On January 12, 2024, Microsoft detected an intrusion into its corporate systems that it attributed to Midnight Blizzard, a Russian state-sponsored actor (Microsoft’s press release). According to Microsoft, the initial foothold was a password-spray attack against a legacy, non-production test tenant account; from there the attackers were able to “access a very small percentage of Microsoft corporate email accounts… and exfiltrated some emails and attached documents.”
A password-spray attack is the inverse of a classic brute-force attack. Instead of trying many passwords against one account, the attacker tries a short list of common passwords (think “Summer2024!”, “Welcome1”, “Password123”) against a large list of usernames, usually only one or two attempts per account. Because no single account sees more than a failure or two, per-account lockout thresholds are never reached. The usernames can be harvested from public sources such as LinkedIn or breach dumps, generated from a known naming convention (first.last@company.com), or purchased; the password lists can be purchased or generated the same way.
How do we defend against password-spray attacks?
The most important defense is Multi-Factor Authentication (MFA). MFA does not stop an attacker from guessing a password; it makes a guessed password insufficient on its own, because the attacker also needs the second factor. MFA’s “birthday” is debatable, but it has been around for about twenty years, and the differences between its forms matter more than the label.
Some organizations use SMS-based codes, but this is the weakest form of MFA. In a SIM-swap attack, the attacker convinces the victim’s carrier (through social engineering or a bribed insider) to move the victim’s phone number onto a SIM card the attacker controls; in the related port-out scam, the number is transferred to a different carrier. Either way, the attacker receives the victim’s SMS codes until the victim notices that service has stopped and the carrier reverses the change, which can take hours, far longer than a single authentication needs. SMS codes can also be phished like any other one-time code. SMS MFA is still far better than no MFA, but treat it as a stopgap rather than a destination.
A stronger form of MFA is the Time-Based One-Time Password (TOTP, RFC 6238), the six-digit code that rotates every 30 seconds in apps such as Authy and Google Authenticator. The code is derived from a shared secret and the current time, so there is nothing for a carrier to swap. The weakness is that the code is just a string the user types: a convincing phishing page can simply ask for it, and an adversary-in-the-middle phishing kit relays the password and the code to the real service within the validity window, so the service cannot tell the relayed code from a legitimate one.
Hardware MFA tokens such as YubiKeys, used in their FIDO2/WebAuthn mode, provide everything TOTP provides and also make credential phishing virtually impossible. The key signs a challenge with a private key that never leaves the device, and the signed response is bound to the web origin the browser is actually talking to, so a phishing site on a look-alike domain receives nothing it can replay against the real service. (YubiKeys also offer OTP modes that produce a typed one-time code; those are as phishable as TOTP, so enforce FIDO2/WebAuthn rather than just “a YubiKey”.) The most recent YubiKeys, as of publishing this blog, cost between 50 and 75 US dollars. If you have a large enterprise, this may seem like a significant expense, but there are two main points to consider:
- Per user, this is a one-time cost with no subscription fee. (Budget for two keys per user and register both, so a lost key is an inconvenience rather than a helpdesk emergency.)
- The security that hardware keys bring to your environment is worth the price, because they close the password-guessing and the phishing paths at the same time.
Google published an excellent case study on the benefits of implementing hardware MFA. The data in the study demonstrates a wide range of benefits, security-related and otherwise: after rolling out security keys, their rate of authentication-related support tickets and the time users spent authenticating both dropped sharply, because a key is simpler for users than typing codes.
What other ways can we defend against a password-spray attack?
In addition to MFA, your organization should implement a password policy that prohibits common and previously breached passwords. A spray targets a wide range of accounts precisely to stay under per-account lockout thresholds, so it only works if some accounts use passwords on the attacker’s short list. Screen new passwords against a list of common passwords and known-breached passwords (NIST SP 800-63B recommends exactly this), and match after normalizing case and the usual substitutions, so that “P@ssw0rd2024!” is rejected along with “password”. Disallowing these weak passwords makes a password-spray attack much more difficult, strengthening your organization’s security posture.
Another defense strategy revolves around monitoring for the spray pattern itself. The signature is many different accounts failing to authenticate from the same source in a short window, with only one or two failures per account, which is exactly why per-account lockout alerts never fire. Configure your SIEM or identity provider, or use a third-party tool, to alert when failed logins from one IP address span many distinct usernames, and to correlate any subsequent successful login from that IP, since that is the account most likely to have been compromised. Automated tooling that adds offending IP addresses to a denylist is a useful addition, with two caveats: attackers increasingly spread a spray across many residential-proxy addresses so that each one stays under the threshold (so also watch the tenant-wide count of distinct failing accounts), and blocking an address shared by a NAT or VPN egress can lock out legitimate users, so prefer step-up authentication or rate limiting over hard blocks where you can.
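The kind of screening just described, as an added example for this post (not any vendor’s implementation): it normalizes case, leetspeak and the leading or trailing “2024!”-style runs that sprayers enumerate, then applies a scoring rule modeled on the one Microsoft documents for Entra ID banned-password evaluation (each banned word found counts one point, each remaining character one point, fewer than five points is rejected). The banned list, the minimum length and the organization name “acmecorp” are constructed for the demo; a real deployment uses a large common-password list plus a breach corpus.

```python
import re
import unicodedata

# Constructed demo list. Production lists are much larger (common-password
# corpora plus known-breached passwords) and include your own organization's
# name, products and site names; "acmecorp" stands in for an org name here.
BANNED_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "summer", "winter", "spring", "autumn", "acmecorp"}

# Substitutions users make to slip past naive "no dictionary words" filters.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the 'core' a sprayer would also guess: fold Unicode
    and case, drop leading/trailing digit-or-symbol runs (the '2024!' suffix),
    then undo leetspeak substitutions."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    return p.translate(LEET)


def score(password: str, banned=BANNED_WORDS) -> int:
    """One point per banned word found (longest words matched first), one point
    per character left over. A short password built around a banned word scores
    low; a long passphrase that merely contains one still scores high."""
    remaining = normalize(password)
    points = 0
    for word in sorted(banned, key=len, reverse=True):
        hits = remaining.count(word)
        if hits:
            points += hits
            remaining = remaining.replace(word, "")
    return points + len(remaining)


def check_password(password: str, min_length: int = 8, min_points: int = 5):
    """Returns (accepted, reason). Length is checked on the raw password,
    the point score on the normalized core. Thresholds are assumed policy."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    pts = score(password)
    if pts < min_points:
        return False, f"too close to a banned password (score {pts})"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "Summer2024!", "Welcome2AcmeCorp!",
                      "MyDogAteThePassword2020", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

Note what the scoring buys you over a plain blocklist: “MyDogAteThePassword2020” is accepted even though it contains “password”, because eleven unrelated characters remain after the match, while “Welcome2AcmeCorp!” is rejected because once the two banned words are removed only a single digit is left.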
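Here is what that alerting logic looks like when run over log lines, as an added example for this post rather than any product’s detection rule. The `auth ok|fail user=… src=…` line format and the log lines themselves are constructed for the demo (point the regex at your identity provider’s sign-in log fields instead), and the ten-minute window and five-account threshold are assumptions to tune. The example shows the per-IP rule, the follow-up that turns a flagged IP into a list of accounts to triage, and a tenant-wide view that still catches a spray spread across five source addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Three stories: a spray from one IP
# that eventually guesses erin's password; a legitimate user (frank) mistyping
# twice; and a spray spread across five source IPs, one account each.
SAMPLE_LOG = """\
2024-01-12T03:14:01Z auth fail user=alice src=203.0.113.7
2024-01-12T03:14:05Z auth fail user=bob src=203.0.113.7
2024-01-12T03:14:09Z auth fail user=carol src=203.0.113.7
2024-01-12T03:14:13Z auth fail user=dave src=203.0.113.7
2024-01-12T03:14:17Z auth fail user=erin src=203.0.113.7
2024-01-12T03:14:21Z auth ok user=erin src=203.0.113.7
2024-01-12T03:40:00Z auth fail user=frank src=198.51.100.20
2024-01-12T03:40:05Z auth fail user=frank src=198.51.100.20
2024-01-12T03:40:10Z auth ok user=frank src=198.51.100.20
2024-01-12T04:00:00Z auth fail user=gina src=198.51.100.31
2024-01-12T04:00:30Z auth fail user=hank src=198.51.100.32
2024-01-12T04:01:00Z auth fail user=ivan src=198.51.100.33
2024-01-12T04:01:30Z auth fail user=judy src=198.51.100.34
2024-01-12T04:02:00Z auth fail user=kim src=198.51.100.35
"""

# Hypothetical log format; adapt to your IdP's sign-in log fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse(lines):
    """Return (timestamp, result, user, ip) tuples sorted by time; lines that
    do not match (other sources on the same feed) are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect_spray_per_ip(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag a source IP whose failed logins inside any sliding `window` touch at
    least `min_distinct_users` distinct accounts. Returns {ip: max_distinct_users}.
    A user fat-fingering their own password never trips this rule."""
    fails_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "fail":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({u for _, u in fails[start:end + 1]})
            if distinct >= min_distinct_users and distinct > flagged.get(ip, 0):
                flagged[ip] = distinct
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Successful logins from an IP already flagged as spraying: these are the
    accounts most likely compromised and the first thing to triage."""
    return [(user, ip) for _, result, user, ip in events
            if result == "ok" and ip in flagged]


def detect_distributed_spray(events, bucket=timedelta(minutes=10), min_distinct_users=5):
    """Tenant-wide view for sprays spread across many IPs: per fixed time bucket,
    count distinct failing accounts and distinct source IPs, ignoring the source.
    Returns {bucket_start: (distinct_users, distinct_ips)} for buckets over the
    threshold. Fixed buckets can split a spray across a boundary; the per-IP
    rule above uses a sliding window to avoid that."""
    per_bucket = defaultdict(lambda: (set(), set()))
    for ts, result, user, ip in events:
        if result != "fail":
            continue
        key = ts - (ts - datetime.min) % bucket   # floor ts to the bucket start
        users, ips = per_bucket[key]
        users.add(user)
        ips.add(ip)
    return {k: (len(u), len(i)) for k, (u, i) in per_bucket.items()
            if len(u) >= min_distinct_users}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    flagged = detect_spray_per_ip(ev)
    print("spraying IPs:", flagged)
    print("logins to triage:", successes_from_flagged_ips(ev, flagged))
    print("tenant-wide buckets:", detect_distributed_spray(ev))
```

On the sample data the per-IP rule flags only 203.0.113.7 and hands back erin’s successful login for triage, while frank’s two typos stay below the radar. The five-IP spray at 04:00 produces one failure per address and is invisible to the per-IP rule, but the tenant-wide bucket shows five distinct accounts failing from five distinct sources inside ten minutes, which is the signal a denylist alone would miss.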
There will probably never be a surefire way to stop every kind of attack, but hardware MFA is affordable, simple, and dramatically improves protection for credentials. Combined with password screening and monitoring for the spray pattern, MFA is an essential layer of defense against unauthorized access. It may seem like a minor security measure, but the payoff is enormous.
To learn more about strengthening your company's security against bad actors, reach out to us, we'd love to help!