Microsoft 365 Defender - password spray attacks
MD365 Password Spray Attacks
Query
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed"
| where isnotempty(RiskLevelDuringSignIn)
| where AccountObjectId == <Impacted User Account Object ID>
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25About this query
Explanation
The query is used to gather information about password spray attacks in Microsoft 365 Defender. It includes several queries to identify password spray activity, other activities from the alerted ISP, sign-in patterns for the impacted user, MFA fatigue attacks, MFA reset activities, and new email inbox rules created by the impacted user. These queries help determine whether the activity is suspicious and gather more information related to the password spray attack alerts.
Details

Alex Verboon
Released: June 4, 2023
Tables
IdentityLogonEvents
CloudAppEvents
AADSignInEventsBeta
AlertInfo
Keywords
Microsoft 365 DefenderIdentityLogonEventsCloudAppEventsAADSignInEventsBetaAlertInfo
Operators
|>==whereago()isnotempty()summarizebydcount()>=<bin()count()!=inarg_max()pack_array()containsprojecthas_all()mv-expandextendtostring()