Unmasking a slow and steady password spray attack
a year ago
- #password-spray-attack
- #Microsoft-Azure
- #cybersecurity
- Attackers used a slow and steady password spray attack, targeting 24 users in a week with no more than 2 attempts per user to avoid detection.
- The attack was identified by analyzing tenant-wide activity rather than individual user timelines, revealing patterns across multiple users.
- Attackers used IPs from the range 2001:0470:c8e0::/48 to evade detection, hiding in plain sight within data center traffic.
- The key takeaway is the importance of examining tenant-wide activity logs creatively to uncover hidden attack patterns.
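The tenant-wide view described above, sketched as an added example that is not code from the original post: failed sign-ins are grouped by source prefix instead of by user, so a /48 that touches many accounts with one or two attempts each stands out. The event tuple shape, the thresholds, the /24 grouping for IPv4 and all sample addresses and user names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def find_slow_sprays(events, prefix_len=48, window=timedelta(days=7),
                     min_users=10, max_per_user=2):
    """Flag source prefixes whose failed sign-ins hit many users, few tries each.

    events: (timestamp, user, source_ip, succeeded) tuples for the whole tenant.
    Thresholds are illustrative assumptions, not values from the post.
    """
    failures = [e for e in events if not e[3]]
    if not failures:
        return []
    cutoff = max(e[0] for e in failures) - window
    per_prefix = defaultdict(lambda: defaultdict(int))  # prefix -> user -> failures
    for ts, user, ip, _ in failures:
        if ts < cutoff:
            continue
        plen = prefix_len if ":" in ip else 24  # assumption: /24 for IPv4 sources
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        per_prefix[net][user] += 1
    findings = []
    for net, users in per_prefix.items():
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_per_user:
            findings.append({"prefix": str(net), "users": len(users),
                             "attempts": sum(users.values()), "max_per_user": worst})
    return sorted(findings, key=lambda f: f["users"], reverse=True)

def constructed_events():
    """Constructed sample: 24 users, 1-2 failures each, spread over under a week."""
    start = datetime(2024, 1, 1, 8, 0)
    events = []
    for i in range(24):
        for attempt in range(1 + i % 2):
            ip = f"2001:470:c8e0:{i:x}::{attempt + 1:x}"  # constructed host in the /48
            events.append((start + timedelta(hours=6 * i + attempt),
                           f"user{i:02d}@example.test", ip, False))
    # Benign noise: one user mistyping a password, plus a successful sign-in.
    for n in range(5):
        events.append((start + timedelta(minutes=n), "alice@example.test",
                       "2001:db8:1::5", False))
    events.append((start + timedelta(hours=1), "bob@example.test", "198.51.100.7", True))
    return events

if __name__ == "__main__":
    for finding in find_slow_sprays(constructed_events()):
        print(finding)
```

The user with five failures from a single address is not flagged, while the prefix with 24 users at no more than two failures each is, which is the inverse of what a per-user failure threshold would report.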