Password Spray Attack via Non-Interactive Sign-Ins
16 Password Spray Non Interactive
Query
let SprayErrors = dynamic(["50126", "50034", "50053"]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (SprayErrors)
| summarize
TargetCount = dcount(UserPrincipalName),
Targets = make_set(UserPrincipalName, 30),
FailCount = count(),
ErrorCodes = make_set(ErrorCode),
UserAgents = make_set(UserAgent),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by IPAddress, Location
| where TargetCount > 25
| order by TargetCount descExplanation
This query is designed to detect password spray attacks, which are attempts to gain unauthorized access to multiple user accounts by trying common passwords. Here's a simple breakdown of what the query does:
-
Purpose: It identifies password spray attacks using non-interactive sign-ins. These attacks involve trying to log in to many accounts from a single IP address using common passwords, avoiding account lockouts by spreading attempts across multiple accounts.
-
Data Source: The query uses data from Azure Active Directory's non-interactive user sign-in logs.
-
Detection Logic:
- It looks for specific error codes (
50126,50034,50053) that indicate failed login attempts. - It checks for these errors within the last hour.
- It counts how many different user accounts were targeted from the same IP address and lists the accounts, error codes, and user agents involved.
- It flags any IP address that has attempted to access more than 25 different accounts.
- It looks for specific error codes (
-
Alerting:
- If such activity is detected, an alert is generated with details like the IP address, number of targeted accounts, and number of failed attempts.
- The alert is labeled as a "Password Spray" attack and includes information about the location and error codes.
-
Severity and Response:
- The severity of the alert is marked as high.
- An incident is created for each alert, and similar alerts are grouped by IP address to manage them efficiently.
-
Additional Details:
- The alert includes custom details such as the number of targeted accounts, failed attempts, and the country of origin.
- The alert's display name and description are dynamically generated based on the IP address and the number of accounts targeted.
Overall, this query helps security teams identify and respond to stealthy password spray attacks that bypass multi-factor authentication by using non-interactive sign-ins.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h