ADFS Password Spray - Single IP Targeting Multiple Accounts
02 ADFS Password Spray Single IP
Query
let SprayErrors = dynamic(["50126", "50034", "50053", "396083"]);
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (SprayErrors)
| summarize
TargetCount = dcount(UserPrincipalName),
Targets = make_set(UserPrincipalName, 30),
FailCount = count(),
ErrorCodes = make_set(ErrorCode),
UserAgents = make_set(UserAgent),
Countries = make_set(Location),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by IPAddress
| where TargetCount > 10
| order by TargetCount descExplanation
This query is designed to detect potential password spray attacks targeting Active Directory Federation Services (ADFS). Here's a simplified breakdown of what it does:
-
Purpose: The query identifies instances where a single IP address is causing multiple credential errors (like invalid passwords or locked accounts) across more than 10 different ADFS accounts within a 24-hour period. This pattern is indicative of a password spray attack, where an attacker tries common passwords across many accounts to avoid triggering lockouts.
-
Severity and Techniques: The severity of this detection is marked as "High," and it aligns with the MITRE ATT&CK technique T1110, which involves brute force attacks like password spraying.
-
Data Source: It uses data from Azure Active Directory, specifically the ADFSSignInLogs, to find these patterns.
-
Query Logic:
- It looks at sign-in logs from the past day.
- Filters for specific error codes that indicate credential failures.
- Summarizes the data by counting distinct user accounts targeted by each IP address.
- Checks if an IP address has targeted more than 10 accounts.
- Orders the results by the number of accounts targeted.
-
Alerting: If the query finds any IP addresses meeting these criteria, it generates an alert. The alert includes details like the number of accounts targeted and the number of failed attempts, suggesting a possible password spray attack.
-
Incident Management: The system is configured to create an incident for each alert, grouping alerts by IP address to manage them efficiently.
Overall, this query helps security teams identify and respond to stealthy password spray attacks on ADFS systems by monitoring for suspicious login patterns from single IP addresses.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 4h
Period: 1d