Welcome to the first installment of a series of blog articles that delve into the modern techniques and security controls surrounding password spraying. This series is a follow-up to my presentation, "What the Hell is Azure AD Smart Lockout?" and will explore the current techniques, tactics, and procedures (TTPs) for password spraying, share my research findings, and discuss industry observations on what can change to support these practices better. While I don’t plan on releasing specific tools throughout this process, we’ll see where the journey takes us.

The Evolution of Password Spraying

Password spraying has long been the bread and butter for many attackers looking to gain an initial foothold in an organization. As TheTechromancer aptly put it:

Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. This made it pretty fun. You start by gathering up a big list of emails, then you kick off a spray with a stupid password like "Spring2022!" and spend the next ten minutes getting disproportionately large and debatably undeserved hits of dopamine as you discover just how many employees are using that stupid password.
Link: blacklanternsecurity/TREVORspray: TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!


In the past, attackers targeted on-premises solutions like OWA, RDP Web, ADFS, and Skype for Business, and over the years significant work has gone into exploiting these self-hosted platforms. However, as organizations migrate to the cloud, these self-hosted solutions are becoming less common due to their vulnerabilities and ease of abuse. Today, most services are hosted in the cloud as Software as a Service (SaaS) applications, using protocols like OAuth 2.0 and single sign-on (SSO). This shift brings new challenges and opportunities for security controls integrated into authentication processes.

Spraying Microsoft Services Today

New password-spraying tools pop up constantly, and while I won't dive into them in this article, it's crucial to understand which features the community considers essential for making a password-spraying tool effective or ineffective. Specifically, most if not all of them focus on embedded evasion features, which include:

  • Source IP Rotation: Rotating the IP addresses used in attacks to avoid detection.
  • Shuffling of Authentication Endpoints and OAuth Values: Randomizing these values to evade security mechanisms.
  • Use of Obscure Authentication Endpoints: Tools leverage obscure authentication endpoints not commonly used by end-users.
  • Time Frame Restrictions: Limiting attacks to working hours or other specified time periods.
  • Randomization: Introducing randomness in the order of usernames and password combinations during attacks.
  • Delays and Jitters: Implementing delays between login attempts and rounds of sprays to mimic legitimate user behavior.
  • Username Validation: Verifying the legitimacy of usernames before conducting password spraying.

What is Entra Smart Lockout, really?

In the past, attackers only had to worry about local Active Directory lockout policies. However, password spraying has become more challenging with the advent of AADSTS50053, aka Entra Smart Lockout.

Link: Protect user accounts from attacks with Microsoft Entra smart lockout: Learn how Microsoft Entra smart lockout helps protect your organization from brute-force attacks that try to guess user passwords.



Smart Lockout is designed to thwart password-spraying attempts, similar to AD FS extranet lockout and extranet smart lockout, which could be a whole article in itself, mind you.

Link: AD FS Extranet Lockout and Extranet Smart Lockout Overview: Learn more about AD FS Extranet Lockout and Extranet Smart Lockout to protect your users from experiencing extranet account lockout from malicious activity.

Note: We've never seen anyone actually explore AD FS extranet lockout publicly from an offensive perspective. Worth some research?


So what does Microsoft say Entra Smart Lockout is? A quick summary, to spare you from reading Microsoft's historically... questionable documentation, is below.

  • Entra Smart Lockout has a default lockout threshold:
    • Azure Public and Microsoft Azure operated by 21Vianet: locks accounts after 10 failed sign-in attempts.
    • Azure US Government: locks accounts after 3 failed sign-in attempts.
  • There are lockout periods similar to on-premises Active Directory environments:
    • The initial lockout period is one minute, increasing with subsequent failed attempts.
    • It tracks the last three bad password hashes to prevent repeated lockouts for the same bad password.
  • Separate, undisclosed lockout counters exist based on the familiarity of the sign-in location:
    • Uses location-based analysis to distinguish between familiar and unfamiliar sign-ins.
    • Keeps separate lockout counters for familiar and unfamiliar locations.
  • Pay to play for customization:
    • Requires Microsoft Entra ID P1 or higher licenses.
    • Administrators can set custom lockout thresholds and durations in the Microsoft Entra admin center.
  • The lockout timer can be reset using Self-Service Password Reset (SSPR):
    • Users can unlock accounts via SSPR, either by resetting their password or by confirming they know their password, with the lockout timer reset varying by method.
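To make the counter rules above concrete, here is an added toy model (not Microsoft's implementation and not code from this post) of how the threshold, the familiar/unfamiliar split and the last-three-bad-hashes rule interact. The doubling lockout duration, a per-user set of familiar IPs, and a successful sign-in clearing the counter are assumptions the documentation summary does not state.

```python
# Added example (not Microsoft's code): a toy model of the Smart Lockout rules summarised
# above, so you can reason about how the counters interact. Assumptions not on the page:
# each successive lockout doubles the duration, a successful sign-in clears the counter
# and marks the source IP "familiar" for that user.
import hashlib
from collections import deque

AADSTS50053 = "AADSTS50053"  # code the page says is returned when lockout triggers


class SmartLockoutModel:
    def __init__(self, threshold=10, initial_lockout=60, good_password="hunter2"):
        self.threshold = threshold              # 10 for Azure Public, 3 for Azure US Government
        self.initial_lockout = initial_lockout  # seconds; the first lockout period is one minute
        self.good_password = good_password      # constructed value for the demo
        self.familiar_ips = set()
        # Separate counters per location familiarity, each remembering the last three bad hashes.
        self.state = {b: {"fails": 0, "locked_until": 0, "lockouts": 0, "bad": deque(maxlen=3)}
                      for b in ("familiar", "unfamiliar")}

    def attempt(self, ip, password, now):
        bucket = "familiar" if ip in self.familiar_ips else "unfamiliar"
        s = self.state[bucket]
        if now < s["locked_until"]:
            return AADSTS50053                  # locked: blocked regardless of password validity
        if password == self.good_password:
            s["fails"] = 0
            s["bad"].clear()
            self.familiar_ips.add(ip)           # assumption: success makes the location familiar
            return "OK"
        h = hashlib.sha256(password.encode()).hexdigest()
        if h not in s["bad"]:                   # a repeat of a recent bad password does not count
            s["bad"].append(h)
            s["fails"] += 1
        if s["fails"] >= self.threshold:
            s["lockouts"] += 1
            s["locked_until"] = now + self.initial_lockout * 2 ** (s["lockouts"] - 1)
            s["fails"] = 0
            return AADSTS50053
        return "WRONG_PASSWORD"
```

Running ten distinct wrong passwords from an unfamiliar address trips the lock on the tenth, while the same user signing in from a familiar address is unaffected because that bucket has its own counter.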

At the bottom of the article, however, we also spot this:

In addition to Smart lockout, Microsoft Entra ID also protects against attacks by analyzing signals including IP traffic and identifying anomalous behavior. Microsoft Entra ID blocks these malicious sign-ins by default and returns AADSTS50053 - IdsLocked error code, regardless of the password validity.
Link: Prevent attacks using smart lockout - Microsoft Entra ID: Learn how Microsoft Entra smart lockout helps protect your organization from brute-force attacks that try to guess user passwords.


The error code returned to indicate that Entra Smart Lockout has been triggered for a specific user is AADSTS50053, and it shows up quite frequently in the password-spraying tooling on the market. As described above, however, this error code can mean either that you triggered a true account lockout due to too many attempts in a specific period, OR that signals analyzed from your login attempt indicated to Microsoft that password spraying is happening.

With this being the case, if we were able to circumvent this signals-based detection, we would actually only be going up against a lockout policy that is much more permissive than what we typically encounter in corporate Active Directory environments. Wouldn't that be awesome!?

In summary, Entra Smart Lockout expands on the idea of Extranet Lockout: according to Microsoft's documentation, it not only analyzes login patterns but also blocks sign-ins based on various signals, including IP traffic and anomalous behavior, regardless of password validity. This is what we are all trying to beat.

Hunting for a needle in a needle stack

Microsoft's documentation mentions "default protections," which include analyzing signals and identifying anomalous behavior to block malicious sign-ins, returning the AADSTS50053 error code.

AADSTS50053
This error can result from two different reasons:
  • IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts. See Remediate risks and unblock users.
  • Or, sign-in was blocked because it came from an IP address with malicious activity.
Link: Microsoft Entra authentication & authorization error codes - Microsoft identity platform: Learn about the AADSTS error codes that are returned from the Microsoft Entra security token service (STS).


Based on my research, it appears that Microsoft's Smart Lockout started as an iteration of AD FS extranet smart lockout. Over time it has evolved, incorporating insights from machine learning models to detect password-spraying techniques. After a little digging, I was able to find the following content published by Microsoft in the past five years or so:

Hunting for Low and Slow Password Sprays Using Machine Learning

An article from @AmritpalSingh & @TomMcElroy on using data science to detect password spraying techniques at scale (2022).

Link: Hunting for Low and Slow Password Sprays Using Machine Learning: Bring your sign-in data and use our new machine learning Sentinel notebook to surface patterns of anomalous activity, at scale, using Spark.


The science behind Azure Active Directory Identity Protection | OD294

A video from Microsoft Ignite discussing Azure Identity Protection but, more importantly, the technology behind what was at the time Azure Smart Lockout (2020).

Link: The science behind Azure Active Directory Identity Protection | OD294: Azure Active Directory Identity Protection detects and prevents identity attacks in cloud environments and helps admins understand their risk standing with insights and reporting, enabling risk-based policies for a hands-free security experience. At the core of Identity Protection is its risk engine, which uses ML, UEBA, and anomaly detection to detect your compromised users. Come learn about the science that powers Identity Protection and how it is taking security intelligence to the next level.


Both sources highlight the use of supervised machine learning models to analyze features and behaviors indicative of password-spraying attacks.

A Supervised Learning Model

The integration of machine learning into Smart Lockout involves supervised learning models that analyze user behavior to identify anomalies. These models are trained to detect patterns that deviate from normal behavior, similar to the way Endpoint Detection and Response (EDR) systems operate. By understanding these patterns, Microsoft can effectively block password-spraying attempts.

Key Features of Smart Lockout Detection

Microsoft likely uses several key features to detect password spraying at scale:

  • Analyzing IP traffic for unusual patterns.
  • Identifying deviations from normal user behavior.
  • Comparing behavior against global and specific organizational baselines.

A sneak peek at this can be found in the article listed above from Amritpal Singh.

While the article itself is meant for individual organizations to track password spraying, I think we can all presume that the methodology is quite close to what Microsoft was using under the hood at the time the article was written. Of course, the model has likely evolved since, making the data gleaned in our next article only a small piece of the puzzle.
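As an added example (not the Sentinel notebook's code and not anything from Microsoft or this post), here is a rule-based stand-in for the first two features above, run over a few constructed sign-in records: a source IP that fails once against many accounts inside a window is flagged, while a single user mistyping their own password several times is not. The window length and thresholds are assumptions for the demo.

```python
# Added example, not Microsoft's model or the Sentinel notebook: a rule-based stand-in
# for the "many accounts, few attempts each, one source" signature behind those features.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample records: 203.0.113.7 fails once against six accounts, 198.51.100.4 is one user mistyping.
SAMPLE_LOG = """\
timestamp,user,ip,result
2024-05-01T09:00:01,alice@example.com,203.0.113.7,failure
2024-05-01T09:03:12,bob@example.com,203.0.113.7,failure
2024-05-01T09:06:40,carol@example.com,203.0.113.7,failure
2024-05-01T09:10:05,dave@example.com,203.0.113.7,failure
2024-05-01T09:13:59,erin@example.com,203.0.113.7,failure
2024-05-01T09:17:21,frank@example.com,203.0.113.7,failure
2024-05-01T09:02:00,alice@example.com,198.51.100.4,failure
2024-05-01T09:02:20,alice@example.com,198.51.100.4,failure
2024-05-01T09:02:45,alice@example.com,198.51.100.4,failure
2024-05-01T09:03:10,alice@example.com,198.51.100.4,success
"""


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def spray_candidates(rows, window_hours=1, min_users=5, max_per_user=2):
    # Thresholds are assumptions for the demo, not values from Microsoft's model. Flag a source
    # IP when, inside one sliding window, its failures span >= min_users accounts with <= max_per_user each.
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "failure":
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: r["timestamp"])
        start = 0
        for end in range(len(fails)):
            while (fails[end]["timestamp"] - fails[start]["timestamp"]).total_seconds() > window_hours * 3600:
                start += 1
            per_user = defaultdict(int)
            for r in fails[start:end + 1]:
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)  # accounts touched in the flagged window
    return flagged
```

A real deployment would replace the fixed thresholds with the per-tenant baselines the third feature describes, which is exactly where the notebook's model earns its keep.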

Conclusion

As a parting gift, I have created a GitHub repository titled Awesome Password Spraying for everyone to explore and contribute to.

Link: puzzlepeaches/awesome-password-spraying: Everything and anything related to password spraying.


The goal here is to have a one-stop shop where everyone can review what the tooling landscape looks like today. I encourage you all to take a look and submit PRs where you see fit. I will use this as a jumping-off point for tool comparisons in the follow-up piece.

In our next article, we will delve deeper into the data science behind Microsoft Entra Smart Lockout, potential attacks against supervised machine learning models, and a comparison of existing tools and their evasion features.