Password Spray Detection in Active Directory: How to Detect, Respond to, and Prevent Spray Attacks

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Password spray attacks succeed in real environments because standard lockout policies protect individual accounts but create no visibility when the attack is distributed. An environment with a 5-attempt lockout threshold and a 30-minute reset window is vulnerable to a spray that sends exactly 4 attempts per account from a single source, at scale, across all user accounts. The spray hits every account in the directory and the lockout counter never triggers. Detecting this requires correlation across accounts over time, not per-account monitoring.
Configure Audit Policy for Failed Logon Capture
Authentication failures must be logged before you can detect spray. Enable the correct audit policies on domain controllers: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon > Audit Credential Validation = Failure and Audit Kerberos Authentication Service = Failure. Both are needed: Event ID 4625 captures NTLM authentication failures; Event ID 4771 (Kerberos pre-auth failure, SubStatus 0x18 for bad password) captures Kerberos-based spray. These events are generated on domain controllers, not on member workstations. Confirm the audit policy is applied: auditpol /get /subcategory:'Credential Validation' and auditpol /get /subcategory:'Kerberos Authentication Service'. Ensure Events 4625 and 4771 are reaching your SIEM from all DCs -- spray detection requires data from every DC, not just one.
Detect Spray with Event Log Queries
The spray signature: many distinct target accounts failing authentication within a short window from the same source IP. Query in Defender XDR Advanced Hunting: DeviceLogonEvents | where ActionType == 'LogonFailed' and Timestamp > ago(1h) | summarize FailedAccounts = dcount(AccountName), Attempts = count() by RemoteIP | where FailedAccounts > 20. In KQL for Sentinel: SecurityEvent | where EventID == 4625 and TimeGenerated > ago(1h) | summarize UniqueTargets = dcount(TargetUserName), Attempts = count() by IpAddress | where UniqueTargets > 20 and Attempts > 30. Adjust the thresholds based on your baseline authentication volume. The ratio of UniqueTargets to Attempts is the spray indicator: a ratio close to 1 (one attempt per account) is classic spray; a high ratio of attempts to accounts is brute force. Kerberos spray query: SecurityEvent | where EventID == 4771 and Status == '0x18' and TimeGenerated > ago(1h) | summarize UniqueTargets = dcount(TargetUserName) by IpAddress | where UniqueTargets > 20.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Microsoft Defender for Identity: Built-In Spray Detection
Microsoft Defender for Identity (MDI) provides automated spray detection if you have a sensor deployed on all domain controllers. MDI alert: 'Password spray attack' in the MDI portal or Defender XDR incident queue -- triggers when MDI's baseline model detects anomalous failed authentication volume across accounts. MDI provides the spray source IP, the list of targeted accounts, and the timing of the spray. The advantage over raw event log queries: MDI applies baseline normalization -- it knows your normal authentication volume and compares against it, reducing false positives during high-traffic periods like Monday mornings after a long weekend. If you do not have MDI, raw event log queries as above are the alternative. For cloud-side spray against Entra ID: the Entra ID sign-in logs provide failed sign-in data with similar query patterns. Entra ID Smart Lockout provides built-in cloud-side spray mitigation.
Investigate After Detection: Confirm Compromise
When a spray is detected: first, determine if any accounts were successfully compromised. Query for accounts that had a failed logon from the spray source IP followed by a successful logon: SecurityEvent | where EventID in (4625, 4624) and IpAddress == 'spray_source_ip' and TimeGenerated between(starttime .. endtime) | order by Account, TimeGenerated | project TimeGenerated, EventID, Account, LogonType. Any account with a 4625 from the spray source followed by a 4624 is potentially compromised. Also check Defender for Identity for accounts flagged as 'Suspected Account Compromised' or 'Suspicious logon' in the same timeframe. For each potentially compromised account: check what they accessed after the successful logon (DeviceLogonEvents for the account, file access logs, Exchange or SharePoint access logs). Reset passwords for any confirmed or suspected compromised accounts, revoke Entra ID sessions, and check for mailbox forwarding rules added after the spray event.
