
Field note

Password Spray Controls for Microsoft 365

Password spray is not impressive, but it still punishes weak passwords, stale accounts, and old authentication paths more reliably than a lot of expensive tooling.

Published: 19 Mar 2026

Updated: 7 weeks ago

Read time: 3 min · 649 words

Author: Gyorgy Bolyki

Password spray is not sophisticated. That is exactly why defenders should respect it.

Attackers try common passwords across many accounts, spread the attempts, and look for the easy win. They are not trying to outsmart your whole security stack. They are testing whether your basic identity hygiene is still weak enough to be profitable.

Microsoft's 2025 Digital Defense Report said 97% of identity attacks it observed were password spray attacks.

That figure is a useful corrective. A lot of organisations still spend more time talking about exotic compromise paths than fixing the old identity weaknesses that get hit every week.

Controls that matter

  1. Require MFA across the tenant.
  2. Block legacy authentication.
  3. Protect admin accounts separately.
  4. Disable stale accounts quickly.
  5. Use Microsoft Entra password protection.
  6. Review failed sign-in patterns and risky sign-ins.
  7. Reduce shared and generic accounts.
  8. Move high-risk users toward phishing-resistant methods where possible.

The second item deserves extra emphasis. Microsoft's Conditional Access guidance currently states that more than 99% of password spray attacks use legacy authentication protocols. If those protocols are still available, you are making old attacks much easier than they need to be.
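A quick way to check the second item rather than assume it: the script below is an added example, not code from this note or from Microsoft. It inspects Conditional Access policy objects in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies and reports whether an enabled policy blocks the two legacy client app types ("exchangeActiveSync" and "other") for all users and all apps. The tenant policies it runs over are constructed samples; the only tenant-specific values you would swap in are the policies you export yourself.

```python
"""Posture check: does the tenant actually block legacy authentication?

Added example (not Microsoft code). Policies are dicts in the Graph
conditionalAccessPolicy shape; the samples below are constructed.
"""
from typing import Iterable

# Graph clientAppTypes values that mean legacy (non-modern-auth) protocols.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# A tenant-wide block policy in Graph request-body form (constructed).
BLOCK_LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"], "excludeUsers": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sample of what a tenant often looks like: a report-only draft
# that never got switched on, plus an MFA policy that only covers modern clients.
SAMPLE_TENANT_POLICIES = [
    {
        "displayName": "Legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def assess_legacy_auth_block(policies: Iterable[dict]) -> dict:
    """Return {"blocked": bool, "findings": [str]} for a set of CA policies.

    "blocked" is True only if at least one enabled policy blocks both legacy
    client app types for all users and all apps. Exclusions do not clear the
    flag but are reported for review (break-glass accounts are expected).
    """
    findings, blocked = [], False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        cond = p.get("conditions") or {}
        types = set(cond.get("clientAppTypes") or [])
        if not types & LEGACY_CLIENT_APP_TYPES:
            continue  # not a legacy-auth policy at all
        state = p.get("state")
        if state != "enabled":
            findings.append(f"{name}: targets legacy auth but state is {state}")
            continue
        grant = p.get("grantControls") or {}
        if "block" not in (grant.get("builtInControls") or []):
            findings.append(f"{name}: targets legacy auth but does not block")
            continue
        if not LEGACY_CLIENT_APP_TYPES <= types:
            findings.append(f"{name}: blocks {sorted(types)} only; both legacy types are needed")
            continue
        apps = cond.get("applications") or {}
        users = cond.get("users") or {}
        if apps.get("includeApplications") != ["All"] or users.get("includeUsers") != ["All"]:
            findings.append(f"{name}: blocks legacy auth but not for all users and all apps")
            continue
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            findings.append(f"{name}: review exclusions {excluded} (break-glass only)")
        blocked = True
    if not blocked:
        findings.append("no enabled policy blocks legacy authentication tenant-wide")
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    for line in assess_legacy_auth_block(SAMPLE_TENANT_POLICIES)["findings"]:
        print("-", line)
```

Run it against a JSON export of your own policies and treat anything other than an empty findings list as a gap to close; a report-only policy is the most common way a tenant believes it has blocked legacy auth when it has not.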

Why the boring controls do the heavy lifting

Password spray thrives on three conditions:

  • weak or overused passwords
  • older authentication paths
  • accounts that nobody is really watching

That is why the high-value work is usually boring work. Disable old protocols. Tighten password standards. Clean up dormant accounts. Make sure admins are protected separately from everyone else.

Microsoft Entra password protection is worth using properly. Microsoft documents both the global banned password list and the ability to add a custom banned list for organisation-specific terms. That matters because users still love choosing passwords based on the company name, office location, or internal project words.

Quick detection questions

Question                                         Where to look
Are failed sign-ins rising across many users?    Entra sign-in logs
Are attempts using old protocols?                Sign-in logs and Conditional Access
Are admins targeted?                             Identity Protection and audit logs
Are stale accounts being hit?                    User sign-in activity

You do not need perfect telemetry to spot the pattern. Wide, low-volume failures across lots of users are often enough to justify a closer look.
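The four questions in the table can be answered from one pass over exported sign-in records. The script below is an added example, not code from this note or from Microsoft. It groups credential-stage failures into hourly windows and, for each window, reports distinct users, average attempts per user, the share of attempts on legacy protocols, the admin accounts hit, and the accounts with no recent successful sign-in. It assumes records in the field layout of the Graph signIn resource (userPrincipalName, createdDateTime, clientAppUsed, ipAddress, status.errorCode), the Entra error codes 50126 (invalid credentials), 50053 (locked out) and 50057 (disabled), and the clientAppUsed names Entra uses for legacy protocols; the records, admin list and last-success dates are all constructed.

```python
"""Spray triage over exported Entra sign-in records (added example).

Records use Graph signIn field names; the samples below are constructed.
Thresholds are assumptions to tune for your tenant, not Microsoft values.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Credential-stage failures: bad password, locked out, disabled.
CREDENTIAL_FAILURE_CODES = {50126, 50053, 50057}
# clientAppUsed values that mean a legacy (non-modern-auth) protocol (assumed set).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_failed_signins(records, admins, last_success, now,
                          window=timedelta(hours=1), min_users=10,
                          max_avg_attempts=3.0, stale_after=timedelta(days=90)):
    """Return one summary dict per window that contains credential failures.

    A window is "spray_like" when many distinct users fail with few attempts
    each: the wide, low-volume shape described in the note.
    """
    buckets = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] not in CREDENTIAL_FAILURE_CODES:
            continue
        t = parse_time(r["createdDateTime"])
        start = t - timedelta(seconds=t.timestamp() % window.total_seconds())
        buckets[start].append(r)

    admin_set = {a.lower() for a in admins}
    findings = []
    for start in sorted(buckets):
        rows = buckets[start]
        per_user = defaultdict(int)
        for r in rows:
            per_user[r["userPrincipalName"].lower()] += 1
        users = set(per_user)
        avg = len(rows) / len(users)
        legacy = sum(1 for r in rows if r.get("clientAppUsed") in LEGACY_CLIENT_APPS)
        stale = {u for u in users
                 if u not in last_success or now - last_success[u] > stale_after}
        findings.append({
            "window_start": start.isoformat(),
            "failures": len(rows),
            "distinct_users": len(users),
            "avg_attempts_per_user": round(avg, 2),
            "legacy_share": round(legacy / len(rows), 2),
            "source_ips": sorted({r["ipAddress"] for r in rows}),
            "admins_hit": sorted(users & admin_set),
            "stale_accounts_hit": sorted(stale),
            "spray_like": len(users) >= min_users and avg <= max_avg_attempts,
        })
    return findings


# ---- constructed sample data -------------------------------------------------
def _rec(upn, when, client, code, ip="198.51.100.7"):
    return {"userPrincipalName": upn, "createdDateTime": when, "clientAppUsed": client,
            "ipAddress": ip, "status": {"errorCode": code}}

NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)
SAMPLE_USERS = [f"user{i:02d}@contoso.example" for i in range(1, 13)]
SAMPLE_ADMINS = ["admin-it@contoso.example"]
SAMPLE_LAST_SUCCESS = {u: NOW - timedelta(days=3) for u in SAMPLE_USERS}
SAMPLE_LAST_SUCCESS["admin-it@contoso.example"] = NOW - timedelta(days=1)
SAMPLE_LAST_SUCCESS["old-intern@contoso.example"] = NOW - timedelta(days=200)

SAMPLE_RECORDS = [
    # 02:00 window: one attempt each against 12 users over IMAP/"Other clients"
    _rec(u, f"2026-03-19T02:{i * 4:02d}:00Z", "IMAP4" if i % 2 else "Other clients", 50126)
    for i, u in enumerate(SAMPLE_USERS)
] + [
    _rec("admin-it@contoso.example", "2026-03-19T02:50:00Z", "Other clients", 50126),
    _rec("old-intern@contoso.example", "2026-03-19T02:51:00Z", "IMAP4", 50057),
    # 09:00 window: one user mistyping a password five times in a browser is not spray
    *[_rec("user01@contoso.example", f"2026-03-19T09:0{k}:00Z", "Browser", 50126,
           ip="203.0.113.5") for k in range(5)],
]

if __name__ == "__main__":
    for w in triage_failed_signins(SAMPLE_RECORDS, SAMPLE_ADMINS, SAMPLE_LAST_SUCCESS, NOW):
        print(w)
```

The first window answers all four table questions at once (many users, all on legacy protocols, an admin among them, one account nobody has used in months); the second is the ordinary forgotten-password shape that the same thresholds leave alone.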

Shared accounts are still a quiet liability

Shared and generic accounts remain a recurring problem here. They are awkward to protect, awkward to attribute, and often missed in cleanup work.

If a shared account must exist for a short period, it should be documented, limited, and reviewed. If it exists because "we have always done it that way", it is probably making password spray cheaper.

The most useful sequence for SMEs

For many smaller Microsoft 365 environments, the best return usually comes from this order:

  1. enforce MFA
  2. block legacy authentication
  3. disable dormant accounts
  4. protect admins separately
  5. add password protection controls
  6. review logs often enough to notice a pattern early

That is not glamorous, but it works.

What success looks like

The goal is not to eliminate every failed sign-in. The goal is to make password spray noisy, expensive, and low-yield.

If the attacker hits old protocols, they get blocked. If they hit weak passwords, password protection has already stopped the weakest choices from being set, and better MFA limits the value of a hit. If they find stale accounts, those accounts should already be gone.

That is what practical identity hardening looks like. Less theatre, more friction for the attacker.
