Query Details

16 Password Spray Non Interactive

Query

id: d1e7f9a0-b5c6-8d2e-3f4a-5b6c7d8e9f0a
name: Password Spray Attack via Non-Interactive Sign-Ins
version: 1.0.0
kind: Scheduled
description: |
  Detects horizontal password spray attacks via non-interactive sign-ins where a single
  source IP attempts authentication against many different user accounts using the same
  common password guesses. The attacker targets many accounts to stay below per-account
  lockout thresholds. Non-interactive spray is stealthy because it skips MFA prompts.
  MITRE ATT&CK: T1110.003 (Password Spraying)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110
query: |
  let SprayErrors = dynamic(["50126", "50034", "50053"]);
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | extend ErrorCode = tostring(ResultType)
  | where ErrorCode in (SprayErrors)
  | summarize
      TargetCount = dcount(UserPrincipalName),
      Targets     = make_set(UserPrincipalName, 30),
      FailCount   = count(),
      ErrorCodes  = make_set(ErrorCode),
      UserAgents  = make_set(UserAgent),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated)
    by IPAddress, Location
  | where TargetCount > 10
  | order by TargetCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  TargetedAccounts: TargetCount
  FailedAttempts: FailCount
  Country: Location
  ErrorCodes: ErrorCodes
alertDetailsOverride:
  alertDisplayNameFormat: "Password Spray from {{IPAddress}} targeting {{TargetCount}} accounts"
  alertDescriptionFormat: "IP {{IPAddress}} targeted {{TargetCount}} accounts with {{FailCount}} non-interactive sign-in failures. Matches a horizontal password spray pattern."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT2H
    matchingMethod: AnyAlert
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect a specific type of cyber attack known as a "password spray attack" carried out through non-interactive sign-ins. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies attempts where a single IP address tries to log into many different user accounts using common passwords. Spreading the guesses across many accounts avoids triggering account lockouts, which usually happen only after multiple failed attempts on a single account.

  2. Data Source: The query uses logs from Azure Active Directory, specifically the non-interactive sign-in logs. These record sign-ins performed by a client on the user's behalf without the user being present, so no multi-factor authentication (MFA) prompt is shown.

  3. Detection Criteria:

    • It looks for specific error codes (50126, 50034, 50053) that indicate failed login attempts.
    • It checks for these errors within the last hour.
    • It counts how many different user accounts were targeted from the same IP address (grouped by IP and location).
    • It flags cases where more than 10 accounts were targeted from a single IP.

  4. Output: The query summarizes the findings by listing:

    • The number of targeted accounts.
    • The specific accounts targeted (up to 30 are kept).
    • The number of failed attempts.
    • The error codes encountered.
    • The user agents used.
    • The time range of the attempts (first and last seen).

  5. Alerting: If the criteria are met, it generates an alert with details like the IP address, the number of accounts targeted, and the number of failed attempts. This helps security teams quickly identify and respond to potential threats.

  6. Incident Management: The query is set up to create an incident if an attack is detected, and to group related alerts from the same IP address within a two-hour window into one incident for better incident management.

Overall, this query helps in identifying stealthy password spray attacks that could compromise multiple accounts without triggering standard security measures like account lockouts.
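To show what the rule's filter and summarize steps actually compute, here is an added Python reimplementation of the query's logic run over constructed sample sign-in records (example code, not part of the original rule; the record fields mirror the AADNonInteractiveUserSignInLogs columns the query uses, and the IP addresses, accounts and timestamps are made up). The spraying IP hits 12 distinct accounts and is flagged; an IP hammering a single account, a successful sign-in, a conditional access error and a record older than the one-hour window are not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes the rule treats as spray indicators (same set as the KQL):
# 50126 invalid username/password, 50034 user not found, 50053 account locked / sign-in blocked.
SPRAY_ERRORS = {"50126", "50034", "50053"}
TARGET_THRESHOLD = 10  # mirrors `| where TargetCount > 10`
BASE = datetime(2026, 5, 29, 10, 0)  # constructed timestamp for the sample records


def sample_signin_logs():
    """Constructed AADNonInteractiveUserSignInLogs-style records (sample data, not real logs)."""
    def row(minute, ip, upn, code):
        return {"TimeGenerated": BASE + timedelta(minutes=minute), "IPAddress": ip, "Location": "US",
                "UserPrincipalName": upn, "ResultType": code, "UserAgent": "sample-client/1.0"}
    logs = [row(i, "203.0.113.10", f"user{i}@example.com", "50126") for i in range(12)]  # horizontal spray
    logs += [row(i, "198.51.100.7", "alice@example.com", "50126") for i in range(15)]    # one account only
    logs += [row(-180, "203.0.113.10", "stale@example.com", "50126"),  # 3h old: outside the 1h window
             row(1, "192.0.2.5", "bob@example.com", "0"),             # success: ignored
             row(2, "192.0.2.5", "carol@example.com", "53003")]       # CA block: not a spray code
    return logs


def detect_password_spray(logs, now, lookback=timedelta(hours=1)):
    """Python equivalent of the rule's KQL: keep spray error codes inside the lookback window,
    summarize by (IPAddress, Location) and return groups hitting more than TARGET_THRESHOLD accounts."""
    groups = defaultdict(lambda: {"Targets": set(), "FailCount": 0, "ErrorCodes": set(),
                                  "UserAgents": set(), "Times": []})
    for r in logs:
        if r["TimeGenerated"] <= now - lookback:  # `where TimeGenerated > ago(1h)`
            continue
        code = str(r["ResultType"])  # `extend ErrorCode = tostring(ResultType)`
        if code not in SPRAY_ERRORS:  # `where ErrorCode in (SprayErrors)`
            continue
        g = groups[(r["IPAddress"], r["Location"])]
        g["Targets"].add(r["UserPrincipalName"])
        g["FailCount"] += 1
        g["ErrorCodes"].add(code)
        g["UserAgents"].add(r["UserAgent"])
        g["Times"].append(r["TimeGenerated"])
    alerts = [{"IPAddress": ip, "Location": loc, "TargetCount": len(g["Targets"]),
               "Targets": sorted(g["Targets"])[:30], "FailCount": g["FailCount"],  # make_set(..., 30)
               "ErrorCodes": sorted(g["ErrorCodes"]), "UserAgents": sorted(g["UserAgents"]),
               "FirstSeen": min(g["Times"]), "LastSeen": max(g["Times"])}
              for (ip, loc), g in groups.items() if len(g["Targets"]) > TARGET_THRESHOLD]
    return sorted(alerts, key=lambda a: a["TargetCount"], reverse=True)  # `order by TargetCount desc`


def demo_alerts():
    """Run the detection over the sample records as of 30 minutes after BASE (what the rule would alert on)."""
    return detect_password_spray(sample_signin_logs(), now=BASE + timedelta(minutes=30))
```

Raising TARGET_THRESHOLD or narrowing SPRAY_ERRORS here is the same tuning you would apply to the KQL before deploying it in a tenant where service accounts legitimately fail from shared egress IPs.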

Details

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, AADNonInteractiveUserSignInLogs, User, IPAddress, Location, ErrorCode, UserPrincipalName, UserAgent, TimeGenerated

Operators

let, dynamic, where, ago, extend, tostring, in, summarize, dcount, make_set, count, min, max, by, order by, desc