Configure Lockout Policy to Limit Spray Effectiveness
Standard account lockout policies do not prevent spray (attackers stay under the threshold) but they do limit the number of attempts per account. Recommended settings: lockout threshold of 10 (not 5 -- false lockouts from fat-fingered passwords have a support cost and low thresholds train users to call the help desk). Lockout duration of 30 minutes. Observation window of 30 minutes. For service accounts and privileged accounts that are high-value spray targets, use a Fine-Grained Password Policy (FGPP) with stricter settings (threshold 3, duration 60 minutes) applied via a Password Settings Object (PSO) to the specific accounts or groups. Entra ID Smart Lockout: for hybrid environments where password spray can come against Entra ID (cloud-side), Smart Lockout is a built-in Entra ID feature that learns your normal sign-in patterns and applies IP-reputation-based lockouts that preserve legitimate user access while blocking spray sources. Smart Lockout threshold is configurable in the Authentication Methods > Password Protection policy in the Entra admin center.
The bottom line
Spray detection requires cross-account correlation over a time window -- something no single account's lockout counter captures. Enable Kerberos pre-auth failure auditing (Event 4771) alongside NTLM failure auditing (Event 4625), deploy the KQL queries to alert on high unique-target failure counts from a single source, and use Defender for Identity for automatic detection with lower false-positive rates. Respond quickly: if any account shows a failed attempt followed by a success from the spray source, treat it as compromised and reset immediately.
Frequently asked questions
How do I distinguish spray from a user repeatedly mistyping their password?
A fat-finger failure pattern shows multiple failures for the same account from the same IP over a short window. A spray pattern shows one or a few failures for many distinct accounts from the same IP over a short window. The UniqueTargets to Attempts ratio is the distinguishing metric: close to 1 means spray, significantly less than 1 means brute force or fat-finger. A single user forgetting their password generates 5 failures for 1 account; a spray generates 1 failure for 500 accounts.
What is the difference between password spray and credential stuffing?
Password spray tests a single known weak password (or a few) against many accounts in a target organization. Credential stuffing takes credentials leaked from other breaches (email and password pairs) and tests them against your environment, based on the likelihood that users reuse passwords. Both result in Event ID 4625, but credential stuffing typically comes with a higher variety of usernames (leaked emails that may or may not be in your directory) while spray typically uses valid usernames extracted from your organization's directory. Defender for Identity distinguishes between the two via its baseline model.
Will Entra ID Smart Lockout block spray against on-premises AD?
No. Smart Lockout operates on cloud-side Entra ID authentication. For on-premises Kerberos and NTLM authentication against domain controllers, Smart Lockout has no effect. Spray against on-premises AD requires the DC-level detection and lockout policies described in this guide. For hybrid environments using Password Hash Sync or Pass-Through Authentication, cloud-side spray is handled by Smart Lockout; on-premises spray requires DC-level controls. Both surfaces need independent coverage.
Should I lower my lockout threshold to 3 to catch spray faster?
A threshold of 3 creates high false-positive lockout rates: users mistype their password twice on a Monday morning and are locked out before they reach IT. The support burden is significant and trains users to call the help desk for lockouts, which attackers can exploit via social engineering. A threshold of 10 is the common operational recommendation. The detection approach above identifies spray before it reaches 10 attempts per account when looking at the cross-account signature.
How do I distinguish internal password spray from an external attacker?
Check the source IP and workstation name in Event ID 4625. Internal spray from a compromised endpoint shows authentication attempts originating from a domain-joined machine name and internal IP address. External spray typically comes from unusual IP addresses (non-RFC1918 addresses if VPN is not in use) or from the same IP authenticating against many different accounts in rapid succession (which internal clients do not do). Defender for Identity's Suspected Password Spray Attack alert enriches the source IP with threat intelligence and geolocation. For purely on-premises DC event logs, cross-reference the source IP against your asset inventory -- a source IP not assigned to any known internal machine is a strong indicator of external origin.
What Entra ID conditional access policies specifically reduce password spray risk?
Several conditional access policies address password spray directly: sign-in risk-based conditional access (requires Entra ID P2) blocks or requires MFA for sign-in attempts that Entra's risk engine classifies as suspicious based on behavioral signals like atypical login location, unfamiliar device, or impossible travel. This catches spray attempts from credentials that successfully authenticated. Block legacy authentication (all policies blocking Exchange Active Sync, POP, IMAP, Basic Auth clients) is critical -- legacy protocols cannot use MFA and are the primary target for spray since MFA cannot be enforced. Require Authenticator app or phishing-resistant MFA (FIDO2, certificate) so that even a successful spray does not yield access without the second factor. For high-value accounts: configure smart lockout settings in Entra ID (Password protection > Lockout threshold) to lock accounts after 10 failed attempts and customize the lockout duration to increase exponentially for repeated lockouts, which slows automated spray tools significantly.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
