DET0487 Distributed Password Spraying via Authentication Failures Across Multiple Accounts

Item	Value
ID	DET0487
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1110.003 (Password Spraying)

Analytics

Windows

AN1336

A high volume of authentication failures using a single password (or small set) across many different user accounts within a defined time window

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	WinEventLog:Security	EventCode=4625, 4771, 4648

Mutable Elements

Field	Description
PasswordReuseThreshold	Number of distinct accounts a password is used against before alerting
TimeWindow	Window over which the correlation is measured (e.g., 10 mins)
TargetGroupFilter	Limit detection to sensitive or monitored user groups (e.g., Admins)

Linux

AN1337

Authentication failures across different accounts using a repeated or similar password via SSH or PAM stack within a short window

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	linux:syslog	Failed password for invalid user

Mutable Elements

Field	Description
PasswordReusePattern	Repetition or minor variation of the same password across user attempts
IPAggregationWindow	Length of time to observe distributed spray attempts from single source

macOS

AN1338

Multiple failed login attempts across different users using common password patterns (e.g., ‘Welcome2023’)

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	macos:unifiedlog	Login Window and Authd errors

Mutable Elements

Field	Description
RetryCountThreshold	Total number of attempts before alerting
CommonPasswordList	List of passwords considered suspicious due to widespread use

Identity Provider

AN1339

Sign-in failures across enterprise SSO applications or SaaS platforms from same IP address using the same password against multiple user identities

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	azure:signinlogs	Failure Reason + UserPrincipalName

Mutable Elements

Field	Description
GeoIPAnomalyCheck	Use geolocation mismatches to strengthen signal
FailedUserRatio	Proportion of total user base affected to filter noise

Network Devices

AN1340

Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	networkdevice:syslog	AAA or TACACS authentication failures

Mutable Elements

Field	Description
AuthFailureBurst	Cluster of failed attempts in short period indicating spray
InterfaceFilter	Limit detection to console/SSH vs web UI interfaces

Containers

AN1341

Repeated failed authentication attempts to container APIs, control planes, or login shells across many user names using same password

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	kubernetes:audit	Failed login

Mutable Elements

Field	Description
OrchestrationScope	Detect spray attempts scoped to single pod vs full cluster
ServiceAccountFilter	Limit detection to non-service accounts to reduce noise

Office Suite

AN1342

Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute attempts)

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	m365:exchange	FailedLogin

Mutable Elements

Field	Description
MailboxAccessAttempts	Threshold on mailbox login failures by same IP
EmailPatternAnalysis	Match target usernames to common spray dictionaries

SaaS

AN1343

SaaS applications receiving authentication failures for dozens of accounts using same password or login signature

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	saas:auth	signin_failed

Mutable Elements

Field	Description
CloudAppScope	Restrict detection to identity providers or select high-risk SaaS platforms
UserPopulationSensitivity	Adjust based on size and role of account pool