Password Spray Attack via Non-Interactive Sign-Ins
16 Password Spray Non Interactive
Query
let SprayErrors = dynamic(["50126", "50034", "50053"]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (SprayErrors)
| summarize
TargetCount = dcount(UserPrincipalName),
Targets = make_set(UserPrincipalName, 30),
FailCount = count(),
ErrorCodes = make_set(ErrorCode),
UserAgents = make_set(UserAgent),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by IPAddress, Location
| where TargetCount > 10
| order by TargetCount descExplanation
This query is designed to detect a specific type of cyber attack known as a "password spray attack" using non-interactive sign-ins. Here's a simple breakdown of what the query does:
-
Purpose: It identifies attempts where a single IP address tries to log into many different user accounts using common passwords. This is done to avoid triggering account lockouts, which usually happen after multiple failed attempts on a single account.
-
Data Source: The query uses logs from Azure Active Directory, specifically focusing on non-interactive sign-ins, which are attempts that don't involve user interaction, like skipping multi-factor authentication (MFA).
-
Detection Criteria:
- It looks for specific error codes (50126, 50034, 50053) that indicate failed login attempts.
- It checks for these errors within the last hour.
- It counts how many different user accounts were targeted from the same IP address.
- It flags cases where more than 10 accounts were targeted from a single IP.
-
Output: The query summarizes the findings by listing:
- The number of targeted accounts.
- The specific accounts targeted.
- The number of failed attempts.
- The error codes encountered.
- The user agents used.
- The time range of the attempts.
-
Alerting: If the criteria are met, it generates an alert with details like the IP address, the number of accounts targeted, and the number of failed attempts. This helps security teams quickly identify and respond to potential threats.
-
Incident Management: The query is set up to create an incident if an attack is detected, with options to group related alerts by IP address for better incident management.
Overall, this query helps in identifying stealthy password spray attacks that could compromise multiple accounts without triggering standard security measures like account lockouts.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h