TL;DR: Password spraying targets many accounts with common passwords to avoid lockouts, and the article shows how that pattern affects Active Directory, VPNs, Citrix gateways, and Entra ID tenants, according to Semperis. Weak passwords, missing MFA, and exposed internet-facing login paths keep making this attack practical.
At a glance
What this is: An explainer on password spraying and its defensive and detection implications for hybrid identity environments.
Why it matters: It matters to IAM and NHI practitioners because exposed authentication paths and weak credential hygiene still let low-noise attacks reach identity systems before detection.
Context
Password spraying is a low-noise credential attack that tests common passwords across many accounts instead of hammering one account until it locks. In hybrid identity environments, that tactic becomes an IAM problem as soon as VPNs, Citrix gateways, Entra ID tenants, or internal Active Directory accounts can be reached from the internet.
The operational weakness is not the name of the attack but the way identity controls are often staged around human users while shared services, test tenants, and legacy access paths remain easier to probe. For NHI governance, the lesson is broader than password policy: unmanaged access paths and long-lived credentials create the conditions attackers need.
Key questions
Q: How should security teams defend against password spraying in hybrid identity environments?
A: Start with MFA on every internet-facing authentication path, then remove weak password acceptance wherever possible. Reduce exposed login surfaces by retiring unused tenants and legacy access points. Finally, centralise identity logs so repeated low-frequency failures across many accounts can be correlated before an attacker finds a valid login.
Q: Why is password spraying so effective against Active Directory and Entra ID?
A: It works because attackers spread attempts across many accounts, which avoids lockout thresholds and looks less suspicious than brute force. The attack becomes more effective when identity systems expose multiple login surfaces, weak passwords remain accepted, or MFA is not uniformly enforced.
Q: What is the difference between password spraying and brute-force attacks?
A: Brute force concentrates repeated guesses on one account until it fails or locks. Password spraying uses a small set of common passwords across many accounts to stay under lockout thresholds and reduce alerting, which makes it better suited to large identity populations.
Q: When should organisations treat login failures as a password spraying event?
A: Treat them as spraying when many accounts fail with the same password pattern, especially from shared source ranges, proxy networks, or geographically unusual access. Low-frequency attempts across multiple identities are often more dangerous than a burst against one account because they are designed to evade detection.
Technical breakdown
How password spraying avoids account lockout controls
Password spraying works by distributing a small number of login attempts across many accounts, usually with common or previously exposed passwords. That lowers the chance of hitting lockout thresholds that would trigger obvious alarms. In Active Directory and Entra ID environments, the technique succeeds when authentication telemetry is fragmented, MFA coverage is incomplete, or legacy endpoints still accept password-based logins. The attacker is not trying to guess one user quickly. They are trying to look like ordinary failed logons across a broad set of identities until one succeeds.
Practical implication: Treat repeated low-frequency failures across many accounts as a distinct detection pattern, not as isolated user mistakes.
Why exposed identity entry points increase spray risk
Internet-facing systems such as VPNs, Citrix gateways, and remote desktop access paths often sit in front of the identity plane. If those systems authenticate against Active Directory or Entra ID, they become the first place attackers test password sprays. The risk rises further when non-production tenants, legacy test applications, or stale access paths still trust password-only authentication. In practice, the attack surface is the collection of reachable identity endpoints, not just the directory itself. That is why hybrid identity needs perimeter-aware control design as much as directory hardening.
Practical implication: Inventory every externally reachable authentication path and remove or harden any endpoint that can be used as a spray target.
How detection shifts from password failures to identity behaviour
Effective detection is less about a single failed login and more about patterns: many accounts failing from a shared source range, low-frequency attempts over time, and unusual geography or proxy use. Centralised logging into a SIEM helps, but attackers can still blend in by throttling activity or using residential proxies. That means defenders need behavioural correlation across VPN, directory, and cloud identity logs. In NHI terms, this is a visibility and correlation problem, because attack signals are scattered across multiple identity trust domains.
Practical implication: Correlate authentication telemetry across cloud and on-prem identity systems before the attacker can pivot from one weak point to another.
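The shift described in this breakdown, from counting failures per account to correlating failures per source across directory, cloud and remote-access logs, is made concrete in the following added example. It is not Semperis's or NHIMG's code. It normalises three constructed log shapes (a Windows security-log style record, an Entra sign-in style record and a hypothetical VPN gateway line) into one schema, shows that a per-account lockout rule sees nothing, then flags a source IP that fails against many accounts with a single attempt each and marks a later success from that IP as a probable compromise. The record layouts, the example.com tenant and the addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Common schema every log is normalised into; source is "ad", "entra" or "vpn".
AuthEvent = namedtuple("AuthEvent", "ts user src_ip source success")


def _ts(value):
    # fromisoformat() before Python 3.11 rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Normalisers for three log shapes; field names follow each product's style, but every record is constructed.
def parse_windows(rec):
    """Security log record: event 4624 is a successful logon, 4625 a failure."""
    return AuthEvent(_ts(rec["TimeCreated"]), rec["TargetUserName"].lower(),
                     rec["IpAddress"], "ad", rec["EventID"] == 4624)


def parse_entra(rec):
    """Sign-in record: status.errorCode 0 is success, anything else a failure."""
    return AuthEvent(_ts(rec["createdDateTime"]), rec["userPrincipalName"].split("@")[0].lower(),
                     rec["ipAddress"], "entra", rec["status"]["errorCode"] == 0)


VPN_LINE = re.compile(r"^(?P<ts>\S+) vpn-gw auth (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_vpn(line):
    """Gateway syslog line in a hypothetical format matched by VPN_LINE."""
    m = VPN_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised VPN line: {line!r}")
    return AuthEvent(_ts(m["ts"]), m["user"].lower(), m["ip"], "vpn", m["result"] == "ok")


def lockout_rule(events, threshold=5):
    """Classic per-account rule; a spray that stays under the lockout limit never appears here."""
    fails = Counter(e.user for e in events if not e.success)
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_spray(events, window=timedelta(minutes=60), min_accounts=5):
    """One finding per source IP whose failures inside `window` hit at least `min_accounts`
    distinct accounts, however few failures each saw; a later success from that IP is reported."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.success]
        best, best_n, start = None, 0, 0
        for end in range(len(fails)):          # sliding window over the failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {e.user for e in fails[start:end + 1]}
            if len(users) >= min_accounts and len(users) > best_n:
                best, best_n = fails[start:end + 1], len(users)
        if best is None:
            continue
        per_user = Counter(e.user for e in best)
        findings.append({
            "src_ip": ip,
            "accounts": len(per_user),
            "max_failures_per_account": max(per_user.values()),
            "sources": sorted({e.source for e in best}),
            "compromised": sorted({e.user for e in evs if e.success and e.ts >= best[0].ts}),
        })
    return findings


# Constructed sample: 203.0.113.7 tries one password per account across all three logs and
# finally gets into frank's account; 198.51.100.20 is a real user who mistypes twice, then signs in.
ATTACKER, HOME_USER = "203.0.113.7", "198.51.100.20"
WINDOWS_RECORDS = [
    {"TimeCreated": "2024-01-25T08:00:00Z", "EventID": 4625, "TargetUserName": "Alice", "IpAddress": ATTACKER},
    {"TimeCreated": "2024-01-25T08:09:00Z", "EventID": 4625, "TargetUserName": "Erin", "IpAddress": ATTACKER},
    {"TimeCreated": "2024-01-25T08:02:00Z", "EventID": 4625, "TargetUserName": "Gina", "IpAddress": HOME_USER},
    {"TimeCreated": "2024-01-25T08:03:00Z", "EventID": 4625, "TargetUserName": "Gina", "IpAddress": HOME_USER},
    {"TimeCreated": "2024-01-25T08:05:00Z", "EventID": 4624, "TargetUserName": "Gina", "IpAddress": HOME_USER},
]
ENTRA_RECORDS = [
    {"createdDateTime": "2024-01-25T08:06:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": ATTACKER, "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-01-25T08:20:00Z", "userPrincipalName": "frank@example.com",
     "ipAddress": ATTACKER, "status": {"errorCode": 0}},
]
VPN_LINES = [
    "2024-01-25T08:03:00Z vpn-gw auth failed user=bob src=203.0.113.7",
    "2024-01-25T08:12:00Z vpn-gw auth failed user=dave src=203.0.113.7",
    "2024-01-25T08:15:00Z vpn-gw auth failed user=frank src=203.0.113.7",
]


def load_events():
    return ([parse_windows(r) for r in WINDOWS_RECORDS] + [parse_entra(r) for r in ENTRA_RECORDS]
            + [parse_vpn(line) for line in VPN_LINES])
```

Running `lockout_rule(load_events())` returns an empty list: no account reaches five failures, so a per-account rule is silent. `detect_spray(load_events())` returns one finding for 203.0.113.7 covering six accounts across the ad, entra and vpn sources with at most one failure per account, and lists frank as compromised because his VPN failure was followed by an Entra success from the same address. Seen from any single log, each of those events is just one failed logon.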
Threat narrative
Attacker objective: The attacker wants a low-noise foothold that bypasses lockout controls and opens a path to privileged access or persistent identity abuse.
- Entry occurs when attackers test common passwords across many externally reachable identity endpoints, including VPNs, Citrix gateways, and Entra ID tenants.
- Escalation happens after a successful guess or compromised low-friction account lets the attacker move into internal authentication paths or legacy test environments.
- Impact follows when the attacker uses that foothold to reach sensitive systems, disable defenses, or establish long-term access through trusted identity integrations.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Password spraying is not a password problem alone. It is an identity reachability problem. The attack succeeds when externally reachable authentication paths remain broad, weakly monitored, or inconsistently protected by MFA. That makes hybrid IAM architecture part of the control plane, not just the directory settings page. Practitioners should treat every reachable login surface as part of the identity attack surface.
Hybrid identity creates a wider blast radius than many teams model. When Active Directory, Entra ID, VPNs, and legacy test tenants share trust assumptions, a single successful spray can expose more than one environment. The discipline must shift from account-by-account hardening to end-to-end control of authentication entry points, trust paths, and service dependencies. Teams should re-evaluate every external login path as a potential initial access route.
Low-frequency attack traffic is a governance test, not merely a detection test. If logins fail quietly across many identities without triggering escalation, the organisation has a policy gap as much as an alerting gap. The right response is to set a higher governance bar for internet-facing authentication, especially where non-production or legacy access remains. Security teams should assume attackers will optimise for stealth, not volume.
Legacy and non-production identities are often the easiest spray targets. The article’s examples show how older tenants, test applications, and weaker MFA coverage become the path of least resistance. That pattern is typical, not exceptional, and it is why identity lifecycle discipline matters as much as perimeter tooling. Practitioners should retire unused tenants and remove stale trust relationships before attackers find them.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which leaves stale access in place long after it should be removed.
- Review 52 NHI Breaches Analysis for case patterns that show how weak identity hygiene turns initial access into broader compromise.
What this signals
Spray-resistant identity design now has to include non-human identities as well as people. As authentication estates expand, the same low-noise tactics that work against human accounts can also expose service accounts, test tenants, and other unmanaged identities. The governance question is no longer whether one login is protected, but whether the whole identity surface can withstand repeated low-frequency probing.
The programme implication is practical: teams need better correlation between cloud, directory, and remote-access logs, plus tighter lifecycle control over stale accounts and tenants. With only 5.7% of organisations having full visibility into their service accounts, identity teams cannot assume they know where the weak points are until they instrument them.
Identity reachability is the new exposure metric. If an attacker can reach it, test it, and blend into ordinary authentication noise, then it belongs in the same risk register as public services and exposed secrets. Practitioners should prioritise removal of dormant paths, stronger MFA coverage, and better telemetry before they chase finer-grained alert tuning.
For practitioners
- Enforce MFA on every internet-facing login path: Apply multifactor authentication to VPNs, Citrix gateways, Entra ID access, and any other reachable identity endpoint. Do not leave password-only fallback paths in place for convenience.
- Harden password policy and block weak credentials: Use password protection controls to deny commonly used or compromised passwords across Active Directory and cloud identity systems. Pair this with user education only after technical blocks are in place.
- Retire unused tenants and internet-facing systems: Decommission non-production tenants, stale test applications, and any public-facing systems no longer needed. Each one reduces the number of authentication surfaces attackers can spray.
- Centralise and correlate identity logs: Feed authentication events from directories, VPNs, remote access systems, and cloud identity into a SIEM so low-and-slow spraying patterns can be detected across domains.
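The second item above says to deny commonly used passwords; what makes such a control effective against spraying is normalisation, so that a banned base word does not get through by changing case, swapping letters for look-alike symbols or appending a year. The following added example illustrates that idea. It is not Semperis's or NHIMG's code and not the algorithm of any particular product; the banned list, the substitution table and the organisation term ExampleCorp are constructed for the example.

```python
import re

# Reverse the substitutions people use to dress up a banned word, so that
# "P@$$w0rd" and "password" normalise to the same string. Constructed table.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed global list; a real control would load a maintained list plus a
# breached-password feed. Terms shorter than four characters are ignored.
GLOBAL_BANNED = {"password", "welcome", "qwerty", "letmein",
                 "summer", "winter", "spring", "autumn"}


def normalise(password):
    """Lower-case, undo leet substitutions and drop non-letters at either end."""
    core = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def naive_blocked(password, banned=GLOBAL_BANNED):
    """Exact-match blocklist: the check that 'P@ssw0rd2024!' slips past."""
    return password.lower() in banned


def evaluate_password(password, banned=GLOBAL_BANNED, org_terms=(), min_length=12):
    """Return the reasons to reject `password`; an empty list means accept.
    Matching runs on the normalised form, so appending a year or swapping
    letters for symbols does not rescue a banned base word."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalise(password)
    for term in sorted(banned):
        if len(term) >= 4 and term in norm:
            reasons.append(f"contains banned term '{term}'")
    for term in org_terms:                  # company, product and site names
        if normalise(term) in norm:
            reasons.append(f"contains organisation term '{term}'")
    return reasons
```

`naive_blocked("P@ssw0rd2024!")` is False, while `evaluate_password("P@ssw0rd2024!")` rejects it for containing the banned term password; `evaluate_password("Summer2024")` is rejected both for length and for the seasonal base word, and a long passphrase with no banned or organisation term returns an empty list. The substring check against organisation terms is what stops the predictable company-name-plus-year pattern that a spray list is built from.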
Key takeaways
- Password spraying remains effective because it exploits breadth, not volume, in identity systems.
- Hybrid environments increase risk when external login paths, legacy tenants, and weak MFA coverage stay reachable.
- Practitioners should focus on MFA, access-path reduction, and cross-domain log correlation to shrink the attack surface.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication controls are central to stopping spray attacks against identity endpoints. |
| NIST Zero Trust (SP 800-207) | | Spray attacks exploit implicit trust in reachable login surfaces across hybrid identity. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Weak lifecycle control over access paths and identities increases spray exposure. |
Treat every identity entry point as untrusted and verify each authentication attempt continuously.
Key terms
- Password Spraying: Password spraying is a credential attack that tries a small number of common passwords across many accounts to avoid account lockouts. It succeeds when identity systems allow broad login reach, weak passwords remain valid, or detection focuses only on repeated failures against one user.
- Hybrid Identity: Hybrid identity is an environment where cloud and on-premises identity systems share authentication and trust relationships. In practice, it includes directories, remote access gateways, cloud tenants, and legacy systems that can all become part of the same attack surface if controls are uneven.
- Identity Attack Surface: Identity attack surface is the total set of accounts, tokens, login endpoints, trust paths, and supporting systems that can be probed for access. For password spraying, the risk grows with every externally reachable authentication path and every dormant or weakly protected identity.
- Non-Production Tenant: A non-production tenant is a test or development identity environment that is not intended for live business use. These tenants often retain weaker controls, stale credentials, or legacy integrations, which makes them attractive targets when attackers look for easier authentication paths.
Deepen your knowledge
Password spraying detection and identity hardening are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a control baseline for hybrid identity, it is a practical place to start.
This post draws on content published by Semperis: Password Spraying Explained for Active Directory security. Read the original.
Published by the NHIMG editorial team on 2024-01-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org