
Password Spraying M365

This attack is not complex, as it only consists of "guessing" a user's password, but there are still some precautions we want to take:

  1. Slow spraying to avoid account lockouts
  2. Rotating IPs via proxies and/or VPNs to avoid IP blacklisting and to bypass location-based conditional access policies

The goal is to spray passwords in the "smartest" way possible, so the wordlist should be made of passwords gathered from OSINT or data leaks.

By default, M365 blocks an attacker after 10 failed login attempts within one minute.

To spray credentials on M365 we will use MSOLSpray, as it can spray even when MFA is enabled; note that this tool has no setting for account lockout thresholds, so the spraying speed has to be throttled by hand.

```powershell
Invoke-MSOLSpray -Userlist .\usersnames.list -Password "securepassword"
```
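From the defender's side, the two precautions above (slow spraying, rotating IPs) are exactly what detection logic over Entra ID sign-in logs has to account for: a spray shows up as many distinct users failing from one address, or, when IPs are rotated, as many distinct users each failing once from a different address in the same window. The following is an added example, not code from the original page or from MSOLSpray; the log records are constructed, the field names are simplified, and the window and threshold values are assumptions to be tuned per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Entra ID sign-in log records (not real data).
# Error 50126 is the sign-in error for an invalid username or password; 0 is success.
SIGNIN_LOG = [
    {"time": "2024-01-01T10:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-01T10:01:00", "user": "bob@example.com", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-01T10:02:00", "user": "carol@example.com", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-01T10:03:00", "user": "dave@example.com", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-01T10:05:00", "user": "erin@example.com", "ip": "198.51.100.7", "error": 50126},
    {"time": "2024-01-01T10:06:00", "user": "frank@example.com", "ip": "198.51.100.8", "error": 50126},
    {"time": "2024-01-01T10:07:00", "user": "grace@example.com", "ip": "198.51.100.9", "error": 50126},
    {"time": "2024-01-01T10:30:00", "user": "alice@example.com", "ip": "192.0.2.10", "error": 0},
]

def failed_logons(log):
    return [e for e in log if e["error"] != 0]

def max_distinct_users(events, window):
    """Largest number of distinct users with a failed sign-in inside any sliding time window."""
    events = sorted(events, key=lambda e: e["time"])
    times = [datetime.fromisoformat(e["time"]) for e in events]
    best = start = 0
    for end in range(len(events)):
        while times[end] - times[start] > window:  # drop events that fell out of the window
            start += 1
        best = max(best, len({e["user"] for e in events[start:end + 1]}))
    return best

def detect_spray_by_ip(log, window=timedelta(minutes=10), min_users=3):
    """One source hitting many accounts: the classic single-IP spray signature."""
    by_ip = defaultdict(list)
    for e in failed_logons(log):
        by_ip[e["ip"]].append(e)
    hits = {ip: max_distinct_users(evs, window) for ip, evs in by_ip.items()}
    return {ip: n for ip, n in hits.items() if n >= min_users}

def detect_spray_rotating_ips(log, window=timedelta(minutes=10), min_users=3):
    """Tenant-wide view over IPs that individually stay below the per-IP threshold:
    many accounts each failing from a different address within the same window."""
    noisy = detect_spray_by_ip(log, window, min_users)
    quiet = [e for e in failed_logons(log) if e["ip"] not in noisy]
    users = max_distinct_users(quiet, window)
    ips = len({e["ip"] for e in quiet})
    return {"users": users, "ips": ips} if users >= min_users and ips >= min_users else None

if __name__ == "__main__":
    print(detect_spray_by_ip(SIGNIN_LOG))         # {'203.0.113.5': 4}
    print(detect_spray_rotating_ips(SIGNIN_LOG))  # {'users': 3, 'ips': 3}
```

The per-IP rule alone misses the rotated addresses 198.51.100.7-9, which is why the second, tenant-wide count is needed; in production the same logic is usually expressed as a KQL query over the SigninLogs table rather than run over an export.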