Running your first Simulated Office 365 Attack: Password Spray Attack

In the last couple of posts, we looked at executing two simulated attacks using the “Attack Simulator” tool within Office 365. First we ran a “Spear Phishing” campaign, then a “Brute Force Password” attack. Each option serves a different purpose: the first helps train users, the second lets IT/Security gauge the current state of passwords and their complexity.

Spear Phishing
https://www.helloitsliam.com/2018/05/14/running-your-first-simulated-office-365-attack-spear-phishing/

Brute Force Password
https://www.helloitsliam.com/2018/07/01/running-your-first-simulated-office-365-attack-brute-force-password-dictionary-attack/

For this post we will look at running a “Password Spray Attack” as the simulated attack. A “Password Spray” attack differs from the brute force attack in that, instead of working through a supplied password list against an account, it tries a single commonly used password against a whole list of user accounts. Because each account only sees one attempt per password, a spray typically stays below the account lockout threshold that would stop a brute force attempt, which is exactly why attackers favour it. Once again, to start, open the “Security and Compliance” center for your Office 365 tenant, then expand “Threat Management” and choose “Attack simulator”.
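To make the difference concrete, the following is an added illustration (it is not code from the Attack Simulator tool or from this post). It models a tenant with an assumed lockout policy of 5 bad passwords, a constructed directory of five users, and a constructed dictionary, then runs both attack shapes against it: the brute force attack burns through the lockout threshold on one account before it reaches the right password, while the spray touches every account once, never triggers lockout, and still finds every account that shares the common password. A toy `classify` function over the resulting sign-in log shows how the two patterns look to a detector (the `min_users` cut-off is an assumption).

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed tenant policy: lock an account after 5 bad passwords

# Constructed sample directory (user -> current password); all values invented.
DIRECTORY = {
    "alice": "Summer2018!",
    "bob": "Ch@ir-42-Lamp",
    "carol": "Winter2018!",
    "dave": "Summer2018!",   # shares alice's weak seasonal password
    "erin": "xk9#Qp2!vL",
}

# Constructed dictionary for the brute force run; alice's real password sits
# after the lockout threshold on purpose.
WORDLIST = ["Password1", "Welcome1", "Qwerty123", "Letmein1", "Passw0rd",
            "Summer2018!", "Winter2018!"]


class MockTenant:
    """Minimal stand-in for a sign-in endpoint with a per-user lockout counter."""

    def __init__(self, directory, threshold=LOCKOUT_THRESHOLD):
        self.directory = directory
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()
        self.log = []  # (user, password, outcome), like a sign-in log

    def try_login(self, user, password):
        if user in self.locked:
            outcome = "locked"
        elif self.directory.get(user) == password:
            outcome = "success"
        else:
            outcome = "failure"
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
        self.log.append((user, password, outcome))
        return outcome


def brute_force(tenant, user, wordlist):
    """Brute force / dictionary: every password in the list against ONE account.
    Returns the password that worked, or None."""
    for pw in wordlist:
        if tenant.try_login(user, pw) == "success":
            return pw
    return None


def password_spray(tenant, users, password):
    """Password spray: ONE common password against EVERY account, one try each.
    Returns the users for which it signed in."""
    return [u for u in users if tenant.try_login(u, password) == "success"]


def classify(log, min_users=3):
    """Toy detector over a sign-in log: many failures on one account looks like
    brute force; one failure each across many accounts for the same password
    looks like a spray."""
    failures_per_user = defaultdict(int)
    users_per_password = defaultdict(set)
    for user, password, outcome in log:
        if outcome == "failure":
            failures_per_user[user] += 1
            users_per_password[password].add(user)
    if failures_per_user and max(failures_per_user.values()) >= LOCKOUT_THRESHOLD:
        return "brute_force"
    if any(len(users) >= min_users for users in users_per_password.values()):
        return "password_spray"
    return "none"


if __name__ == "__main__":
    bf = MockTenant(DIRECTORY)
    print("brute force found:", brute_force(bf, "alice", WORDLIST), "locked:", sorted(bf.locked))
    print("log classified as:", classify(bf.log))

    spray = MockTenant(DIRECTORY)
    print("spray compromised:", password_spray(spray, list(DIRECTORY), "Summer2018!"),
          "locked:", sorted(spray.locked), "max failures per user:", max(spray.failures.values()))
    print("log classified as:", classify(spray.log))
```

Note that the brute force run never gets a success even though the correct password is in the wordlist, because the account is locked on the fifth failure; the spray run compromises two accounts without a single lockout, which is the gap the Attack Simulator report is meant to expose.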

From the options, press the “Launch Attack” button to begin the wizard for the chosen attack, in this case for the “Password Spray” attack.

Name the new campaign as “Password Spray Attack” and then press “Next”.

Select the target users by choosing specific user accounts or groups.

Once you have selected the users or groups, press “Next” and set the password properties as needed. This attack requires only a single password; enter it and press “Next”.

Once completed press the “Finish” button and the attack is initiated.

This attack does not send an email to the end user; it simply tries to sign in to each targeted account using the single password that was supplied. Once the attack is complete, the status is updated and a “View Report” link becomes available. Click “View Report” or “Attack Details” to see the results of the attack.

Clicking the “Attack Details” link displays a quick overview and a link to further details.

Clicking on the result then displays the specific details. This is the same result you see when you click the “View Report” link.

This attack is really for Security and IT to gauge the current state of passwords across the organization, so that either training or new password policies can be defined. Any account the report lists as compromised accepted the single common password you supplied, so the report is a direct list of the accounts an attacker spraying that password would get into.

Liam Cleary

I began my career as a Trainer of all things computer related. However, I very quickly realized that programming, breaking, and hacking was a lot more fun. I then spent the next few years working on core infrastructure and security services, until I found SharePoint. I am now the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. My role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. I am also an eleven-time Microsoft MVP focusing on Architecture but also cross the boundary into Development. My specialty over the past few years has been security in SharePoint and its surrounding platforms. I can also be found at user groups or conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
