Query Details

Password Spray Attack via Non-Interactive Sign-Ins

16 Password Spray Non Interactive

Query

let SprayErrors = dynamic(["50126", "50034", "50053"]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (SprayErrors)
| summarize
    TargetCount = dcount(UserPrincipalName),
    Targets     = make_set(UserPrincipalName, 30),
    FailCount   = count(),
    ErrorCodes  = make_set(ErrorCode),
    UserAgents  = make_set(UserAgent),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by IPAddress, Location
| where TargetCount > 10
| order by TargetCount desc

Explanation

This query is designed to detect a specific type of cyber attack known as a "password spray attack" using non-interactive sign-ins. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies attempts where a single IP address tries to log into many different user accounts using common passwords. This is done to avoid triggering account lockouts, which usually happen after multiple failed attempts on a single account.

  2. Data Source: The query uses logs from Azure Active Directory, specifically focusing on non-interactive sign-ins, which are attempts that don't involve user interaction, like skipping multi-factor authentication (MFA).

  3. Detection Criteria:

    • It looks for specific error codes (50126, 50034, 50053) that indicate failed login attempts.
    • It checks for these errors within the last hour.
    • It counts how many different user accounts were targeted from the same IP address.
    • It flags cases where more than 10 accounts were targeted from a single IP.
  4. Output: The query summarizes the findings by listing:

    • The number of targeted accounts.
    • The specific accounts targeted.
    • The number of failed attempts.
    • The error codes encountered.
    • The user agents used.
    • The time range of the attempts.
  5. Alerting: If the criteria are met, it generates an alert with details like the IP address, the number of accounts targeted, and the number of failed attempts. This helps security teams quickly identify and respond to potential threats.

  6. Incident Management: The query is set up to create an incident if an attack is detected, with options to group related alerts by IP address for better incident management.

Overall, this query helps in identifying stealthy password spray attacks that could compromise multiple accounts without triggering standard security measures like account lockouts.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserIPAddressLocationErrorCodeUserPrincipalNameUserAgentTimeGenerated

Operators

letdynamicwhereagoextendtostringinsummarizedcountmake_setcountminmaxbyorder bydesc

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub