Query Details

Password Spray Attack via Non-Interactive Sign-Ins

16 Password Spray Non Interactive

Query

let SprayErrors = dynamic(["50126", "50034", "50053"]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (SprayErrors)
| summarize
    TargetCount = dcount(UserPrincipalName),
    Targets     = make_set(UserPrincipalName, 30),
    FailCount   = count(),
    ErrorCodes  = make_set(ErrorCode),
    UserAgents  = make_set(UserAgent),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by IPAddress, Location
| where TargetCount > 25
| order by TargetCount desc

Explanation

This query is designed to detect password spray attacks, which are attempts to gain unauthorized access to multiple user accounts by trying common passwords. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies password spray attacks using non-interactive sign-ins. These attacks involve trying to log in to many accounts from a single IP address using common passwords, avoiding account lockouts by spreading attempts across multiple accounts.

  2. Data Source: The query uses data from Azure Active Directory's non-interactive user sign-in logs.

  3. Detection Logic:

    • It looks for specific error codes (50126, 50034, 50053) that indicate failed login attempts.
    • It checks for these errors within the last hour.
    • It counts how many different user accounts were targeted from the same IP address and lists the accounts, error codes, and user agents involved.
    • It flags any IP address that has attempted to access more than 25 different accounts.
  4. Alerting:

    • If such activity is detected, an alert is generated with details like the IP address, number of targeted accounts, and number of failed attempts.
    • The alert is labeled as a "Password Spray" attack and includes information about the location and error codes.
  5. Severity and Response:

    • The severity of the alert is marked as high.
    • An incident is created for each alert, and similar alerts are grouped by IP address to manage them efficiently.
  6. Additional Details:

    • The alert includes custom details such as the number of targeted accounts, failed attempts, and the country of origin.
    • The alert's display name and description are dynamically generated based on the IP address and the number of accounts targeted.

Overall, this query helps security teams identify and respond to stealthy password spray attacks that bypass multi-factor authentication by using non-interactive sign-ins.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

PasswordSprayAttackNonInteractiveSignInsSourceIPAuthenticationUserAccountsGuessesLockoutThresholdsMFAPromptsMITREATTCKSprayingAzureActiveDirectoryAADInLogsTimeGeneratedErrorCodeResultTypePrincipalNameAddressLocationAgent

Operators

letdynamicwhereagoextendtostringinsummarizedcountmake_setcountminmaxbyorder bydesc

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub