How to Detect and Block Password Spray Attacks in Microsoft 365 Using Sentinel or Audit Logs

by Lauren Ballejos, IT Editorial Expert

Key points

  • How to detect a password spraying attack
    • Use Microsoft Sentinel + KQL queries to correlate repeated login failures across users or from single IPs and trigger alerts.
    • Enable Unified Audit Log in Microsoft Purview to collect login failure data and search with PowerShell.
    • Use PowerShell commands to identify legacy protocol usage (IMAP, POP, SMTP, MAPI) as common attack vectors.
    • Enforce GPO account lockout policies and disable basic auth via registry/Group Policy to reduce spray surface.
  • Protect your entire infrastructure from password spraying and other attacks
    • Tune detection queries to exclude trusted IPs/regions and adjust thresholds to limit false positives.
    • Automate incident response: block suspicious IPs, disable compromised accounts, and enforce MFA across all users.
    • Integrate with RMM platforms to centralize alerting, script deployment, and remediation across your infrastructure.

This guide shows you how to detect and block password spray attacks in Microsoft 365. It covers strategies for monitoring logs for signs of attack, including using Microsoft Sentinel and the KQL language, Unified Audit logs, PowerShell to detect legacy auth usage, and scanning logs using commands that can be run from the command prompt or using security automation tools.

How do you detect a password spraying attack?

Password spray attacks are brute-force attacks where hackers attempt to access multiple accounts using common or leaked passwords. While modern authentication methods (like MFA) help block this, attackers will often exploit legacy authentication methods (like basic email and username credentials used to access email via POP3) or login portals to try to bypass them in environments that are yet to fully transition to more secure authentication methods.

These password spray attacks can be detected by monitoring logs for repeated failed login attempts and suspicious activity on legacy authentication endpoints. Automation is key when detecting and mitigating password spray attacks, as any unauthorized access must be blocked immediately, and the affected users’ credentials updated.

The key goals of automating the protection of Microsoft 365 from password spray attacks should include:

  • Detecting failed login patterns across multiple accounts
  • Correlating login attempts from unusual IPs or geolocations
  • Blocking legacy authentication
  • Automating lockouts or alert generation upon detection
  • Hardening systems using policy, script, and registry changes

Before you can implement the automated prevention of password spraying, you’ll need:

  • A Microsoft 365 tenant with auditing enabled
  • Azure Sentinel or Microsoft 365 Defender Plan 2 (for advanced hunting)
  • Unified audit log enabled in Microsoft Purview
  • Admin access for Microsoft Graph, PowerShell, and GPO configuration

Endpoint protection and automation can be enhanced by integrating your Microsoft 365 deployments with remote monitoring and management (RMM), allowing for centralized monitoring and alerting with the ability to automate remediation actions across your infrastructure.

Using Microsoft Sentinel and KQL to detect password spray patterns

The Kusto Query Language (KQL) can be used to query Microsoft Sentinel to detect behavior that may identify password spray attacks. Below is an example KQL query that finds accounts with repeated failed sign-ins from the same IP address (result type 50053 is returned when an account has been locked after too many failed attempts, or when the sign-in was blocked because of the source IP):

SigninLogs
| where ResultType == 50053
| summarize Attempts = count() by UserPrincipalName, IPAddress
| where Attempts > 5

KQL Example 2 – Monitor login failures from the same IP targeting multiple users (result type 50126 is an invalid username or password):

SigninLogs
| where ResultType == 50053 or ResultType == 50126
| summarize CountByIP = count(), AccountsTargeted = dcount(UserPrincipalName) by IPAddress
| where AccountsTargeted > 10 and CountByIP > 30

KQL Example 3 – Filter out known safe locations by adding a filter line before the summarize step of the previous query (Location is the country/region code recorded in SigninLogs; replace the placeholder with your own value):

| where Location != "YourSafeLocation"

These queries can be used to set up Sentinel Analytics Rules that trigger alerts when the thresholds are exceeded.

Using Microsoft 365 unified audit logs in Purview for lightweight detection

Enable the unified audit log in Microsoft Purview, using the following command in Exchange Online PowerShell:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Then, you can search failed login attempts using the command:

# AuditData is returned as a JSON string, so it has to be expanded with ConvertFrom-Json
# before its properties can be filtered. UserLoginFailed is the operation recorded for
# failed sign-ins; UserLoggedIn is kept as well so that failed records of that type are not missed.
$failed = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) -Operations UserLoggedIn,UserLoginFailed -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.ResultStatus -eq "Failed" }

Analysis tools can then be used to correlate these entries with IP addresses and frequency to infer attack attempts, and then block these sources. You can export the failed records collected above in .csv format for this purpose:

$failed | Select-Object CreationTime, UserId, ClientIP, Operation, ResultStatus |
    Export-Csv -Path "C:\Logs\M365_LoginFailures.csv" -NoTypeInformation
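The correlation step described above (grouping failed sign-ins by source IP and counting the distinct accounts each one targeted) is the same logic the two KQL examples in the Sentinel section express, just run offline over exported audit data. The following Python script is an added example and is not code from the article or from NinjaOne. It assumes rows in the shape Search-UnifiedAuditLog returns, i.e. an AuditData JSON string carrying CreationTime, UserId, ClientIP, ResultStatus and Operation; the sample rows, the trusted-IP allowlist, the clock value and the account names are all constructed for the demonstration, and the thresholds are copied from the KQL examples.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds copied from the KQL examples in this article; tune them to your tenant.
WINDOW = timedelta(hours=1)        # lookback, like the query period of a Sentinel rule
MAX_PER_USER = 5                   # KQL example 1: Attempts > 5 for one user + IP
MIN_ACCOUNTS = 10                  # KQL example 2: AccountsTargeted > 10
MIN_ATTEMPTS = 30                  # KQL example 2: CountByIP > 30
TRUSTED_IPS = {"203.0.113.10"}     # constructed allowlist, e.g. your VPN egress (KQL example 3)
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0)   # constructed "current time" for the sample


def parse_failures(rows, now, window=WINDOW):
    """Expand Search-UnifiedAuditLog rows (AuditData is a JSON string) and keep
    the failed sign-ins that fall inside the lookback window."""
    failures = []
    for row in rows:
        data = json.loads(row["AuditData"])
        if data.get("Operation") not in ("UserLoggedIn", "UserLoginFailed"):
            continue
        if data.get("ResultStatus") != "Failed":
            continue
        when = datetime.strptime(data["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        if when < now - window:
            continue
        failures.append({"time": when, "user": data["UserId"].lower(),
                         "ip": data["ClientIP"]})
    return failures


def repeated_failures_per_user(failures, limit=MAX_PER_USER):
    """KQL example 1: many failures for the same account from the same IP."""
    counts = defaultdict(int)
    for f in failures:
        counts[(f["user"], f["ip"])] += 1
    return {key: n for key, n in counts.items() if n > limit}


def spray_sources(failures, min_accounts=MIN_ACCOUNTS, min_attempts=MIN_ATTEMPTS,
                  trusted_ips=TRUSTED_IPS):
    """KQL examples 2 and 3: one IP failing against many accounts, with the
    allowlist applied before counting."""
    attempts, accounts = defaultdict(int), defaultdict(set)
    for f in failures:
        if f["ip"] in trusted_ips:
            continue
        attempts[f["ip"]] += 1
        accounts[f["ip"]].add(f["user"])
    return {ip: {"attempts": attempts[ip], "accounts": len(accounts[ip])}
            for ip in attempts
            if len(accounts[ip]) > min_accounts and attempts[ip] > min_attempts}


def constructed_rows(now=SAMPLE_NOW):
    """Constructed sample rows in the shape Search-UnifiedAuditLog returns."""
    rows = []

    def add(when, user, ip, status, op):
        rows.append({"AuditData": json.dumps({
            "CreationTime": when.strftime("%Y-%m-%dT%H:%M:%S"), "UserId": user,
            "ClientIP": ip, "ResultStatus": status, "Operation": op})})

    # Spray: 12 accounts, 3 guesses each, spread over 35 minutes from one IP.
    for i in range(12):
        for k in range(3):
            add(now - timedelta(minutes=40 - (3 * i + k)), f"user{i:02d}@example.com",
                "198.51.100.7", "Failed", "UserLoginFailed")
    # Brute force: 40 guesses against a single account from one IP.
    for k in range(40):
        add(now - timedelta(minutes=30, seconds=k), "bob@example.com",
            "192.0.2.50", "Failed", "UserLoginFailed")
    # A real user mistyping from the trusted VPN address, then succeeding.
    for k in range(6):
        add(now - timedelta(minutes=10 - k), "Alice@example.com",
            "203.0.113.10", "Failed", "UserLoginFailed")
    add(now - timedelta(minutes=3), "Alice@example.com", "203.0.113.10",
        "Succeeded", "UserLoggedIn")
    # Failures older than the window must not count.
    for i in range(5):
        add(now - timedelta(hours=3), f"old{i}@example.com", "192.0.2.99",
            "Failed", "UserLoginFailed")
    return rows


def run_detection(now=SAMPLE_NOW):
    """Run both rules over the constructed sample and return the findings."""
    failures = parse_failures(constructed_rows(now), now)
    return {"per_user": repeated_failures_per_user(failures),
            "spray": spray_sources(failures)}


if __name__ == "__main__":
    for rule, hits in run_detection().items():
        print(rule, hits)
```

Running it reports the spraying IP (36 failures across 12 accounts) under the per-IP rule only, while the single-account brute force and the mistyping VPN user surface under the per-user rule only: a spray keeps each account below the per-user threshold by design, which is why the two rules complement rather than replace each other. Records older than the window and failures from the allowlisted IP are dropped before counting, mirroring the time scope of a Sentinel rule and the safe-location filter.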

Using PowerShell to identify legacy auth usage (common in password spray attempts)

Password spray attacks commonly target legacy protocols like POP, IMAP, and SMTP. While basic authentication for these protocols has been deprecated in Microsoft 365, some organizations still have them enabled or maintain connected infrastructure that uses outdated and insecure authentication technologies. You can detect legacy email authentication by running the following command in PowerShell:

# Sign-in logs are read through Microsoft Graph PowerShell (Microsoft.Graph.Reports module, assumed here);
# connect first with: Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
# The -match pattern also catches the exact log values such as "IMAP4", "POP3", "Authenticated SMTP" and "MAPI Over HTTP".
Get-MgAuditLogSignIn -All |
    Where-Object { $_.ClientAppUsed -match "IMAP|POP|SMTP|MAPI|ActiveSync" } |
    Select-Object UserPrincipalName, ClientAppUsed, IpAddress

Then, to disable these methods for a specific user:

# Replace user@example.com with the mailbox to change (placeholder, run in Exchange Online PowerShell)
Set-CASMailbox -Identity user@example.com -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -SmtpClientAuthenticationDisabled $true

Using GPO to block legacy protocols and enforce lockout

In addition to protecting against password spraying in Microsoft 365, you can protect endpoint devices from repeated login attempts using Group Policy in a Windows domain environment. To use Group Policy to support enforcement at the OS level in hybrid environments:

  • Open the Group Policy management console
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  • Set the Account lockout threshold to 5 invalid attempts
  • Set the Account lockout duration to 15 minutes
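The lockout settings above stop a classic single-account brute force, but a spray that makes one guess per account and waits out the counter window never reaches the threshold, which is why the FAQ notes that sprays "often avoid triggering lockout policies". The following Python simulation is an added example and is not code from the article or from NinjaOne: it models the Windows lockout counter with the threshold (5) and duration (15 minutes) given above, assumes a "Reset account lockout counter after" window of 15 minutes because the page does not state one, and uses constructed account names and a constructed clock.

```python
from datetime import datetime, timedelta

# Values from the Group Policy steps above. The "Reset account lockout counter
# after" window is not stated there; it is assumed equal to the lockout duration
# (the Group Policy editor does not allow it to be longer than the duration).
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=15)
RESET_COUNTER_AFTER = timedelta(minutes=15)
SIM_START = datetime(2024, 1, 15, 9, 0, 0)   # constructed simulation clock


class LockoutPolicy:
    """Models the Windows account lockout counter: failed logons per account,
    a counter that resets once the observation window passes without a failure,
    and a timed lockout when the threshold is reached."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION,
                 reset_after=RESET_COUNTER_AFTER):
        self.threshold, self.duration, self.reset_after = threshold, duration, reset_after
        self.bad_count = {}      # account -> failures inside the current window
        self.last_bad = {}       # account -> time of the last failure
        self.locked_until = {}   # account -> lockout expiry

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, now)

    def bad_password(self, account, now):
        """Record a failed logon at time `now`; returns True if the account is locked."""
        if self.is_locked(account, now):
            return True                          # refused; counter untouched
        last = self.last_bad.get(account)
        if last is None or now - last >= self.reset_after:
            self.bad_count[account] = 0          # window expired: start over
        self.bad_count[account] = self.bad_count.get(account, 0) + 1
        self.last_bad[account] = now
        if self.bad_count[account] >= self.threshold:
            self.locked_until[account] = now + self.duration
            self.bad_count[account] = 0
            return True
        return False


def brute_force(policy, account="bob", attempts=8, start=SIM_START):
    """Many guesses against one account, ten seconds apart: lockout stops this."""
    refused = 0
    for n in range(attempts):
        t = start + timedelta(seconds=10 * n)
        if policy.is_locked(account, t):
            refused += 1
        policy.bad_password(account, t)
    return {"locked": policy.is_locked(account, start + timedelta(seconds=10 * attempts)),
            "refused": refused}


def spray(policy, accounts=200, rounds=4, gap_minutes=20, start=SIM_START):
    """One guess per account per round (one password per round), rounds spaced
    gap_minutes apart. Returns how many accounts are locked at the end."""
    for r in range(rounds):
        round_start = start + timedelta(minutes=gap_minutes * r)
        for i in range(accounts):
            policy.bad_password(f"user{i:03d}", round_start + timedelta(seconds=i))
    end = start + timedelta(minutes=gap_minutes * rounds)
    return sum(policy.is_locked(f"user{i:03d}", end) for i in range(accounts))


if __name__ == "__main__":
    print("brute force:", brute_force(LockoutPolicy()))            # locked after 5
    print("spray, 20 min between rounds:", spray(LockoutPolicy()))  # 0 locked
    print("spray, 10 min between rounds, 5 rounds:",
          spray(LockoutPolicy(), rounds=5, gap_minutes=10))        # 200 locked
```

The first run locks the brute-forced account on the fifth guess and refuses the rest; the second shows 200 accounts each receiving four wrong passwords with no lockout at all, because every round falls outside the reset window. The third run is the caveat for anyone tempted to tighten the policy: rounds inside the window accumulate, and the same policy then locks every sprayed account, turning the attack into a self-inflicted denial of service for your users. Lockout is a containment control; the per-IP correlation in the Sentinel and audit-log sections is what actually detects a spray.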

wevtutil can be used to search the Security log for failed login attempts (event ID 4625), optionally automated using script deployment or RMM solutions. The following command returns the 20 most recent entries as text:

wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:20 /rd:true /f:text

You can also enforce modern authentication for Outlook Autodiscover, so that it does not fall back to basic authentication, via Group Policy by deploying the following registry value to the key HKEY_CURRENT_USER\Software\Microsoft\Exchange:

"AlwaysUseMSOAuthForAutoDiscover"=dword:00000001

Troubleshooting and additional detection tips and tools

To ensure that your Microsoft 365 password spraying mitigations are working effectively, you should make sure that:

  • Unified Audit Log ingestion is enabled
  • Trusted IPs or regions are allowlisted in Sentinel queries to reduce false positives, while logins from distant countries you would never expect a login attempt from are blocked outright
  • Conditional access is used to block legacy authentication and apps, rather than relying on users to transition themselves
  • KQL query time frames are expanded and threshold variables adjusted so that slow, low-volume spraying is still caught
  • User accounts are automatically blocked when sign-in risk is high

Preventing successful password spray attacks can be accomplished by implementing MFA across your IT infrastructure, for all users. Third-party access should also be regularly audited so that unused service accounts can be removed, or their permissions can be revised. End users should also be regularly trained in cybersecurity and data handling best practices (such as identifying suspicious login prompts and phishing attempts) to ensure your organization is protected and compliant.

How RMM can help protect your entire infrastructure from password spraying and other attacks

Remote monitoring and management (RMM) by NinjaOne enables technicians to remotely monitor and manage endpoints while also alerting technicians to potential cybersecurity incidents. Additionally, it can be used to deploy scripts to uninstall legacy software that may try to authenticate with Microsoft 365 using insecure methods, and monitor for brute force attempts.

NinjaOne RMM can also be used to enforce secure default configurations across all devices, and run remediation scripts to disable users and isolate endpoints when anomalies are detected. It provides complete visibility over all endpoints running the most widely used OSs, in any location.

Quick-Start Guide

Password Spray Attack Detection in Microsoft 365

While NinjaOne doesn’t have a built-in password spray attack detection tool, there are several strategies you can implement:

1. Microsoft Sentinel Monitoring

– Use Microsoft Sentinel to monitor sign-in logs
– Look for:
  – Multiple failed login attempts across different accounts
  – Logins from unusual IP addresses or geographic locations
  – Suspicious authentication patterns

2. Audit Logs Analysis

– Review Azure AD sign-in logs
– Check for:
  – High volume of failed login attempts
  – Attempts from anonymous or suspicious IP addresses
  – Login attempts across multiple user accounts in a short time frame

3. Additional Recommended Protections

– Enable Multi-Factor Authentication (MFA)
– Implement conditional access policies
– Use Azure AD Password Protection
– Set up login attempt thresholds

4. NinjaOne Supplementary Scripts

– NinjaOne has a script called “Check for Brute Force login attempts” that might help detect suspicious login patterns

Recommendation: While NinjaOne doesn’t directly solve this, we recommend using Microsoft Sentinel or Azure AD advanced monitoring in conjunction with multi-layered security approaches.

FAQs

A password spray attack targets multiple accounts with a few common passwords. On the other hand, a brute force attack focuses on a single account by attempting many password combinations. Password spray attacks in Microsoft 365 can be more difficult to detect because they often avoid triggering lockout policies and frequently exploit weak or reused passwords.

For organizations that still rely on legacy authentication, such as POP, IMAP, and SMTP, IT teams can try to limit access through conditional access policies and IP restrictions. Follow other IT security measures, such as enforcing strong passwords, monitoring sign-ins through Sentinel, and prioritizing the transition of users to modern authentication and MFA as soon as possible.

Indicators include multiple failed sign-ins across different accounts from the same IP address, login attempts from unusual geographic locations, and spikes in activity using legacy protocols. Reviewing SigninLogs in Microsoft Sentinel or Unified Audit Logs in Purview can quickly expose these patterns.

Implementing Multi-Factor Authentication (MFA) helps deter unauthorized device access, but it only protects accounts where it’s correctly enforced. Attackers can still exploit accounts where MFA is disabled, misconfigured, or bypassed through legacy protocols. MFA should be combined with conditional access, disabling basic authentication, and continuous monitoring to ensure complete protection from Password Spray Attacks in Microsoft 365.
