What Is Password Spraying and How Does This Attack Work?
Password spraying tests one password across thousands of accounts to avoid lockout. Understand how the attack works and the controls that stop it.
May 14, 2026
Password spraying is a persistent risk in large identity environments because it gives attackers a cheap path to initial access: a single successful login can expose email, cloud services, and any internal system that still depends on password-based authentication.
Key Takeaways
Password spraying tests one password across many accounts to stay below per-account lockout thresholds.
The attack remains effective because common, policy-compliant passwords still persist across enterprise environments.
Multi-factor authentication (MFA) is one of the strongest controls, but coverage gaps and legacy protocol exceptions can still leave accounts exposed.
Detection depends on monitoring unsuccessful login activity and identifying suspicious authentication patterns across many accounts.
What Is Password Spraying?
Password spraying is a brute-force technique that tests a small set of common passwords against a large set of accounts.
How One Password Tests Thousands of Accounts Without Triggering Lockout
As described in a CISA advisory, attackers avoid typical lockout thresholds by trying one common password across many accounts instead of many passwords against one account. If that password fails everywhere, they wait and try a different one. The attacker does not need to guess the right password for a specific person. They just need to find the one account, out of potentially thousands, where someone picked a password that matches their guess.
Password spraying defeats lockout controls through simple arithmetic: if the attacker submits only one attempt per account per reset window, no individual account ever reaches the failure threshold. The lockout counter resets before the next password is tried.
Account lockout policies are meant to stop a password from being guessed through repeated failed attempts against one account. Because they count failures per account, they do not reliably catch the horizontal pattern in which one password is quietly tested across an entire directory, which is exactly the pattern spraying relies on.
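The arithmetic above is easiest to see by running it. The following is an added example, not code from the original article: a toy directory that enforces a Windows-style lockout policy (5 failures within a 15-minute window, modelled here as a sliding window) against a constructed population of 100 accounts, one of which uses a seasonal password. The same seven guesses are then delivered three ways: vertically against one account, horizontally with a pause longer than the reset window between passwords, and horizontally without that pause. Account names, passwords and the policy numbers are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """`threshold` failures inside `window_sec` locks the account.

    The counter is modelled as a sliding window: only failures younger than
    `window_sec` count, standing in for "reset account lockout counter after".
    """
    threshold: int = 5
    window_sec: int = 15 * 60


class Directory:
    """Minimal identity store that applies a LockoutPolicy to failed sign-ins."""

    def __init__(self, policy: LockoutPolicy, secrets: dict[str, str]):
        self.policy = policy
        self.secrets = secrets                        # username -> the password that account really uses
        self.failures: dict[str, list[float]] = defaultdict(list)
        self.locked: set[str] = set()

    def attempt(self, t: float, user: str, password: str) -> str:
        """Authenticate at time `t` (seconds); returns 'success', 'failure' or 'locked'."""
        if user in self.locked:
            return "locked"
        if self.secrets.get(user) == password:
            return "success"
        recent = [f for f in self.failures[user] if t - f < self.policy.window_sec]
        recent.append(t)
        self.failures[user] = recent
        if len(recent) >= self.policy.threshold:
            self.locked.add(user)
            return "locked"
        return "failure"


def brute_force(directory, user, guesses, gap_sec=1.0):
    """Vertical: many passwords against one account, one attempt per second."""
    return [(user, pw, directory.attempt(i * gap_sec, user, pw)) for i, pw in enumerate(guesses)]


def spray(directory, users, guesses, round_gap_sec):
    """Horizontal: one password against every account (one attempt per second per account),
    then wait `round_gap_sec` before starting the next password."""
    log = []
    for r, pw in enumerate(guesses):
        for j, user in enumerate(users):
            log.append((user, pw, directory.attempt(r * round_gap_sec + j, user, pw)))
    return log


def summarize(log, directory):
    return {"successes": sorted({u for u, _, res in log if res == "success"}),
            "locked_accounts": len(directory.locked)}


def run_demo():
    policy = LockoutPolicy(threshold=5, window_sec=15 * 60)
    users = [f"user{i:03d}" for i in range(100)]
    # Constructed directory: 99 accounts with an unguessable password, one with a seasonal one.
    secrets = {u: "long unguessed passphrase, never in the spray list" for u in users}
    secrets["user042"] = "Winter2019!"
    guesses = ["Spring2019!", "Summer2019!", "Autumn2019!", "Password1!",
               "Company2019!", "Welcome1!", "Winter2019!"]          # the right one is the 7th

    d1 = Directory(policy, secrets)
    vertical = summarize(brute_force(d1, "user042", guesses), d1)    # locked after 5 failures

    d2 = Directory(policy, secrets)
    slow = summarize(spray(d2, users, guesses, round_gap_sec=16 * 60), d2)   # outlasts the window

    d3 = Directory(policy, secrets)
    fast = summarize(spray(d3, users, guesses, round_gap_sec=60), d3)        # too impatient

    return {"brute_force": vertical, "slow_spray": slow, "fast_spray": fast}


if __name__ == "__main__":
    print(run_demo())
```

The vertical run locks the target after the fifth guess and never reaches the correct seventh one. The paced spray reaches it with zero lockouts because every account sees at most one failure per window. The impatient spray is the instructive failure mode: it locks all 100 accounts, including the one with the weak password, so the attacker trades a quiet success for a very loud nothing.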
How Password Spraying Works in Practice
Password spraying works through a repeatable workflow that starts with username collection, moves through carefully paced login attempts, and turns any successful authentication into broader access.
Gathering Usernames and Selecting Likely Passwords
Attackers may build username lists from public information, including employee names on LinkedIn profiles and company websites, before attempting password spraying.
Password selection is similarly methodical. Attackers choose passwords that satisfy the target organization's complexity requirements while being common enough to be in actual use. Seasonal patterns can also appear in weak passwords. CISA has warned about common passwords such as seasonal or organization-themed variants, for example 'Winter2019' or '[Company Name]@'.
Spreading Attempts Across Time and Accounts
The pacing of a spray campaign is what makes it operationally distinct from other brute-force techniques. A common pattern involves making one authentication attempt per account across many accounts, then waiting out the lockout reset window before trying the next password.
Some threat groups take this patience further, spreading authentication attempts over several days or weeks while rotating source IP addresses between requests using proxy services and cloud-hosted virtual machines.
Turning One Valid Login Into Broader Access
A single successful login can become a foothold for broader access. Once attackers confirm a valid username-password pair, they move quickly to map directory relationships, escalate privileges, and pivot to additional accounts. When organizations detect and reset individual compromised passwords, sophisticated attackers may pivot to other accounts compromised during the same spray campaign to maintain access.
Password Spraying vs. Brute-Force and Credential Stuffing
Password spraying differs from brute-force and credential stuffing attacks in what the attacker starts with and in the authentication patterns defenders need to catch.
How the Attack Direction and Starting Knowledge Differ
Brute Force: The attacker picks one account and tests many passwords. Requires only a target username.
Password Spraying: One password is tested across many accounts in a single pass before the next password is tried. Requires a username list and a small set of common passwords.
Credential Stuffing: Known username-password pairs from previous breaches are replayed against new services. Requires real credentials from a prior breach.
Credential stuffing starts with a password already exposed in a prior breach, while password spraying guesses it based on human behavior patterns and organizational context.
What Each Attack Looks Like in Telemetry
Each of the three leaves a different footprint in authentication logs, and that footprint is what detection has to key on.
Brute Force: High-volume failed login events concentrated on a single account.
Password Spraying: Failed login attempts spread across many accounts using one or more common passwords to avoid account lockouts. Detection often focuses on failed logins across multiple user accounts, sometimes from a single IP address and sometimes across multiple IP addresses.
Credential Stuffing: Harder to distinguish from normal traffic because the credentials are correctly formatted and may be valid. The primary signal is unusual login volume from unexpected geographies or IP ranges.
Why Password Spraying Still Succeeds
Password spraying still succeeds because weak passwords, incomplete MFA coverage, and legacy protocol exceptions remain common in many environments.
Weak and Reused Passwords Keep Spray Lists Effective
Spray lists work because common passwords are genuinely in use across enterprise environments. The Verizon DBIR found that credential abuse accounted for 22% of breaches as an initial access vector, the single most common entry point. Password reuse compounds the risk: when users choose the same password for their corporate account and a personal service that later suffers a breach, that password becomes part of the attacker's spray list.
The seasonal password pattern is a direct product of forced periodic rotation. When users must change a password on a schedule, many default to a predictable formula built around time of year and a special character to satisfy complexity rules. As NIST SP 800-63B-4 notes, password complexity rules can create a false sense of security while encouraging predictable patterns that attackers can guess more easily.
MFA Gaps Leave High-Value Accounts Exposed
MFA is one of the strongest defenses against password spraying because a correct password alone is not enough to complete authentication.
Many organizations still deploy MFA selectively, protecting primary login portals while leaving service accounts, legacy applications, and contractor accounts without a second factor. Threat actors have used weakly protected accounts as an initial foothold to gain broader access to email environments. Every account without MFA is an endpoint where a correct password grants full access.
Legacy Protocols That Bypass Modern Authentication
Legacy authentication protocols can leave accounts exposed even when MFA is broadly deployed. IMAP, POP3, and SMTP AUTH are common blind spots because clients authenticate with a username and password alone and the protocols offer no step at which a second factor can be demanded, unlike modern token-based sign-in flows. Attackers deliberately target these endpoints because a correct password grants access regardless of the MFA policy applied to the primary web login.
Real-World Password Spraying Examples
Real-world password spraying examples show that this technique remains a practical initial access method across sectors and countries.
How Nation-State Groups Target High-Value Sectors
APT29, attributed to Russia's Foreign Intelligence Service, used a spray attack to compromise a legacy non-production test tenant account at a major technology company. The breach ultimately gave the attackers access to senior leadership email. A CISA advisory documents the same actor expanding its targeting to aviation, education, law enforcement, and military organizations.
Russian state-sponsored and criminal cyber actors described in CISA advisory AA22-011A used distributed infrastructure to conduct password spray campaigns against multiple critical infrastructure sectors, including Defense Industrial Base, Healthcare and Public Health, and Energy sectors. The timing is deliberately slow, with campaigns designed to operate for extended periods without detection.
How to Detect and Reduce Password Spraying Risk
Reducing password spraying risk depends on detecting patterns across the whole identity environment and limiting the conditions that let a single password open access.
Watching for Distributed Failed Logins
The signature of a spray attack is a pattern of failed authentications distributed across many accounts rather than concentrated on one. Because password spraying spreads login attempts across many accounts, monitoring that only looks for repeated failures on a single account may miss this pattern.
The detection logic that catches spraying counts failures across accounts, not per account, within a time window. Defenders never see the attempted password itself, so the usable signals are structural: many distinct usernames each failing once or twice from a single IP or a small set of IPs, the same unusual user-agent string across unrelated login attempts, and a burst of failures followed by an isolated success from the same source.
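The correlation described in this section, as an added example that is not part of the original article: a sliding-window detector run over constructed sign-in records (the `result=... user=... src=... ua="..."` line format is an assumption standing in for whatever the IdP or SIEM emits, and all IPs are from documentation ranges). It flags a source that fails against many distinct accounts, keys on user agent as well as IP so that a spray rotating through cloud IPs is still tied together, reports a single account under brute force for contrast, and calls out a success from a source already flagged as spraying, since that is the account the attacker now holds. Thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Record format is an assumption standing in for the IdP's own sign-in log.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) result=(?P<result>success|failure) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable sign-in record: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=timedelta(minutes=30), spray_min_users=10, bruteforce_min_failures=10):
    """Correlate failed sign-ins over a sliding window.

    spray:               one key (source IP, or user agent to survive IP rotation) failing
                         against >= spray_min_users distinct accounts inside the window
    bruteforce:          one account with >= bruteforce_min_failures failures inside the window
    success_after_spray: a success from a key already flagged as spraying

    Caveat: keying on user agent only makes sense for scripted, unusual agents; a browser
    UA shared by the whole workforce would trip it on ordinary typos. In production restrict
    the UA key to non-browser agents or key on ASN instead.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # key -> failures still inside the window
    alerts = {"spray": set(), "bruteforce": set(), "success_after_spray": set()}

    for ev in events:
        src_key, ua_key, user_key = ("src", ev["src"]), ("ua", ev["ua"]), ("user", ev["user"])
        if ev["result"] == "success":
            if src_key in alerts["spray"] or ua_key in alerts["spray"]:
                alerts["success_after_spray"].add(ev["user"])
            continue
        for key in (src_key, ua_key, user_key):
            dq = recent[key]
            dq.append(ev)
            while ev["ts"] - dq[0]["ts"] > window:   # expire failures older than the window
                dq.popleft()
            if key[0] == "user":
                if len(dq) >= bruteforce_min_failures:
                    alerts["bruteforce"].add(ev["user"])
            elif len({e["user"] for e in dq}) >= spray_min_users:
                alerts["spray"].add(key)
    return {k: sorted(v) for k, v in alerts.items()}


def sample_log() -> list[str]:
    """Constructed sign-in records (not real telemetry); documentation IP ranges only."""
    t0 = datetime(2026, 5, 14, 9, 0, 0)

    def rec(offset_s, result, user, src, ua):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f'{ts} result={result} user={user} src={src} ua="{ua}"'

    users = [f"user{i:02d}" for i in range(12)]
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
    lines = []
    # 1) classic spray: one IP, one scripted UA, one failure per account, then a hit on user07
    lines += [rec(i, "failure", u, "203.0.113.7", "python-requests/2.31") for i, u in enumerate(users)]
    lines.append(rec(12, "success", "user07", "203.0.113.7", "python-requests/2.31"))
    # 2) slower spray behind rotating IPs: only the user agent ties the attempts together
    lines += [rec(600 + i * 60, "failure", u, f"198.51.100.{20 + i}", "curl/8.4.0") for i, u in enumerate(users)]
    # 3) brute force: one account hammered from one IP
    lines += [rec(1800 + i, "failure", "admin", "198.51.100.9", "Go-http-client/1.1") for i in range(15)]
    # 4) benign noise: a few mistyped passwords from browsers, well under every threshold
    lines += [rec(100 + i * 300, "failure", f"user{i:02d}", f"192.0.2.{i + 1}", browser) for i in range(4)]
    lines.append(rec(2000, "success", "user00", "192.0.2.1", browser))
    return lines


if __name__ == "__main__":
    for kind, hits in detect(sample_log()).items():
        print(f"{kind}: {hits}")
```

Per-account counting would have missed both sprays entirely (no account in either fails more than once from the same source) and would have caught only the noisy brute force against `admin`. The rotating-IP spray never exceeds one failure per source address; it is visible only because the attacker kept the same tooling.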
Layering MFA, Banned Passwords, and Protocol Controls
MFA is one of the most effective preventive controls against password spraying because it adds a second factor beyond the password.
Banned-password lists add a complementary layer. NIST SP 800-63B-4 requires that new passwords be checked against a blocklist of commonly used, expected, or compromised passwords; that list may also include dictionary words and context-specific terms such as the organization's name. Disabling legacy authentication protocols that cannot support MFA is one of the most impactful steps an organization can take. IMAP, POP3, SMTP AUTH, and Exchange Web Services with basic authentication all represent endpoints where a correct password alone grants full access. Lockout policies still have a role, but they need careful tuning to balance attack resistance with legitimate user access.
Why Identity Hygiene Matters More Than Complexity Rules
Identity hygiene matters more than complexity rules because predictable password patterns are easier to spray than longer, less common passwords screened against known weak choices.
Complexity rules can create the illusion of security without addressing the structural weaknesses that spraying exploits. NIST SP 800-63B-4 now explicitly prohibits mandatory composition rules and forced periodic password rotation except when there is evidence of compromise. The standard instead requires longer minimum passwords, with one minimum for environments protected by MFA and a longer minimum for single-factor authentication.
Blocklist screening is a recommended control: verifiers should check new passwords against commonly used or compromised passwords, with additional checks such as dictionary or organization-specific terms left to implementer discretion rather than mandated as requirements. This approach directly counters the predictable patterns that complexity rules produce. Length-based requirements combined with breach-informed blocklists force users away from common formulas without pushing them toward predictable substitutions.
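The contrast this section draws, as an added example that is not part of the original article: a legacy composition rule beside a verifier written in the shape of the NIST SP 800-63B-4 guidance described above (length minimum that depends on whether the password is the only factor, a mandatory blocklist check, optional organization-specific terms, no composition rules). The blocklist is a small constructed stand-in for a breach-corpus feed, the trailing-punctuation normalization and the season-plus-year pattern check are this example's own additions, and the `Acme` organization term is an assumption.

```python
import re

# Constructed stand-in for a breach-corpus / common-password feed (assumption; a real
# deployment would consult a full compromised-password dataset instead of this set).
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "welcome1", "qwerty123", "letmein", "changeme",
    "spring2019", "summer2019", "autumn2019", "winter2019",
}

# The formula the article singles out: season + four-digit year, after normalization.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)(19|20)\d{2}$")

PUNCT = "!@#$%^&*().,-_+=?"


def complexity_only(pw: str) -> bool:
    """The legacy rule spraying exploits: 8+ characters with upper, lower, digit and symbol."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))


def normalize(pw: str) -> str:
    """Lower-case and strip leading/trailing punctuation so 'Winter2019!' matches 'winter2019'.
    (A real verifier would also apply Unicode NFKC; omitted here.)"""
    return pw.lower().strip(PUNCT)


def screen(pw: str, *, mfa_enforced: bool, org_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Length minimum: 8 when the password is one of two factors, 15 when it is the only factor.
    Blocklist check is always applied; organization-specific terms are checked when supplied.
    No composition rules are enforced.
    """
    reasons = []
    minimum = 8 if mfa_enforced else 15
    if len(pw) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    norm = normalize(pw)
    if norm in BLOCKLIST:
        reasons.append("appears in a breach corpus or common-password list")
    if SEASON_YEAR.match(norm):
        reasons.append("matches the season-plus-year formula")
    for term in org_terms:
        if term.lower() in norm:
            reasons.append(f"contains organization term '{term}'")
    return reasons


def compare(candidates, org_terms=("Acme",)):
    """Side by side: what the complexity rule accepts versus what screening accepts."""
    return {pw: {"complexity_rule": complexity_only(pw),
                 "screened_single_factor": screen(pw, mfa_enforced=False, org_terms=org_terms),
                 "screened_with_mfa": screen(pw, mfa_enforced=True, org_terms=org_terms)}
            for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in compare(["Winter2019!", "Autumn2026!", "Acme@2026", "P@ssw0rd!",
                                "tide pool lantern quietly folds"]).items():
        print(f"{pw!r}: {verdict}")
```

Every spray-list favourite in the sample passes the complexity rule and fails screening, while the long passphrase fails the complexity rule and passes screening. The pattern check matters for a reason the corpus alone cannot cover: `Autumn2026!` is not in any breach dataset yet, but it is exactly what a forced rotation will produce next quarter.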
Building Defenses That Match the Threat
Password spraying succeeds by being quiet, patient, and aligned with the way people actually choose passwords. The most effective defense combines MFA on every authentication surface, banned-password lists informed by real breach data, monitoring that correlates failures across accounts rather than counting them in isolation, and the discipline to disable legacy protocols that bypass modern authentication.