that enable organizations to enforce stronger authentication, spot attacks early, block them in real time, and maintain hygiene across identities.

Enforce strong authentication with Netwrix Password Policy Enforcer

Netwrix Password Policy Enforcer lets you set up detailed, customized password policies to block weak and breached passwords. It supports both on-premises Active Directory and cloud environments like Microsoft Entra ID. It can check against leaked password lists, enforce different rules per user group, and help meet regulatory templates like NIST and PCI.

Stop malicious authentications in real time with Netwrix Threat Prevention

Netwrix Threat Prevention monitors and blocks risky logons and unauthorized changes in real time, such as suspicious logins, changes to privileged groups, and legacy protocol authentication. This prevents attackers from establishing a foothold or moving laterally.

Threat Prevention is part of Netwrix’s Identity Threat Detection & Response (ITDR) solution, which encompasses multiple products working together. This solution enables organizations to detect identity-centric attacks early, including Active Directory password spraying, credential misuse, legacy protocol use, unusual sign-ins, and privilege escalation across Active Directory and Entra ID. It gives you real-time analytics and alerts when suspicious activity occurs, guiding security teams to respond before attackers escalate.

Maintain identity hygiene through Netwrix Directory Manager

Netwrix Directory Manager automates user lifecycle tasks in the directory, such as disabling inactive and legacy accounts, enforcing strong credentials on new accounts, and auto-updating group memberships based on policies. This kind of cleanup shrinks the attack surface available for password spraying.

Detect and block password spraying attacks with Netwrix Threat Manager. Download free trial.

Detection, mitigation, and response strategies

Password spraying is a low-noise but high-impact threat. To catch the early signs, organizations need tight detection, followed by a fast response to contain and remediate the damage.

Detection

Effective password spraying detection means looking for broad, low-volume patterns rather than loud bursts.

Correlate failed logins across accounts

Correlate failed logins across many accounts originating from the same IP address, network (ASN), or user-agent string within a time window (for example, 5+ accounts failing from one IP in 30 minutes). This “same password tried everywhere” pattern is a strong indicator of spraying activity.

Detect low-and-slow cadence

Attackers exploit older protocols because they lack advanced security features and do not support MFA. Flag any authentication attempts using IMAP, POP, SMTP AUTH, or other outdated APIs. Also monitor for unusual user-agents, automated tools, and applications that are rarely used in your environment. Pay attention to slow, steady login attempts spread across many accounts, as these are designed to stay below lockout and detection thresholds.

Monitor risky sources

Monitor connections from risky or anonymized sources, such as Tor exit nodes, VPNs, and open or anonymous proxies. Track logins from IPs previously flagged for malicious activity or associated with credential attacks. Detect impossible travel (for example, a user logging in from New York, then Tokyo 30 minutes later) and geographic anomalies such as access from countries or regions where your organization has no presence. These signals help to identify inherently suspicious connection sources.

Track success after failures

When you observe a pattern where multiple failed logins across accounts are followed by a successful login from the same IP or source, stay alert. That transition is a high-confidence indicator of a breach.

SIEM/UEBA rules

Machine learning baselines detect anomalies that human analysts can miss. Set up SIEM or UEBA rules to detect failed logins spread across many accounts, rate-limit violations, and sudden spikes in MFA denials or account lockouts.

Mitigation

To mitigate password spraying attacks, take steps to make accounts harder to guess, harder to abuse, and easier to protect. In addition to the practices listed in the How to Prevent Password Spraying section, adopt the following measures for mitigation.

Bot and anomaly defenses

Make it harder for automated tools to keep guessing passwords. Add CAPTCHA challenges after repeated failed logins, use device fingerprinting to recognize suspicious patterns, and rely on behavioral signals (like typing speed or login timing) to tell humans apart from bots. These small friction points can effectively break most automated spraying attempts.

Conditional access

Strengthen access decisions with context. Use Conditional Access policies to allow logins only from trusted locations, block “impossible travel” logins, and trigger step-up authentication when a sign-in looks risky. This ensures that even if credentials are guessed, attackers still face additional verification hurdles.

Identity provider (IdP) hygiene

Secure your authentication processes. Enable tenant-wide password protection features (like banned password lists), turn on extranet lockout in AD FS to limit external brute-force attempts, and configure tenant-wide alerts for suspicious sign-in behavior. These controls reduce the window of opportunity for attackers to exploit weak or reused credentials.

Administrator hygiene

Treat admin accounts like crown jewels. Administrators should use separate accounts for administrative and daily work. Implement the principle of least privilege so that no one has more access than needed and eliminate default or shared passwords entirely. Implement just-in-time access (JIT) and Just Enough Administration (JEA) to grant temporary elevated privileges only when necessary. This limits exposure if an account is ever compromised.

