Password Spraying M365
This attack is not complex, as it only consists of "guessing" a user's password, but there are still some precautions we want to take:
- Slow spraying to avoid account lockouts
- Rotating IPs via proxies and/or VPNs to avoid IP blacklisting and to bypass location-based conditional access policies
The goal is to spray passwords in the "smartest" way possible, so the wordlist should be built from passwords gathered through OSINT or from data leaks.
By default, M365 blocks attackers after 10 failed login attempts per minute.
To spray credentials on M365 we will use MSOLSpray, as it allows spraying even when MFA is enabled; note that this tool has no setting for account lockout thresholds, so the pacing has to be handled by the operator.
Invoke-MSOLSpray -Userlist .\usersnames.list -Password "securepassword"
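From the defender's side, the pattern described above (few attempts per account, many accounts, one source, slowed down and spread over rotating IPs) is exactly what a sign-in log detection looks for. The following is an added example, not code from this page or from the MSOLSpray project: it groups failed sign-ins by source IP and flags any source that fails against many distinct accounts inside a sliding window, then checks whether that same source later succeeded against one of the sprayed accounts. The event shape and error codes are assumed to mirror Entra ID sign-in log fields (userPrincipalName, ipAddress, createdDateTime, status.errorCode; 50126 = invalid credentials, 0 = success), and all sample events are constructed.

```python
"""Detect password-spray patterns in M365 / Entra ID sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, user, ip, code):
    # Assumed field names, modelled on Entra ID sign-in log records.
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample log: one spraying source, one normal user, one stale failure.
SAMPLE_EVENTS = [
    # Spray from 198.51.100.7: eight different accounts, one failure each, within 8 minutes
    *[_event(f"2024-03-01T08:0{i}:00Z", f"user{i}@example.com", "198.51.100.7", 50126)
      for i in range(8)],
    # The same source later succeeds against one of the sprayed accounts
    _event("2024-03-01T08:09:00Z", "user3@example.com", "198.51.100.7", 0),
    # Ordinary user mistyping her own password twice, then succeeding
    _event("2024-03-01T08:02:00Z", "alice@example.com", "203.0.113.5", 50126),
    _event("2024-03-01T08:02:30Z", "alice@example.com", "203.0.113.5", 50126),
    _event("2024-03-01T08:03:00Z", "alice@example.com", "203.0.113.5", 0),
    # A failure from the spray source hours earlier, outside any 60-minute window
    _event("2024-03-01T02:00:00Z", "user9@example.com", "198.51.100.7", 50126),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, key=lambda e: e["ipAddress"],
                 window=timedelta(minutes=60), min_users=5):
    """Return {group: finding} for every group (by default: source IP) whose
    failed sign-ins hit at least `min_users` distinct accounts within `window`.

    A finding lists the number of distinct accounts, the window start, and any
    accounts in that set the same group successfully signed into afterwards.
    """
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)

    findings = {}
    for group, evs in groups.items():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        failures = [e for e in evs if e["status"]["errorCode"] != 0]

        # Sliding window: for each failure as a start point, collect the distinct
        # accounts failed within `window`; keep the largest set seen.
        best_users, best_start = set(), None
        for i, start in enumerate(failures):
            t0 = parse_ts(start["createdDateTime"])
            users = {e["userPrincipalName"] for e in failures[i:]
                     if parse_ts(e["createdDateTime"]) - t0 <= window}
            if len(users) > len(best_users):
                best_users, best_start = users, t0

        if len(best_users) >= min_users:
            # A success against a sprayed account after the spray began is the
            # highest-priority signal: the guess most likely landed.
            successes = sorted({
                e["userPrincipalName"] for e in evs
                if e["status"]["errorCode"] == 0
                and e["userPrincipalName"] in best_users
                and parse_ts(e["createdDateTime"]) >= best_start
            })
            findings[group] = {
                "distinct_users": len(best_users),
                "window_start": best_start.isoformat(),
                "successes_after_spray": successes,
            }
    return findings


if __name__ == "__main__":
    for group, finding in detect_spray(SAMPLE_EVENTS).items():
        print(group, finding)
```

Because the page notes that attackers rotate source IPs, a per-IP rule alone is easy to slip past; the `key` argument exists so the same logic can be run tenant-wide (`key=lambda e: "tenant"`), which collapses all sources and counts distinct accounts failing in the window regardless of where the attempts came from. The trade-off is more noise from legitimate typos, so tenant-wide thresholds should sit higher than per-IP ones.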