Potential Password Spraying of Microsoft 365 User Accounts
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/01"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
11minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
12obtain unauthorized access to user accounts.
13"""
14false_positives = [
15 """
16 Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
17 positives.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Potential Password Spraying of Microsoft 365 User Accounts"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28risk_score = 73
29rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
30severity = "high"
31tags = [
32 "Domain: Cloud",
33 "Data Source: Microsoft 365",
34 "Use Case: Identity and Access Audit",
35 "Tactic: Credential Access",
36]
37timestamp_override = "event.ingested"
38type = "threshold"
39
40query = '''
41event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
42event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1110"
50name = "Brute Force"
51reference = "https://attack.mitre.org/techniques/T1110/"
52
53
54[rule.threat.tactic]
55id = "TA0006"
56name = "Credential Access"
57reference = "https://attack.mitre.org/tactics/TA0006/"
58
59[rule.threshold]
60field = ["source.ip"]
61value = 25
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- O365 Excessive Single Sign-On Logon Errors
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group
- AWS Management Console Brute Force of Root User Identity