Response

When a detection alert fires, respond. Your goal is to contain the damage, find how the attacker persisted, and make sure it does not happen again.

Contain the threat quickly

  • Block suspicious IP ranges or ASNs (or quarantine them at the WAF or network edge).
  • Implement geofencing if attacks originate from unexpected geographic regions.
  • Revoke all active sessions and refresh tokens for compromised accounts (not just suspicious ones because attackers may have already moved laterally).
  • Invalidate any standing access tokens or API keys associated with the affected accounts.
  • Apply emergency Conditional Access policies to require MFA, block risky sign-ins, or restrict access to trusted networks.
  • Tighten authentication requirements temporarily to shut off risky sign-in paths.

Reset targeted credentials

  • Reset passwords for accounts that were targeted or successfully breached. Use risk scoring and confirmed indicators of compromise to guide the password reset process.
  • Enforce MFA enrolment.
  • Remove suspicious mailbox forwarding rules, send-as permissions, and delegates from compromised and high-risk accounts.
  • Revoke unauthorized OAuth app consents and application permissions for the targeted accounts.

Hunt for persistence

Search compromised accounts for:

  • Mailbox rules (forwarding, deletion, auto-reply)
  • Mailbox delegates and send-as/send-on-behalf permissions
  • App passwords and legacy auth tokens (IMAP, POP3, SMTP)
  • OAuth tokens and application consents
  • API keys and service principal credentials
  • Enrolled MFA devices (remove attacker-added phones or other authenticators)
  • Changes to registered authentication methods
  • Service principal and app registrations with excessive permissions
  • Conditional Access policy modifications (attackers may weaken security policies)
  • Saved credentials in browsers or password managers

Remove anything that could allow the attacker to return without re-authenticating.

Forensics and scope

  • Collect authentication logs (Entra ID sign-ins, Okta system logs, on-premises AD logs) and network flows (such as east-west lateral movement, data exfiltration indicators, anomalous traffic patterns).
  • Build a timeline of events, source IPs, user-agents, affected apps, and which login attempts succeeded vs. failed.
  • Determine what data or systems were accessed.

Notify stakeholders

  • Immediately inform affected users and guide them on what to do.
  • Next, inform leadership, legal, IT security, and compliance teams as required.
  • Update partners and vendors if shared systems or data are affected.
  • If the breach results in regulatory non-compliance, prepare regulatory notifications if applicable.

Disable attack vectors

  • Disable legacy authentication protocols if they are not required.
  • Tighten account lockout policies and rate limits.
  • Deploy decoy accounts (honeypots) with monitoring to detect future spraying attempts.
  • Update threat intelligence feeds with attacker IPs, patterns, and TTPs.
  • Refine SIEM detection rules based on observed attacker indicators.
  • Roll out mitigation measures organization-wide.

Lessons learned

  • Schedule formal post-incident review within one to two weeks of incident closure and document what worked well and what needs improvement.
  • Revise incident response runbooks with lessons learned.
  • Document new IOCs, TTPs, and detection signatures.
  • Run tabletop exercises simulating password spraying scenarios.
  • Conduct purple-team exercises to validate detection and response improvements.
  • Run controlled password spraying simulations (with authorization) to test controls.

Train helpdesk and IT staff on recognizing and responding to credential attacks.

Industry-specific impact

Password spraying attacks carry different consequences depending on the sector. By understanding industry-specific risks, organizations can prioritize defenses and tailor incident response.

Industry

Impact

Healthcare

Password spraying attacks create immediate risks to patient safety and regulatory compliance. Compromised credentials expose electronic health records (EHR) and protected health information (PHI), leading to severe HIPAA violations, mandatory breach notifications, financial penalties, additional audits, and loss of patient trust.

Compromised patient or provider portals result in account takeovers that lock providers out of critical systems during emergencies while disrupting care coordination, appointment scheduling, and prescription management.

Finance

Threat actors can initiate wire fraud, BEC, and customer account takeovers to redirect funds or steal sensitive financial data. Breaches can expose PCI or GLBA-regulated information, which triggers heavy fines, legal consequences, and regulatory investigations. The reputational impact tarnishes customer confidence and market credibility.

Government

Compromise of government accounts can lead to exposure of citizen records, data manipulation, and service outages. Attackers may exploit breaches to access sensitive internal systems, posing risks to national security and public trust. Agencies also face Freedom of Information Act (FOIA) implications and heightened oversight following such incidents.

Password-based attacks have evolved from noisy, brute-force attempts to stealthy, automated campaigns that are part of wider threat operations. By looking at attack evolution and current trends, security teams can strengthen defenses accordingly.

