In a password spray, the attacker takes one common password (e.g. Yaz2026!) and tries it against hundreds of accounts. Because each user sees only one or two attempts, account lockout is never triggered.
Symptoms
- Many different TargetUserName values in Event ID 4625 logon failures, all from the same source IP
- Dozens of failed logons in a short time, with no successful logon
- Usually arrives via VPN or OWA
SIEM rule logic
Same source IP in a 5-minute window → 10+ different usernames with failed authentication = high-priority alarm. The password_spray correlation pattern in OxiSec turns this chain into an incident.
Intervention
Block the source IP, force a password reset on the affected accounts, and enable MFA.