For those unaware, password spraying is a type of brute-force attack that tries a commonly used password against a large number of accounts (usernames) before moving on to a second password, and so on. Many companies lock a user out after several failed login attempts (usually 3-5). Because a spray makes only a few attempts against each account, it avoids quick or frequent account lockouts and lets a malicious actor remain undetected. Although the success rate per account is quite low, the attack is very difficult to detect.

To detect password spray attacks, Microsoft previously built a heuristic detection, which helped the company identify the core failure in the system in its worldwide traffic. It was able to notify tenants of hundreds of thousands of attacks monthly (increased user risk) so they could protect their organizations.

Now, Microsoft has improved the credential compromise detection engine for Azure AD Identity Protection customers by training a new supervised machine learning algorithm that incorporates IP reputation, unfamiliar sign-in properties, and other deviations in account behavior to detect when a tenant is under attack from password spray.

“This new machine learning detection yields a 100 percent increase in recall over the heuristic algorithm described above, meaning it detects twice the number of compromised accounts of the previous algorithm. It does this while maintaining the previous algorithm’s amazing 98 percent precision—meaning if this algorithm says an account fell to password spray, it’s almost certain that it did,” said Alex Weinert, Director of Identity Security at Microsoft.

The following screenshot provides a sample of the new risk detection:
The new password spray detection will be available soon to Azure AD Identity Protection customers, who can access the new risk detection reports in the portal and APIs for Identity Protection.
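
The spray pattern described at the top of this article (one password tried across many accounts, with each account kept under the lockout limit) can be flagged by counting failures per source instead of per account. The following is an added example, not Microsoft's heuristic or machine learning detection; the thresholds, the time window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # assumed per-account limit (the article cites 3-5)
MIN_ACCOUNTS = 4                # assumed: distinct accounts that make a source suspicious
WINDOW = timedelta(minutes=30)  # assumed observation window

def sample_events():
    """Constructed sign-in events: (time, source IP, account, success)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    users = ["alice", "bob", "carol", "dave", "erin"]
    # Spray: one guess per account per round, two rounds 20 minutes apart.
    ev = [(t0 + timedelta(minutes=20 * r, seconds=10 * i), "203.0.113.7", u, False)
          for r in range(2) for i, u in enumerate(users)]
    # Classic brute force: six guesses against a single account.
    ev += [(t0 + timedelta(seconds=5 * i), "198.51.100.9", "frank", False) for i in range(6)]
    # Legitimate user mistyping once, then signing in.
    ev += [(t0 + timedelta(minutes=3), "192.0.2.10", "alice", False),
           (t0 + timedelta(minutes=4), "192.0.2.10", "alice", True)]
    return ev

def lockouts(events):
    """Accounts on which a simple per-account failure counter would trip."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def detect_spray(events):
    """Return {source IP: accounts} for sources that fail against many accounts
    inside WINDOW while staying under the lockout limit on every one of them."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1  # slide the window forward
            seen = defaultdict(int)
            for _, user in fails[start:end + 1]:
                seen[user] += 1
            if (len(seen) >= MIN_ACCOUNTS and max(seen.values()) < LOCKOUT_THRESHOLD
                    and len(seen) > len(flagged.get(ip, []))):
                flagged[ip] = sorted(seen)
    return flagged

if __name__ == "__main__":
    print("lockouts:", lockouts(sample_events()))
    print("spray sources:", detect_spray(sample_events()))
```

A spray spread over many source addresses would not be caught by this per-source grouping.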