
Why do password spraying attacks evade common lockout controls?

By NHI Mgmt Group Editorial Team Updated May 27, 2026 Domain: Threats, Abuse & Incident Response

Password spraying evades common lockout controls because each account receives only a few guesses, which keeps the attacker below per-account thresholds. The attack works by spreading attempts across many identities and stretching them over time, so the signal looks like normal background authentication noise unless defenders correlate activity across the directory.

Why Password Spraying Slips Past Lockout Controls

Password spraying succeeds because it is designed to stay below the thresholds that lockout policies watch for. Instead of hammering one account until it locks, the attacker makes a few attempts per identity across a large set of usernames, then waits. That pattern keeps per-account failure counts low while still testing a weak or reused password at scale. Security teams often see the outcome before they see a clear authentication alarm.

This matters because the control is not broken so much as mismatched to the threat model. Lockout logic is effective against noisy brute force, but password spraying is closer to low-and-slow reconnaissance. As Ultimate Guide to NHIs — Key Challenges and Risks notes, visibility gaps around identity activity are common, and that same blind spot applies when attackers distribute attempts across many accounts. For practitioners, the real issue is correlation across the directory, not a single failed login stream. Guidance from CISA cyber threat advisories consistently emphasizes detection tuning for abnormal authentication patterns rather than relying on one control. In practice, many security teams encounter spraying only after successful access has already been obtained, rather than through a lockout trigger.

How Defenders Should Detect and Contain the Pattern

Effective defense starts with shifting from per-account lockout to tenant-wide and directory-wide correlation. That means watching for many usernames receiving one or two failures from the same source, the same ASN, the same user agent, or the same time window. The signal often becomes obvious only when analysts join authentication telemetry with VPN, SSO, and endpoint context. Research in The 52 NHI breaches Report shows how identity compromise frequently becomes a platform for wider access, which is why sprayed credentials should be treated as an early compromise indicator, not a nuisance event.

Practical controls include:

  • Correlation rules that flag distributed failures across many identities within a short period.
  • Risk-based step-up authentication when a pattern looks like spraying, especially from new geographies or unfamiliar devices.
  • Strong MFA for all privileged and remote access, with conditional access tied to device trust and location.
  • Detection of legacy protocols, because password spraying often targets accounts that still accept weaker authentication paths.
  • Honey accounts or canary identities to reveal broad password-testing activity without exposing production users.

On the implementation side, the MITRE ATLAS adversarial AI threat matrix is not a password-spraying guide, but it is useful for thinking about adaptive adversary behaviour and telemetry fusion, while 52 NHI Breaches Analysis reinforces how quickly identity abuse can widen once access is achieved. These controls tend to break down in hybrid environments with fragmented identity logs, because the attack pattern is dispersed across multiple directories and cloud tenants.

Common Exceptions, Limits, and Tuning Tradeoffs

Tighter lockout and throttling often increase user friction, so organisations have to balance abuse resistance against help-desk load and account recovery overhead. There is no universal standard for tuning these thresholds yet; current guidance suggests layered detection rather than aggressive universal lockouts, which can be turned into a denial of service against users.

Spraying is also easier to miss in environments with weak identity hygiene. If password reuse is common, even a well-tuned control will only slow the attacker, not stop them. That is why broader NHI governance matters: Ultimate Guide to NHIs — Why NHI Security Matters Now highlights the scale of identity exposure, and many of the same governance failures apply when service accounts, shared mailboxes, or stale accounts are still reachable through weak authentication paths.

Two edge cases deserve attention. First, attackers often slow the spray to avoid rate limits, so alerting windows must span hours or days, not minutes. Second, organisations with conditional access exceptions may inadvertently create bypass paths for legacy apps or service desks. This is where Anthropic — first AI-orchestrated cyber espionage campaign report is relevant at a pattern level: adversaries increasingly automate decision-making, so defenders need detection that is equally correlation-driven and context-aware. Best practice is evolving toward risk scoring, MFA enforcement, and rapid credential reset workflows rather than relying on lockout alone.
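The directory-wide correlation described under the practical controls above, together with the first edge case (alert windows that span hours, not minutes), as an added example that is not part of the original FAQ. It runs over a constructed sign-in log and flags a source that fails against many distinct accounts a few times each inside a sliding window, ignores a single-account brute force that per-account lockout already covers, and treats any attempt on a canary account as a finding on its own; all names, IPs and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry, not real logs: (timestamp, username, source_ip, outcome).
BASE = datetime(2026, 5, 27, 1, 0)
CANARY_USERS = {"svc-backup-legacy"}  # honey account: no legitimate client should ever try it
SPRAY_SRC, BRUTE_SRC, USER_SRC = "203.0.113.7", "198.51.100.9", "192.0.2.10"
EVENTS = (
    # low-and-slow spray: eight accounts, one or two failures each, spread over ~5 hours
    [(BASE + timedelta(minutes=40 * i), f"user{i:02d}", SPRAY_SRC, "fail") for i in range(8)]
    + [(BASE + timedelta(hours=5, minutes=5 * i), f"user{i:02d}", SPRAY_SRC, "fail") for i in range(4)]
    # the same source also touches the canary once
    + [(BASE + timedelta(hours=5, minutes=30), "svc-backup-legacy", SPRAY_SRC, "fail")]
    # noisy brute force on one account: per-account lockout already handles this shape
    + [(BASE + timedelta(seconds=s), "admin", BRUTE_SRC, "fail") for s in range(12)]
    # benign background noise: one user mistypes once, then signs in
    + [(BASE + timedelta(hours=2), "alice", USER_SRC, "fail"),
       (BASE + timedelta(hours=2, minutes=1), "alice", USER_SRC, "success")]
)


def detect_spray(events, window_minutes=360, min_users=5, max_per_user=3):
    """Return {source_ip: finding} for sources whose failures, inside any sliding window,
    hit at least min_users distinct accounts with no account failing more than max_per_user
    times (many identities, few guesses each). A canary hit is a finding on its own."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "fail":
            failures[src].append((ts, user))
    findings = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            canary_hit = bool(CANARY_USERS.intersection(per_user))
            spray = len(per_user) >= min_users and max(per_user.values()) <= max_per_user
            if spray or canary_hit:
                findings[src] = {"window_start": start, "distinct_users": len(per_user),
                                 "canary_hit": canary_hit,
                                 "verdict": "password_spray" if spray else "canary_touch"}
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(EVENTS).items():
        print(src, finding)
```

Shrinking the window to ten minutes makes the same spray disappear, which is the tuning trap the edge case warns about.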

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and abuse detection are central to stopping sprayed logins.
NIST CSF 2.0 | PR.AC-7 | Authentication outcomes need monitoring beyond simple account lockout thresholds.
NIST Zero Trust (SP 800-207) | AC-4 | Spraying bypasses perimeter thinking, so access must be continuously evaluated.

Enforce conditional, context-aware access and deny risky sign-ins in real time.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 27, 2026.