Microsoft Warns Of Rise In Password Spray Attacks Aimed At High Privilege Accounts

If you thought being in the swanky C-suite of a major company kept you safe from hackers, think again. Those positions, among other high-ranking posts, are the latest targets in the ongoing infosec war between businesses and hackers. Many of us worry about getting our Amazon Prime account or our bank account hacked, but in reality that's small fries compared to what these hackers could be pulling off. According to a warning from Microsoft's Detection and Response Team (DART), there has been a massive increase over the past year in a particular attack vector known as password spraying.

Password spray attacks are different from what we typically think of when it comes to 'hacking passwords'. Most of the time what comes to mind is a straight "brute force" method, where everything but the kitchen sink is thrown at a single account. The problem (for hackers, anyway) is that this often locks out the user and prompts a password reset; the good news is that it locks out the hacker as well. Password spray attacks are a bit more methodical.

A password spray takes commonly used passwords and tries each of them against many accounts, a somewhat more insidious way of sneaking into someone's account. This is safer for the hacker, since a single failed attempt per account often just triggers a multi-factor authentication (MFA) request rather than locking the account owner out. Unless you don't have MFA set up, in which case shame on you. But once a password finally matches an account, it's smooth sailing for the hacker.
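The difference between the two patterns is what a defender looks for in sign-in logs: a spray touches many accounts with only one or two failures each, while a brute-force attempt piles failures onto one account. The Python below is an added illustration, not code from Microsoft or from this article; the failure events, IP addresses, account names and thresholds are all constructed assumptions, and keying on source IP is a simplification (real sprays are often spread across many sources).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-in events (not real logs): timestamp, source IP, account.
SAMPLE_FAILURES = [
    ("2024-01-10T09:00:01", "203.0.113.7", "cfo"),
    ("2024-01-10T09:00:04", "203.0.113.7", "ceo"),
    ("2024-01-10T09:00:08", "203.0.113.7", "controller"),
    ("2024-01-10T09:00:12", "203.0.113.7", "treasurer"),
    ("2024-01-10T09:00:15", "203.0.113.7", "cfo"),
    ("2024-01-10T09:00:20", "203.0.113.7", "payroll"),
    ("2024-01-10T09:00:25", "203.0.113.7", "hr.director"),
    ("2024-01-10T09:01:00", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:01:01", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:01:02", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:01:03", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:01:04", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:01:05", "198.51.100.9", "jsmith"),
    ("2024-01-10T09:05:00", "192.0.2.33", "alice"),   # a user mistyping twice
    ("2024-01-10T09:05:30", "192.0.2.33", "alice"),
]

def classify_sources(events, window=timedelta(minutes=10), min_accounts=5, min_attempts=5):
    """Classify each source IP by its failure pattern inside a sliding time window.
    'spray'  : many distinct accounts, most with only a failure or two (stays under lockout).
    'brute'  : many failures concentrated on one or two accounts (trips lockout).
    'normal' : neither threshold reached (thresholds are assumed values)."""
    per_src = defaultdict(list)
    for ts, src, user in events:
        per_src[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, items in per_src.items():
        items.sort()
        verdict = "normal"
        for i, (start, _) in enumerate(items):
            in_win = [u for t, u in items[i:] if t - start <= window]
            distinct = len(set(in_win))
            top_account = max(in_win.count(u) for u in set(in_win))
            # Spray: wide and shallow -- at least half the failures hit different accounts.
            if distinct >= min_accounts and distinct >= len(in_win) / 2:
                verdict = "spray"
                break
            # Brute force: narrow and deep -- one account absorbs most of the failures.
            if top_account >= min_attempts and distinct <= 2:
                verdict = "brute"
                break
        verdicts[src] = verdict
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_FAILURES).items():
        print(f"{src}: {verdict}")
```

Alerting on the "spray" verdict catches the pattern that per-account lockout counters miss, since no single account ever reaches its lockout threshold.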

The more important part of the warning from Microsoft DART concerns who is being targeted. Hint: it's not the custodian or the office administrator, it's the people with access to the money-making details. Those in positions with access to financials of any kind, or to any other confidential company data, are the key targets. Because of this, Microsoft is recommending that everyone using a business account enable MFA if possible. And on second thought, EVERYONE who logs into ANYTHING that holds their personal or financial data needs to be using MFA. This practice should now be as common as locking your home when you're away.