Credential stuffing and password spray are two of the most consistently successful attack techniques against Australian organisations. Neither requires sophisticated technical capability. Both are highly automated. And both are rendered largely ineffective by a single control: properly enforced MFA.
Credential Stuffing
When a third-party website suffers a data breach and credentials are stolen, those credentials are tested systematically against other services. If a user's email address and password from a retail breach match their Microsoft 365 account, the attacker has access. The scale of credential availability makes this a numbers game: enough pairs tested against enough services will produce results.
Password Spray
Rather than testing many passwords against one account (which triggers lockout), password spray tests one or a few common passwords against many accounts. "Spring2024!" or "Company@2024" tested against every account in an organisation will succeed against a meaningful percentage. The technique avoids account lockout while maintaining a reasonable success rate across a large account population.
Detection
Both techniques leave signals in authentication logs — multiple failed attempts from the same IP, authentication attempts at unusual times, logins from unfamiliar locations. Entra ID Protection analyses these signals and can trigger automated responses. Without monitoring, these signals go unnoticed until a successful compromise is discovered through its consequences.
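As an added example (not part of the original article and not Entra ID Protection's own logic), the following detector applies the "many accounts, few attempts each, one source" shape of a password spray to constructed sign-in records; the record layout, the window and the thresholds are assumptions chosen for illustration.

```python
"""Password spray detector over constructed sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source_ip, result).
# The first block is one source trying many accounts once each; the second
# is a single user mistyping their own password, which should not be flagged.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:05", "a.smith@example.com", "203.0.113.7", "failure"),
    ("2024-03-01T02:00:09", "b.jones@example.com", "203.0.113.7", "failure"),
    ("2024-03-01T02:00:14", "c.lee@example.com", "203.0.113.7", "failure"),
    ("2024-03-01T02:00:20", "d.nguyen@example.com", "203.0.113.7", "failure"),
    ("2024-03-01T02:00:26", "e.brown@example.com", "203.0.113.7", "success"),
    ("2024-03-01T02:00:31", "f.wang@example.com", "203.0.113.7", "failure"),
    ("2024-03-01T09:15:00", "g.patel@example.com", "198.51.100.4", "failure"),
    ("2024-03-01T09:15:20", "g.patel@example.com", "198.51.100.4", "failure"),
    ("2024-03-01T09:15:45", "g.patel@example.com", "198.51.100.4", "success"),
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag source IPs that fail against at least min_users distinct accounts
    inside one window while never exceeding max_per_user attempts on any one
    account (the lockout-avoiding shape). Any success from the same source in
    that window is returned so the account can be reviewed for compromise."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):  # sliding time window over this source's events
            while rows[end][0] - rows[start][0] > window:
                start += 1
            window_rows = rows[start:end + 1]
            fails = defaultdict(int)
            for _, user, result in window_rows:
                if result == "failure":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                succeeded = sorted({u for _, u, r in window_rows if r == "success"})
                findings[ip] = {"users": len(fails), "succeeded": succeeded}
                break  # one finding per source is enough
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {f['users']} accounts failed; "
              f"successful sign-ins to review: {f['succeeded']}")
```

The per-account cap is what separates a spray from a brute force against one account; tune it below your lockout threshold so the attacker's own evasion choice becomes the detection signal.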
The Definitive Mitigation
MFA makes both techniques effectively non-viable. A correct credential pair without the second factor cannot authenticate. For environments where MFA cannot be immediately enforced on all accounts, password policy (length, complexity, checking against known breach lists) and account lockout configuration provide partial mitigation. But MFA is the definitive answer.