Password spraying: 97% of attacks don’t hack—they just log in
Apr 6, 2026
Microsoft just dropped their latest critical infrastructure threat guidance along with their latest Digital Defense Report.
And if you read between the lines, there’s a very clear story:
Attackers aren’t smashing windows anymore.
They’re walking in the front door… quietly… with your credentials.
Let me say that again.
They’re logging in. Not breaking in.
Password spray: the world’s most boring (and effective) attack
Password spraying sounds almost… harmless.
It’s not.
- Try common passwords across lots of accounts.
- Stay under lockout thresholds.
- Wait for one successful login.
That’s it. No zero-days. No Hollywood hacking montage. No Mission Impossible music.
Just patience.
And it works. A lot.
If you’re hearing numbers like “97% of attacks start this way”, that’s not a rounding error. Those are facts we can’t ignore.
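The shape of a spray in the logs is the inverse of a brute force: many accounts, one or two guesses each, so no single account trips the lockout counter. The following is an added example (not from the report or from Netwrix) that scores failed-logon records by that shape; the CSV rows are constructed sample data, not a real product’s log format.

```python
"""Flag password-spray patterns in failed-logon records (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample: 203.0.113.7 tries one guess against many accounts (spray),
# 198.51.100.9 hammers a single account (brute force), 192.0.2.44 is a lone typo.
SAMPLE_LOG = """\
2026-04-06T09:00:01Z,203.0.113.7,alice
2026-04-06T09:00:03Z,203.0.113.7,bob
2026-04-06T09:00:05Z,203.0.113.7,carol
2026-04-06T09:00:07Z,203.0.113.7,dave
2026-04-06T09:00:09Z,203.0.113.7,erin
2026-04-06T09:00:11Z,203.0.113.7,frank
2026-04-06T09:01:00Z,198.51.100.9,alice
2026-04-06T09:01:02Z,198.51.100.9,alice
2026-04-06T09:01:04Z,198.51.100.9,alice
2026-04-06T09:01:06Z,198.51.100.9,alice
2026-04-06T09:01:08Z,198.51.100.9,alice
2026-04-06T09:01:10Z,198.51.100.9,alice
2026-04-06T09:02:00Z,192.0.2.44,grace
"""

def parse_failures(text):
    """Rows of (timestamp, source_ip, target_account)."""
    return [(ts, ip, user) for ts, ip, user in csv.reader(io.StringIO(text))]

def find_sprayers(failures, min_accounts=5, max_per_account=3):
    """Return {source_ip: distinct_accounts} for sources whose failures are
    spread across many accounts with few attempts each: the spray shape
    that stays under per-account lockout thresholds."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, ip, user in failures:
        per_ip[ip][user] += 1
    suspects = {}
    for ip, accounts in per_ip.items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account:
            suspects[ip] = len(accounts)
    return suspects

if __name__ == "__main__":
    for ip, n in find_sprayers(parse_failures(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {n} distinct accounts")
```

The brute-force source is deliberately not flagged here; per-account lockout already covers it, which is exactly why sprayers avoid that shape.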
To make it concrete, Microsoft is saying two important things right now.
From Microsoft Digital Defense Report
97% of identity attacks were password spray attacks.
That little box says it all.
That’s right.
Even as tactics evolve, attackers are still winning with weak and overused passwords.
Take a minute and read Microsoft’s guidance and report for the full context. Then come back here when finished.
Because you can spend all day talking about advanced threats… while attackers keep walking in the front door.
You should go passwordless.
Yes. You should.
FIDO2. Windows Hello. Biometrics. The whole thing.
That’s the destination.
But let’s be honest with ourselves for a second…
Your organization isn’t there.
You’ve got legacy apps. VPN dependencies. Service accounts. And users who still type “Summer2024!”.
So now what?
Is it really the right call to ignore reality until the “passwordless transformation” is complete?
That’s not a strategy. Or if it is, it’s a risky one at best. Honestly, it’s hoping and praying a problem doesn’t occur.
And as we’ve said before:
Hope isn’t a strategy. Policy is.
The gap nobody wants to talk about
There’s a giant, uncomfortable gap between where Microsoft wants you to be (passwordless utopia) and where you actually are (passwords everywhere).
That gap?
That’s where attackers live.
And Microsoft’s own data is basically saying:
“Hey… this is where the attacks are coming from.”
So the real question is:
What are you doing about it today?
Enter: “Why didn’t I already have this?” software
Imagine this:
A user tries to set a password.
Behind the scenes, your system checks it against a massive database of known compromised passwords.
If it’s weak, reused, or already burned?
Blocked. Immediately.
No debate. No exception. No “we’ll fix it later.”
That’s what Netwrix Password Policy Enforcer does.
It hooks directly into Active Directory and Hybrid password change events, checks those passwords in advance against Have I Been Pwned, and blocks those compromised and/or weak passwords before they ever become a problem.
It works with what you already have—Active Directory and/or Entra ID hybrid environments—no rip and replace required.
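The check described above, written here as an added example (this is not Netwrix’s code): the client hashes the candidate password with SHA-1 and sends only the first five hex characters, gets back every suffix in that range, and compares locally, which is how the Have I Been Pwned range API keeps the full hash off the wire. The breach corpus and the `range_lookup` function are constructed stand-ins so the example runs offline; a real deployment would query `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
"""Password-change gate modelled on the HIBP k-anonymity range lookup (added example)."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
CONSTRUCTED_BREACHED = {"Summer2024!": 1200, "Password1": 98000, "Welcome1!": 4100}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Group breached hashes by 5-char prefix, mirroring the server side of the range API."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)

def range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>: returns 'SUFFIX:COUNT' lines."""
    return "\n".join(RANGE_INDEX.get(prefix, []))

def breach_count(password):
    """Only the 5-char prefix leaves the host; the suffix match happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)
    return 0

def evaluate_password(password, min_length=8):
    """Return (accepted, reason). Length is checked first so nothing is hashed needlessly."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n:
        return False, f"found in breach corpus {n} times"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Summer2024!", "short", "Tr0ub4dor&3"):
        print(candidate, evaluate_password(candidate))
```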
This isn’t reinventing identity.
It’s making your existing identity system… actually enforceable.
Or as I like to say:
We don’t reinvent the wheel. We make the wheel rounder.
Why this matters more than ever
Go back to Microsoft’s point:
Attackers are establishing persistence. Sitting quietly. Waiting.
Password spray is often the first domino.
If they get in once—even with a low-privileged account—they don’t need fireworks.
They need time.
And from there, it’s lateral movement. Privilege escalation. Living-off-the-land techniques.
Game over… just slower.
The shift: from detection to prevention
Here’s the uncomfortable truth:
EDR detects after the fact. SIEM alerts after the fact. Incident response shows up after the fact.
Password spray prevention?
That’s before the fact.
That’s the difference between chasing attackers and stopping them at the door.
Or better yet… never letting them find a door that works.
Bridge the gap. Don’t wait for perfection.
You already know where you want to go.
Passwordless. Phishing-resistant. Modern identity.
But until then?
You’ve got passwords. Deal with it.
Block compromised passwords. Enforce strong policy. Remove the low-hanging fruit attackers rely on.
Because the worst headline isn’t:
“Company breached by advanced nation-state actor”
It’s:
“Company breached… because of a weak password they could have prevented.”
Final thought
Microsoft just gave you the anchoring document.
The data is there. The pattern is obvious.
97% of attacks are coming in through the same front door.
So here’s the layup.
You know you should be passwordless. You’re not.
You’ve got passwords. And likely will for … a while. So, let’s just deal with it.
Use Netwrix Password Policy Enforcer to shut down password spray attacks.
Bridge the gap between what you have and where you want to go.
And don’t be in the newspapers because you could have done something… and didn’t.
About the author
Jeremy Moskowitz
Vice President of Product Management (Endpoint Products)
Jeremy Moskowitz is a recognized expert in the computer and network security industry. Co-founder and CTO of PolicyPak Software (now part of Netwrix), he is also a 17-time Microsoft MVP in Group Policy, Enterprise Mobility and MDM. Jeremy has authored several best-selling books, including “Group Policy: Fundamentals, Security, and the Managed Desktop” and “MDM: Fundamentals, Security, and the Modern Desktop.” In addition, he is a sought-after speaker on topics such as desktop settings management, and founder of MDMandGPanswers.com.