Password Spraying on Azure
How Password Spraying Manifests in Azure
Password spraying in Azure environments exploits the distributed nature of Microsoft's identity infrastructure. Attackers target Azure AD authentication endpoints with common passwords across many accounts, avoiding account lockouts by throttling requests. The Azure login flow involves multiple endpoints: login.microsoftonline.com for interactive auth, sts.windows.net for federated auth, and various regional endpoints.
The attack typically follows this Azure-specific pattern:
POST //oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=user@contoso.com&password=Summer2023&client_id=&scope=openid
Azure's authentication pipeline processes requests through multiple layers:
- Front Door load balancer routes to regional auth services
- Authentication service validates tenant, user existence
- Password validation occurs in isolated authentication workers
- Conditional Access policies apply (MFA, location, device compliance)
- Token issuance if all checks pass
Attackers exploit Azure's federated authentication with on-premises ADFS servers. A common pattern:
POST /adfs/services/trust/2005/usernamemixed HTTP/1.1
Host: ad.contoso.com
Content-Type: application/soap+xml
<s:Envelope>
  <s:Body>
    <wsse:UsernameToken>
      <wsse:Username>user@contoso.com</wsse:Username>
      <wsse:Password>Summer2023</wsse:Password>
    </wsse:UsernameToken>
  </s:Body>
</s:Envelope>
Azure AD records every attempt in the sign-in logs with a specific AADSTS error code. A password spray in progress shows up as clusters of codes like:
AADSTS50034: The user account does not exist in the directory. Try again with a different username.
AADSTS50053: Your account has been locked because of too many failed sign-in attempts. Try again later.
AADSTS50126: Invalid username or password
Azure's geo-distributed auth infrastructure means attackers can rotate through different regional endpoints (US, EU, Asia) to evade rate limiting. The authentication telemetry captures:
- Client IP and ASN information
- Device information (browser, OS, client app)
- Authentication method and protocol
- Conditional Access evaluation results
- Risk level assessment from Microsoft's identity protection
Azure AD Connect synchronization can also be targeted. Attackers may attempt to synchronize with on-premises AD to enumerate accounts before spraying passwords.
Azure-Specific Detection
Detecting password spraying in Azure requires monitoring multiple data sources and understanding Azure's authentication telemetry. Azure AD Sign-in logs provide the primary detection mechanism, accessible via Azure Portal, Microsoft Graph API, or Log Analytics workspace.
Key detection patterns in Azure AD logs:
// Query for suspicious authentication patterns: one source IP failing against many accounts
let startTime = ago(24h);
let endTime = now();
SigninLogs
| where TimeGenerated between (startTime .. endTime)
| where ResultType == "50126" // Invalid username or password
| summarize failed_attempts = count(), targeted_users = dcount(UserPrincipalName) by IPAddress
| where targeted_users > 10 // Threshold for investigation: a spray touches many accounts from one source
| project IPAddress, targeted_users, failed_attempts
Azure's Identity Protection provides risk-based detection with specific detections for password spray:
- Password spray attack: Multiple accounts targeted with common passwords
- Password spray attack on inactive accounts: Targets dormant accounts
- Password spray attack on federated accounts: Exploits ADFS or other federated auth
The Microsoft Graph API for Identity Protection:
GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections?$filter=riskEventType eq 'passwordSpray' and riskLevel eq 'high' and riskState eq 'atRisk'
middleBrick's Azure-specific scanning detects password spraying vulnerabilities by:
- Testing authentication endpoints with common password patterns
- Analyzing response timing to detect throttling mechanisms
- Checking for detailed error messages that aid attackers
- Verifying MFA enforcement on sensitive endpoints
- Scanning for legacy authentication protocols (SMTP, IMAP, POP3)
Azure Sentinel provides advanced detection using KQL queries:
// Advanced password spray detection: failed sign-ins per source IP, joined with any lockouts from the same IP
let timeframe = 1h;
let threshold = 20;
SigninLogs
| where TimeGenerated > ago(timeframe)
| where ResultType == "50126" // Invalid username or password
| extend Username = tostring(split(UserPrincipalName, '@')[0])
| summarize attempts = count(), targeted_users = dcount(Username) by IPAddress
| where attempts > threshold
// leftouter: a spray that stays under the lockout threshold produces no 50053 rows, and must not be dropped
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(timeframe)
    | where ResultType == "50053" // Account locked
    | summarize locked = count() by IPAddress
  ) on IPAddress
| project IPAddress, attempts, targeted_users, locked
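The spray-versus-brute-force distinction that the queries above rely on, worked through over constructed sign-in records. This is an added Python example, not code from the page or from middleBrick; it uses the SigninLogs field names the KQL uses, and the thresholds are assumptions.

```python
# Added example (not from the page): spray-versus-brute-force triage over
# Entra ID sign-in records, using the SigninLogs field names the KQL above uses.
# ResultType values are the AADSTS codes from the text: 50126 bad password,
# 50034 no such user, 50053 locked out. Thresholds are assumptions.
from collections import defaultdict

# Constructed sample sign-in records, not real telemetry.
SAMPLE_SIGNINS = (
    [{"IPAddress": "203.0.113.10", "UserPrincipalName": f"user{i}@contoso.com",
      "ResultType": "50126"} for i in range(25)]          # one guess, many users
    + [{"IPAddress": "203.0.113.10", "UserPrincipalName": "ghost@contoso.com",
        "ResultType": "50034"}]                             # enumeration hit
    + [{"IPAddress": "198.51.100.7", "UserPrincipalName": "ceo@contoso.com",
        "ResultType": "50126"} for _ in range(40)]          # one user, many guesses
    + [{"IPAddress": "198.51.100.7", "UserPrincipalName": "ceo@contoso.com",
        "ResultType": "50053"}]                             # smart lockout fired
    + [{"IPAddress": "192.0.2.5", "UserPrincipalName": "bob@contoso.com",
        "ResultType": "0"}]                                 # normal success
)

def profile_by_ip(records):
    """Per-source-IP failure profile, like `summarize ... by IPAddress` in KQL."""
    stats = defaultdict(lambda: {"failed": 0, "per_user": defaultdict(int),
                                 "unknown_users": 0, "lockouts": 0})
    for r in records:
        s, code, upn = stats[r["IPAddress"]], r["ResultType"], r["UserPrincipalName"]
        if code == "50126":          # wrong password for an existing account
            s["failed"] += 1
            s["per_user"][upn] += 1
        elif code == "50034":        # account does not exist: enumeration signal
            s["unknown_users"] += 1
        elif code == "50053":        # lockout: sprays usually stay below this
            s["lockouts"] += 1
    return stats

def classify(records, spray_min_users=10, spray_max_per_user=3, brute_min_attempts=20):
    """Map each failing IP to a verdict. A spray spreads a few attempts over many
    accounts; brute force hammers one account and tends to trip smart lockout."""
    verdicts = {}
    for ip, s in profile_by_ip(records).items():
        if not s["failed"]:
            continue
        per_user = s["per_user"]
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[ip] = "password_spray"
        elif max(per_user.values()) >= brute_min_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "review"
    return verdicts
```

The 50034 count is worth surfacing separately: a run of non-existent usernames from the same IP usually means the attacker is still building the account list.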
Azure AD's smart lockout mechanism provides protection but can be bypassed by:
- Using different IP addresses
- Targeting different authentication endpoints
- Exploiting federated authentication where lockout policies differ
- Attacking during high-traffic periods when monitoring is less effective
Azure-Specific Remediation
Remediating password spraying in Azure requires a multi-layered approach using Azure's native security features. The foundation is Azure AD's built-in protections combined with conditional access policies.
Enable Azure AD Smart Lockout. Smart lockout is on by default (10 failed attempts, 60-second lockout) and has no Azure CLI command; tighten it in the Entra admin center under Protection > Authentication methods > Password protection:
Lockout threshold: 5
Lockout duration in seconds: 300 (5 minutes)
Configure Conditional Access policies to block legacy authentication:
# Conditional Access has no dedicated az command; create the policy through Microsoft Graph with az rest
# (requires the Policy.ReadWrite.ConditionalAccess permission)
az rest --method POST --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
  --body '{
    "displayName": "Block Legacy Auth",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "other"],
      "applications": {"includeApplications": ["All"]},
      "users": {"includeUsers": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}
  }'
# "other" is the client app type that covers IMAP, SMTP, POP and the remaining basic-auth clients
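A defender can audit an exported Conditional Access policy for the gaps that keep legacy authentication sprayable. This is an added Python example, not code from the page or from middleBrick; the policy objects are constructed in the Graph conditionalAccessPolicy shape, and the list of checks is an assumption about what a complete block looks like.

```python
# Added example (not from the page): audit a Conditional Access policy JSON
# (Graph conditionalAccessPolicy shape) for legacy-auth gaps.
# The client app types that legacy protocols fall under; "other" is the
# catch-all for basic-auth clients such as IMAP, SMTP and POP.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def audit_legacy_auth_block(policy):
    """Return a list of findings; an empty list means the policy fully blocks legacy auth."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so the block is not enforced")
    cond = policy.get("conditions", {})
    missing = LEGACY_CLIENT_APP_TYPES - set(cond.get("clientAppTypes", []))
    if missing:
        findings.append(f"clientAppTypes does not cover {sorted(missing)}")
    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("users.includeUsers does not include 'All'")
    if users.get("excludeUsers"):
        findings.append("users.excludeUsers exempts accounts; confirm each exemption is intended")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        findings.append("applications.includeApplications does not include 'All'")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grantControls does not block")
    return findings

# Constructed weak policy: report-only, ActiveSync only, a service account exempted.
WEAK_POLICY = {
    "displayName": "Block Legacy Auth", "state": "enabledForReportingButNotEnforced",
    "conditions": {"clientAppTypes": ["exchangeActiveSync"],
                   "users": {"includeUsers": ["All"], "excludeUsers": ["svc-scanner"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
# Constructed corrected policy: enforced, both legacy client app types, no exemptions.
HARDENED_POLICY = {
    "displayName": "Block Legacy Auth", "state": "enabled",
    "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                   "users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
```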
Implement MFA for all users, especially administrators:
# Enable MFA for all users: a Conditional Access grant control, created through Microsoft Graph with az rest
az rest --method POST --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
  --body '{"displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {"clientAppTypes": ["all"],
      "applications": {"includeApplications": ["All"]}, "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}'
# Require MFA for admin roles: scope a policy to directory roles by role template ID
# (62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template)
az rest --method POST --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
  --body '{"displayName": "Require MFA for admins", "state": "enabled",
    "conditions": {"clientAppTypes": ["all"], "applications": {"includeApplications": ["All"]},
      "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}'
middleBrick's remediation guidance for Azure password spraying includes:
- Enable Azure AD Smart Lockout with appropriate thresholds
- Configure Conditional Access to block legacy auth protocols
- Implement MFA for all privileged accounts
- Enable Identity Protection with automated responses
- Monitor authentication logs with Azure Monitor alerts
Azure AD Connect security hardening:
- Treat the Azure AD Connect server as a Tier 0 asset: its sync account can read password hashes from on-premises AD, so restrict local administrator membership and interactive logon to the people who administer domain controllers
- Keep password hash synchronization enabled, since Identity Protection's leaked-credential detection only covers accounts whose hashes are synced
- Never use the sync service account interactively, and alert on any sign-in with it
Implement Azure AD Identity Protection policies:
# Create risk-based policy: block sign-in for users whose user risk is high
# (user risk conditions are Conditional Access conditions; Identity Protection requires Entra ID P2)
az rest --method POST --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
  --body '{"displayName": "High Risk Users", "state": "enabled",
    "conditions": {"userRiskLevels": ["high"], "clientAppTypes": ["all"],
      "applications": {"includeApplications": ["All"]}, "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}}'
Monitor and alert on suspicious authentication patterns:
# Azure Monitor scheduled-query alert on the Log Analytics workspace that receives SigninLogs
# (<workspace-resource-id> and <action-group-id> are placeholders for your own resources;
# the action group is what emails security-team@contoso.com)
az monitor scheduled-query create --name "Password Spray Alert" \
  --resource-group "SecurityAlerts" \
  --scopes "<workspace-resource-id>" \
  --condition "count 'Placeholder_1' > 50" \
  --condition-query Placeholder_1="SigninLogs | where ResultType == '50126'" \
  --evaluation-frequency 1h --window-size 1h \
  --action-groups "<action-group-id>"
Additional hardening measures:
- Disable unused application permissions and service principals
- Implement just-in-time admin access with Azure AD Privileged Identity Management
- Use Azure Key Vault for credential storage instead of hardcoded secrets
- Regularly audit and remove stale service accounts