Query Details

Microsoft 365 Defender - password spray attacks

MD365 Password Spray Attacks

Query

IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed"
| where isnotempty(RiskLevelDuringSignIn)
| where AccountObjectId == <Impacted User Account Object ID>
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25

About this query

Explanation

The query is used to gather information about password spray attacks in Microsoft 365 Defender. It includes several queries to identify password spray activity, other activities from the alerted ISP, sign-in patterns for the impacted user, MFA fatigue attacks, MFA reset activities, and new email inbox rules created by the impacted user. These queries help determine whether the activity is suspicious and gather more information related to the password spray attack alerts.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

IdentityLogonEvents CloudAppEvents AADSignInEventsBeta AlertInfo

Keywords

Microsoft 365 DefenderIdentityLogonEventsCloudAppEventsAADSignInEventsBetaAlertInfo

Operators

|>==whereago()isnotempty()summarizebydcount()>=<bin()count()!=inarg_max()pack_array()containsprojecthas_all()mv-expandextendtostring()

MITRE Techniques

Actions

GitHub