Key statistics and infographics

Numbers tell the real story behind password spraying and credential-based attacks. The following stats highlight why strong authentication and better password hygiene are more critical than ever.

  • In the 2025 Verizon Data Breach Investigations Report, analysts found that 22% of confirmed breaches began with credential abuse (such as stolen or reused passwords), and among “Basic Web Application” attacks, 88% involved stolen credentials.
  • According to Microsoft, over 99.9% of compromised accounts lacked MFA at the time of breach. The research also found that accounts lacking MFA were particularly vulnerable to password spraying and password replay attacks, especially when using legacy authentication protocols like SMTP, IMAP, and POP that do not support MFA.
  • According to recent analyses (for example, by NordPass and others in 2025), passwords such as “123456,” “password,” “qwerty,” “12345,” and “qwerty123” continue to dominate the top lists of most-used passwords.

Daily identity attacks

The following chart shows a sharp rise in daily identity attacks, climbing from around 300 million in 2022 to nearly 800 million by the first half of 2025. It highlights the growing scale of password and identity-based threats.

Image

Identity attack types

The pie chart shows that in 2025, 97% of identity attacks were password-based, primarily password spraying and brute-force attacks. This confirms that weak or stolen credentials remain the top target for attackers.

Image

MFA adoption growth

The line graph shows steady growth in MFA adoption among Microsoft enterprise customers since 2014, yet as of 2024, 59% of accounts still lack MFA protection.

Image

Final thoughts

Attackers spray credentials across your user base like rain against windows. Most attempts roll off harmlessly, but they only need one weak seal to flood in. The beauty of the attack, from their perspective, is its simplicity: low effort, high return, and nearly invisible until damage is done. Do not be the weak seal. Do not let a single compromised credential unravel months of security investments. Password spraying succeeds precisely because it does not look like an attack, until it is too late. Detect the spray early, shut the entry points, and keep the flood at bay.

FAQs

Share on

Published: Jun 22, 2026

Darryl baker headshot

Darryl Baker

Senior Staff Security Researcher

Darryl G. Baker is a Senior Staff Security Researcher at Netwrix and a recognized authority in Identity and Active Directory security. With over a decade of identity systems experience, he has led enterprise security assessments, identity security trainings, and threat emulations focused on Active Directory, Entra ID, and Azure environments. Darryl has delivered highly rated trainings and demos at BlueTeamCon, BSidesCT, The Experts Conference, and Wild Wild West Hackin’ Fest. He’s the architect behind numerous hands on attack emulation labs—leveraging current red team and blue team tools to help defenders master everything from attack path analysis to threat hunting. In his sessions, Darryl blends deep technical insight with real world case studies, empowering blue team professionals to strengthen their identity security posture and defend against evolving adversary techniques.

View related cybersecurity attacks

Abusing Entra ID Application Permissions – How It Works and Defense Strategies

AdminSDHolder Modification – How It Works and Defense Strategies

AS-REP Roasting Attack - How It Works and Defense Strategies

Hafnium Attack - How It Works and Defense Strategies

DCSync Attacks Explained: Threat to Active Directory Security

gMSA exploitation attacks and Golden gMSA attacks explained

Ultimate guide to Golden SAML attacks

What Is a Golden Ticket Attack? How It Works, Detection and Prevention

DCShadow Attack – How It Works, Real-World Examples & Defense Strategies

ChatGPT Prompt Injection: Understanding Risks, Examples & Prevention

NTDS.dit extraction attacks explained

Kerberoasting Attack – How It Works and Defense Strategies

Understanding Pass-the-Hash (PtH) attacks

Pass-the-Ticket Attack Explained: Risks, Examples & Defense Strategies

Plaintext Password Extraction explained: Risks, examples & prevention

Zerologon Vulnerability Explained: Risks, Exploits and Mitigation

A complete guide to ransomware attacks

Skeleton Key attack: How it works and how to detect it

Lateral Movement: What Is It, How It Works And Preventions

Man-in-the-Middle (MITM) Attacks: What They Are & How to Prevent Them

Why Is PowerShell So Popular for Attackers?

4 Service Account Attacks and How to Protect Against Them

How to Prevent Malware Attacks from Impacting Your Business

What is Credential Stuffing?

Compromising SQL Server with PowerUpSQL

What Are Mousejacking Attacks, and How to Defend Against Them

Stealing Credentials with a Security Support Provider (SSP)

Rainbow Table Attacks: How They Work and How to Defend Against Them

A Comprehensive Look into Password Attacks and How to Stop Them

LDAP Reconnaissance

Bypassing MFA with the Pass-the-Cookie Attack

Silver Ticket Attack