Identity Attacks Guide

Password Spray Attacks

A password spray attack is a quiet account takeover technique: instead of trying thousands of passwords against one account, attackers try a small set of common passwords across many accounts. For a 20-person office, that might mean every mailbox receives one or two attempts every few hours rather than one account being hammered until it locks.

This matters because small businesses often have Microsoft 365 as the front door to email, files, invoicing, calendars, and client communication. A single weak password can become a mailbox compromise, invoice redirection, or internal phishing campaign. The goal is not to scare staff into impossible password rules; it is to close the predictable gaps attackers rely on.

Estimated reading time: 8 minutes
Primary systems: Microsoft 365 and other cloud sign-ins
Who this guide is for: Small-business owners, office managers, clinics, law firms, accounting firms, consultants, and IT decision-makers with 5-50 employees.
Last reviewed: April 2026

What it means

Password spraying is different from a normal brute-force attack. A brute-force attack focuses on one user and tries many password combinations. Password spraying reverses that pattern: attackers choose passwords that people commonly use, then test those passwords against a broad list of usernames.

The method is designed to avoid obvious lockouts. If your policy locks an account after ten bad attempts, an attacker may only try one password per account, wait, then try again later. The activity can look like background noise unless someone reviews sign-in logs across all users instead of only one mailbox.

How it affects small businesses

Professional offices usually have public staff directories, predictable email formats, and users who sign in from home, mobile devices, and client sites. That makes username discovery easy and makes unusual sign-in patterns harder to notice without centralized logging.

In a law firm or accounting office, one compromised mailbox can expose client conversations, tax documents, closing instructions, or payment discussions. In a clinic, it can disrupt scheduling and patient communication. The business impact is usually operational first: lost trust, urgent password resets, payment verification calls, and time spent reconstructing what the account accessed.

Mailbox access

Attackers may read mail, search for invoices, and learn who approves payments.

Internal phishing

A compromised staff account is more believable than an outside sender.

Cloud data exposure

If the account has OneDrive, SharePoint, or Teams access, email is not the only concern.

How the attack usually starts

Password spray usually starts with a list of email addresses and a short list of common passwords. The email addresses may come from your website, LinkedIn, old breach data, public directories, or predictable formats like first initial plus last name.

Instead of hammering one account, the attacker tries one password across many users, waits, then tries another. This slow pattern is meant to avoid obvious lockouts and blend into normal failed sign-in noise.

Public usernames

Staff names, role mailboxes, and predictable email formats make target lists easy to build.

Common passwords

Seasonal passwords, company-name variants, and reused passwords are the usual first guesses.

Legacy clients

Older authentication paths can make password-only attempts more useful to attackers.

What attackers are trying to achieve

Find one weak account

The attacker only needs one mailbox or cloud account to start reading email and testing access.

Avoid lockouts

Low-and-slow attempts are designed to stay below per-account lockout thresholds.

Use the account for follow-on fraud

A successful login can lead to internal phishing, invoice review, or attempts to reach SharePoint and Teams.

What it looks like in a real small business

A 22-person accounting firm notices nothing unusual during the day. Overnight, Microsoft 365 records failed sign-ins against almost every user from several hosting-provider IP addresses. No one account has enough failures to trigger concern on its own.

One junior mailbox eventually has a successful sign-in because the password was reused from an older service and the account sits in one of the tenant's MFA coverage gaps. The attacker searches for client names and invoices, then sends a phishing email to two internal users from the real mailbox. The issue is caught only because sign-in logs are reviewed after the unusual tenant-wide pattern appears.

Common warning signs

Many failed logins across different users

The pattern matters more than any single account. Look for repeated failures spread across the tenant.

Attempts from unfamiliar countries, networks, or hosting providers

Sign-ins from locations where your staff do not work deserve review, especially when they target several accounts.

Impossible travel or rapid location changes

A user appearing in the GTA and then another country within minutes may indicate stolen credentials or automated attempts.

Repeated failures followed by a successful sign-in

A successful login after spray activity should be treated as a priority investigation item.

Signals to check

Microsoft 365 sign-in logs

Filter for repeated failures across many users, unfamiliar countries, and legacy client apps.

Smart lockout and risk events

Review accounts with lockout events, impossible travel, unfamiliar sign-in properties, or risky sign-in flags.

Successful login after failures

Prioritize any account where spray activity is followed by a successful authentication.

Legacy authentication usage

Check POP, IMAP, SMTP AUTH, and older clients because they may weaken your MFA posture.
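The tenant-wide checks above, as an added example in Python (not the guide's own tooling): it groups constructed sign-in records by source IP rather than by user, so the spray shows even though no single account nears a lockout threshold, and it flags a success from a spraying IP plus the legacy client it used. Field names follow Microsoft Entra sign-in log exports (userPrincipalName, ipAddress, status.errorCode, clientAppUsed); the records, addresses and timestamps are made up.

```python
"""Added example (not from the guide): tenant-wide password-spray triage.
Field names follow Entra sign-in log exports; the records are constructed.
Error code 50126 is Entra's invalid username/password result; 0 is success.
"""
from collections import Counter, defaultdict


def rec(time, user, ip, code, client="Browser"):
    """Build one constructed sign-in record in the export's field layout."""
    return {"createdDateTime": time, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}, "clientAppUsed": client}

# Constructed sample: a hosting-provider IP tries one password per user over
# IMAP (legacy auth), then succeeds against j.doe; an office IP shows one typo.
SIGNINS = [
    rec("2026-04-02T02:10:00Z", "a.lee@example.com", "203.0.113.7", 50126, "IMAP4"),
    rec("2026-04-02T02:14:00Z", "b.khan@example.com", "203.0.113.7", 50126, "IMAP4"),
    rec("2026-04-02T02:19:00Z", "c.ortiz@example.com", "203.0.113.7", 50126, "IMAP4"),
    rec("2026-04-02T02:23:00Z", "d.wong@example.com", "203.0.113.7", 50126, "IMAP4"),
    rec("2026-04-02T02:27:00Z", "j.doe@example.com", "203.0.113.7", 0, "IMAP4"),
    rec("2026-04-02T08:30:00Z", "a.lee@example.com", "198.51.100.20", 50126),
    rec("2026-04-02T08:31:00Z", "a.lee@example.com", "198.51.100.20", 0),
]


def failures_per_user(signins):
    """The per-account view a lockout policy sees: every count stays tiny."""
    return Counter(s["userPrincipalName"] for s in signins if s["status"]["errorCode"] != 0)


def spray_sources(signins, min_users=3):
    """IPs that failed against at least min_users distinct accounts -> {ip: set(users)}."""
    failed = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] != 0:
            failed[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: users for ip, users in failed.items() if len(users) >= min_users}


def success_after_spray(signins, min_users=3):
    """Successes from a spraying IP that follow its failures: the priority triage items."""
    sources = spray_sources(signins, min_users)
    seen_failure = set()
    hits = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        ip = s["ipAddress"]
        if ip not in sources:
            continue
        if s["status"]["errorCode"] != 0:
            seen_failure.add(ip)
        elif ip in seen_failure:
            hits.append((s["userPrincipalName"], ip, s["createdDateTime"], s["clientAppUsed"]))
    return hits
```

On the sample, the per-user view never exceeds two failures, while the per-IP view names the spraying address and the one account it got into over IMAP.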

What to do first

Confirm whether any login succeeded

Do not stop at failed attempts. Identify successful sign-ins from the same time window, source networks, or client apps.

Reset and revoke affected accounts

For any suspicious success, reset the password, revoke sessions, and review MFA methods.

Check mailbox rules

Look for forwarding, hidden rules, and unusual sent mail on accounts that may have been accessed.

Tighten MFA and legacy auth controls

Close obvious gaps before the next spray cycle starts.

How to reduce the risk

Require MFA for all users

MFA prevents a guessed password from being enough on its own. Prioritize admins, finance, partners, and shared workflows first if rollout must be staged.

Use Conditional Access where licensing allows

Conditional Access can require MFA based on risk, location, device compliance, or user group, making enforcement more practical for small teams.

Block legacy authentication

POP, IMAP, and older protocols may not enforce modern MFA properly. Blocking them removes a common bypass path.

Review sign-in logs regularly

Microsoft 365 sign-in logs show failed attempts, locations, client apps, and risk signals that help identify spray patterns.

Use smart lockout and a sensible password policy

Avoid password rules that encourage predictable patterns. Combine length, banned password lists, lockout protections, and MFA.

Common mistakes

Only reviewing one user at a time

Password spray is a tenant-wide pattern. Looking at one account hides the signal.

Ignoring failed login noise

A few failures per user can be meaningful when the same pattern hits the whole office.

Leaving legacy authentication enabled

Password-only protocols can undermine an otherwise reasonable MFA rollout.

Using predictable password rules

Forced complexity often creates seasonal patterns that attackers already test.

CtrlShift IT review checklist

In a security risk review, we focus on the operational checks that show whether the control is actually working for a small business, not just whether a setting exists.

Tenant-wide failed sign-in pattern

We review failed and successful sign-ins by user, IP, geography, user agent, and client app.

MFA and Conditional Access coverage

We confirm every human account is covered and exceptions are documented and monitored.

Legacy authentication exposure

We identify POP, IMAP, SMTP AUTH, and older clients that should be disabled or replaced.

Mailbox compromise indicators

We inspect rules, forwarding, delegated access, sent mail, and suspicious session history.

Password and lockout policy fit

We check whether password guidance, banned passwords, and lockout settings fit the business.

FAQ

Can MFA stop password spray attacks?

MFA usually prevents a guessed password from being enough to access the account. It does not stop the spray attempts themselves, so sign-in logging, Conditional Access, lockout protections, and legacy authentication blocking still matter.

How do I know if my tenant is being sprayed?

Look for failed sign-ins spread across many users, repeated source networks, unfamiliar geographies, and attempts against legacy client apps. The pattern is often visible only when you review the tenant as a whole.

Is password spray the same as brute force?

No. Brute force usually tries many passwords against one account. Password spray tries a small number of common passwords across many accounts to avoid obvious lockouts.

Should we force everyone to change passwords after a spray?

Not automatically. First confirm whether any account had a suspicious successful sign-in. Reset affected accounts, revoke sessions, close MFA gaps, and review mailbox rules before making broad changes.