Password Spraying attack: What is it and how to stay protected?

• Password spraying is an attack technique that attempts to target a large number of usernames with a few known passwords or commonly used passwords.
• A study conducted by Proofpoint revealed that almost 60% of Microsoft Office 365 and G Suite users were targeted with IMAP-based password-spraying attacks.

Password spraying is an attack technique that attempts to target a large number of usernames with a few known passwords or commonly used passwords. Password spraying attack is also known as ‘reverse brute-force attack’ as it will reverse the attack technique by starting with the known password and trying it against a list of possible usernames.

Password spraying attacks usually target Single Sign-On (SSO) applications, cloud-based applications, and email applications.

How does Password Spraying attack work?

In this technique, attackers attempt a single commonly used password against multiple usernames before moving on to attempt the second password.

• Hackers initially collect multiple usernames using social engineering or other phishing methods.
• They then try a simple password such as password123, p@ssword, 12345678, etc against the list of usernames.
• It often happens that at least one of those users is using a simple password, therefore, via password spraying attack attackers can easily break into user accounts.

Examples of Password Spraying attack

Example 1 - Attackers leveraged Password Spraying attack to target Citrix

Citrix learned from FBI on March 6, 2019, that cybercriminals gained unauthorized access to Citrix internal network and downloaded business documents. FBI advised Citrix that the attackers might have used a tactic known as ‘password spraying’ to gain access to Citrix internal network.

Example 2 - Password spraying campaigns exploit IMAP

Attackers leveraging password spraying technique are exploiting Internet Message Access Protocol (IMAP) to break into companies’ cloud accounts.

Proofpoint conducted a six-month study that analyzed over 100,000 unauthorized logins across millions of monitored cloud user-accounts and found out that almost 60% of Microsoft Office 365 and G Suite users were targeted with IMAP-based password-spraying attacks. Of the 60%, 25% of targeted users were successfully breached.

The study also revealed that the majority of IMAP-based password spraying attacks originated in China (53%) followed by Brazil (39%), and the US (31%).

How to stay protected?

• Security experts recommend organizations using Office365 to disable IMAP and other legacy protocols in order to stay protected from IMAP-based password spraying attacks.
• It is always recommended to use strong, complex, lengthy, and unique passwords that are difficult to crack.
• It is best to use two-factor authentication while logging in to accounts.
• It is recommended to always log out after the session is complete.
• Experts recommend periodically rotating passwords and never reusing the same password across multiple accounts.