Potential Password Spraying of Microsoft 365 User Accounts

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/01"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
13minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
14obtain unauthorized access to user accounts.
15"""
16false_positives = [
17    """
18    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
19    positives.
20    """,
21]
22from = "now-30m"
23index = ["filebeat-*", "logs-o365*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Potential Password Spraying of Microsoft 365 User Accounts"
27note = """## Setup
28
29The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30risk_score = 73
31rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
32severity = "high"
33tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
34type = "threshold"
35timestamp_override = "event.ingested"
36
37query = '''
38event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
39event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1110"
47name = "Brute Force"
48reference = "https://attack.mitre.org/techniques/T1110/"
49
50
51[rule.threat.tactic]
52id = "TA0006"
53name = "Credential Access"
54reference = "https://attack.mitre.org/tactics/TA0006/"
55
56[rule.threshold]
57field = ["source.ip"]
58value = 25

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Related rules

to-top