23rd March, 2026
12 min read

Password Spray Response: Detection Signals + Automation Steps

Password spray attacks are designed to evade detection. They move slowly, spread across many accounts, and often fly under traditional alert thresholds. This guide covers the detection signals that matter, the response workflow that stops spray attacks before credential compromise, and how to automate containment without locking out legitimate users.

What Makes Password Spray Different

Unlike brute-force attacks that hammer a single account with thousands of password attempts, password spray attacks take a different approach: they try a small number of common passwords against many accounts simultaneously.

| Characteristic       | Brute Force           | Password Spray                 |
|----------------------|-----------------------|--------------------------------|
| Target               | Single account        | Many accounts                  |
| Password attempts    | Thousands per account | 1-3 per account                |
| Speed                | Fast, aggressive      | Slow, distributed              |
| Lockout trigger      | Almost always         | Rarely (stays under threshold) |
| Detection difficulty | Easy                  | Hard without correlation       |

Why This Matters

Password spray attacks are specifically designed to stay under lockout thresholds. If your detection relies on "5 failed logins in 5 minutes," spray attacks will never trigger it. You need correlation-based detection that looks across accounts, not within them.

Detection Signals That Matter

Effective password spray detection requires correlating signals across multiple accounts and time windows. Here are the signals that reliably indicate spray activity:

1. High Volume of Failed Authentications from Single IP

Multiple accounts receiving failed authentication attempts from the same source IP within a short window.

Threshold: 10+ unique accounts with failed auth from same IP in 10 minutes

2. Identical Error Codes Across Accounts

Spray attacks often produce identical authentication error codes (like AADSTS50126 in Entra ID) across many accounts simultaneously.

Look for: AADSTS50126 (invalid password), AADSTS50053 (locked out), AADSTS50057 (disabled account)

3. Legacy Protocol Usage

Attackers often use legacy authentication protocols (IMAP, POP3, SMTP) that bypass MFA. Sudden spikes in legacy auth failures are a strong spray indicator.

Client apps to monitor: Exchange ActiveSync, IMAP4, POP3, SMTP AUTH, Other clients

4. Suspicious User Agent Strings

Spray tools often use distinctive or outdated user agent strings. Watch for unusual patterns that don't match your normal traffic.

Red flags: Python-urllib, curl, empty user agents, very old browser versions

5. Geographic Anomalies

Failed authentications from unusual geographies, especially combined with other signals, indicate spray activity from external threat actors.

Correlate: Source country + failed auth volume + time of day

6. Sudden Success After Pattern of Failures

The most critical signal: a successful authentication immediately following the spray pattern indicates a compromised account.

CRITICAL: Success from spray IP/pattern = immediate containment required

Detection Confidence Matrix

Individual signals have varying confidence levels. Combining multiple signals increases detection accuracy and reduces false positives.

| Signal Combination                     | Confidence | Recommended Action                       |
|----------------------------------------|------------|------------------------------------------|
| High failed auth volume from single IP | Medium     | Monitor, enrich with threat intel        |
| + Legacy protocol usage                | High       | Block IP, alert SOC                      |
| + Suspicious user agent                | High       | Block IP, alert SOC                      |
| + Geographic anomaly                   | Very High  | Block IP, force MFA on targeted accounts |
| + Successful auth in pattern           | Critical   | Immediate account containment            |
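As an added illustration (not code from the article or from BitLyft), the Python below correlates constructed sign-in records per source IP rather than per account, applies the 10-accounts-in-10-minutes threshold from signal 1, checks the secondary signals (legacy client app, tooling user agent, unusual country, success after the failures), and maps the combination onto the confidence matrix above. The legacy client-app names, the user-agent prefixes treated as tooling, the tenant's home country, the use of error code 0 for success, and reading the matrix cumulatively (geography raises confidence only on top of another secondary signal) are assumptions.

```python
from itertools import groupby
from datetime import datetime, timedelta
# Assumptions (not from the article): legacy client-app names, tooling UA prefixes, home country.
LEGACY_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP AUTH", "Other clients"}
TOOL_UA_PREFIXES = ("python-urllib", "curl")
HOME_COUNTRIES = {"US"}
FAIL, SUCCESS = "AADSTS50126", 0  # invalid password is the primary spray signal; errorCode 0 = success
CHECKS = {  # per-record predicates for the secondary signals in the confidence matrix
    "legacy": lambda r: r["app"] in LEGACY_APPS,
    "ua": lambda r: not r["ua"] or r["ua"].lower().startswith(TOOL_UA_PREFIXES),
    "geo": lambda r: r["country"] not in HOME_COUNTRIES,
}
# Constructed sample sign-in records (not real logs): 12 accounts failing from one IP
# within six minutes, then one success from that same IP, plus a benign user typo.
BASE = datetime(2026, 3, 23, 9, 0)
_rec = lambda *v: dict(zip(("ts", "user", "ip", "code", "app", "ua", "country"), v))
SIGNINS = [_rec(BASE + timedelta(seconds=30 * i), f"user{i:02d}@example.com", "203.0.113.10",
                FAIL, "IMAP4", "Python-urllib/3.11", "NL") for i in range(12)]
SIGNINS.append(_rec(BASE + timedelta(minutes=7), "user05@example.com", "203.0.113.10",
                    SUCCESS, "IMAP4", "Python-urllib/3.11", "NL"))
SIGNINS.append(_rec(BASE, "alice@example.com", "198.51.100.7", FAIL, "Browser", "Mozilla/5.0", "US"))

def confidence(signals, compromised):
    """Map a signal combination onto the article's confidence matrix."""
    if compromised:
        return "Critical"
    extras = signals - {"volume"}
    if "geo" in extras and len(extras) > 1:
        return "Very High"
    return "High" if extras else "Medium"

def detect_spray(signins, window=timedelta(minutes=10), min_accounts=10):
    """Correlate failures per source IP (not per account): one finding per IP over threshold."""
    findings, by_ip = {}, (lambda r: r["ip"])
    for ip, group in groupby(sorted(signins, key=by_ip), key=by_ip):
        recs = list(group)
        fails = sorted((r for r in recs if r["code"] == FAIL), key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(fails)):  # sliding window: most distinct accounts failing inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({r["user"] for r in fails[start:end + 1]}))
        if best < min_accounts:
            continue
        signals = {"volume"} | {n for n, check in CHECKS.items() if any(check(r) for r in fails)}
        # The critical signal: a success from the spray IP after its failure pattern began.
        hit = sorted({r["user"] for r in recs if r["code"] == SUCCESS and r["ts"] >= fails[0]["ts"]})
        findings[ip] = {"unique_accounts": best, "signals": signals, "compromised": hit,
                        "confidence": confidence(signals, hit)}
    return findings
```

The per-account typo from 198.51.100.7 never reaches the threshold, which is exactly the case a per-account lockout rule would treat the same as the spray source.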

Automated Response Workflow

Password spray response has two distinct tracks: blocking the attack source and containing any compromised accounts. Both should run in parallel.

Track 1: Block Attack Source

1. Identify source IP(s) [Auto]
   Extract all IPs associated with the spray pattern

2. Enrich with threat intelligence [Auto]
   Check IP reputation, ASN, known malicious indicators

3. Add to Conditional Access block list [Auto]
   Block IP at identity layer (Entra ID Named Locations)

4. Block at network perimeter [Auto]
   Add to firewall/WAF blocklist if applicable

5. Document IOCs [Auto]
   Log IPs, user agents, timing patterns for future correlation

Track 2: Contain Compromised Accounts

Only triggered if successful authentication is detected within the spray pattern.

1. Revoke all sessions [Auto]
   Invalidate refresh tokens and active sessions immediately

2. Force password reset [Auto]
   Require password change on next sign-in

3. Require MFA re-registration [Human]
   Clear existing MFA methods, force re-enrollment
   May need human approval

4. Review recent activity [Auto]
   Check for inbox rules, OAuth apps, mailbox forwarding

5. Remove suspicious artifacts [Human]
   Delete malicious inbox rules, revoke OAuth grants
   Requires investigation

6. Notify user and manager [Auto]
   Inform user of compromise and required actions

What to Automate vs. Human Review

Not every password spray response action should be fully automated. Here's guidance on where automation adds value without creating risk.

Safe to Fully Automate

  • Block source IP at identity layer
  • Revoke sessions for compromised accounts
  • Force password reset
  • Enrich IPs with threat intelligence
  • Notify user and SOC
  • Log and document IOCs

Requires Human Approval

  • Force MFA re-registration (disrupts user)
  • Disable account entirely
  • Remove OAuth app consents
  • Delete inbox rules (may be legitimate)
  • Block IP ranges (may affect legitimate users)
  • Escalate to executive accounts
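Added example, not the article's or BitLyft's code: a playbook runner for the two tracks above that executes the auto steps against a constructed in-memory tenant, runs Track 2 only when a success was seen in the spray pattern, and queues the human-approval steps (MFA re-registration, artifact removal, and every step touching an executive account) instead of executing them. The Tenant class, the handler names, and the rule that a Medium-confidence finding only documents IOCs are assumptions drawn from the confidence matrix.

```python
from dataclasses import dataclass, field

# Constructed for this example: an in-memory stand-in for the identity provider and
# perimeter, so the playbook's effects can be inspected without any real API calls.
@dataclass
class Tenant:
    identity_blocklist: set = field(default_factory=set)   # Entra ID Named Location block
    perimeter_blocklist: set = field(default_factory=set)  # firewall / WAF blocklist
    revoked: set = field(default_factory=set)
    reset_required: set = field(default_factory=set)
    reviewed: set = field(default_factory=set)
    notified: set = field(default_factory=set)
    iocs: list = field(default_factory=list)

# The article's two tracks. Auto steps carry a handler; human steps carry None and are
# queued for approval instead (assumption: the approval itself happens outside this code).
TRACK1 = {"block_ip_identity": lambda t, ip, u: t.identity_blocklist.add(ip),
          "block_ip_perimeter": lambda t, ip, u: t.perimeter_blocklist.add(ip),
          "document_iocs": lambda t, ip, u: t.iocs.append(ip)}
TRACK2 = {"revoke_sessions": lambda t, ip, u: t.revoked.add(u),
          "force_password_reset": lambda t, ip, u: t.reset_required.add(u),
          "mfa_reregistration": None,  # disrupts the user: needs human approval
          "review_activity": lambda t, ip, u: t.reviewed.add(u),
          "remove_artifacts": None,    # inbox rules / OAuth grants may be legitimate
          "notify_user": lambda t, ip, u: t.notified.add(u)}
BLOCK_AT = {"High", "Very High", "Critical"}  # per the matrix, Medium is monitor/enrich only

def run_playbook(tenant, ip, finding, executives=frozenset()):
    """Run Track 1 for the spray source and, only when a success was seen in the pattern,
    Track 2 for each compromised account. Returns (executed, pending_approval)."""
    executed, pending = [], []

    def step(name, handler, user=None):
        if handler is None or user in executives:  # executive accounts: escalate every step
            pending.append((name, ip, user))
        else:
            handler(tenant, ip, user)
            executed.append((name, ip, user))

    for name, handler in TRACK1.items():
        if name == "document_iocs" or finding["confidence"] in BLOCK_AT:
            step(name, handler)
    for user in finding["compromised"]:  # empty unless a success followed the failures
        for name, handler in TRACK2.items():
            step(name, handler, user)
    return executed, pending
```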

Microsoft Entra ID Detection Reference

For organizations using Microsoft Entra ID (Azure AD), these are the specific log sources and detection signals to monitor.

Sign-in Logs to Monitor

  • Non-interactive sign-ins - Where most spray attempts appear
  • Service principal sign-ins - Application-based spray attempts
  • Risky sign-ins report - Built-in Identity Protection signals

Key Error Codes

| Code        | Meaning                      | Spray Indicator                  |
|-------------|------------------------------|----------------------------------|
| AADSTS50126 | Invalid username or password | Primary spray signal             |
| AADSTS50053 | Account locked               | Spray exceeded lockout threshold |
| AADSTS50057 | Disabled account             | Spray hitting disabled accounts  |
| AADSTS50034 | User doesn't exist           | Spray with enumerated usernames  |
| AADSTS50076 | MFA required                 | Password correct, MFA blocked    |

Entra ID Identity Protection Risk Detections

  • Password spray - Built-in detection (medium confidence)
  • Unfamiliar sign-in properties - Anomalous login characteristics
  • Anonymous IP address - Sign-in from VPN/Tor
  • Atypical travel - Impossible travel correlation

Common Detection Mistakes

Relying only on per-account failed login thresholds

Problem: Spray attacks stay under per-account limits by design

Fix: Correlate failed logins across accounts from the same source

Ignoring non-interactive sign-in logs

Problem: Most spray attacks target non-interactive endpoints

Fix: Monitor all sign-in log types, not just interactive

Blocking entire IP ranges reactively

Problem: May block legitimate users on shared infrastructure

Fix: Block specific IPs, use Conditional Access for broader controls

Not checking for successful auth in spray pattern

Problem: Missing the actual compromise among the noise

Fix: Always check for successful auth from spray source IPs

Treating all spray detections equally

Problem: Wasting time on low-confidence detections

Fix: Use signal correlation to prioritize high-confidence detections

Automate Password Spray Response with BitLyft AIR

BitLyft AIR correlates password spray signals across your identity infrastructure and executes containment automatically—blocking attack sources and containing compromised accounts in seconds.
