Running your first Simulated Office 365 Attack: Password Spray Attack

In the last couple of posts, we looked at executing two simulated attacks using the “Attack Simulator” tool within Office 365. First, we used “Spear Phishing”, then a “Brute Force Password” attack. Each option serves a different purpose: the first helps train the users, the second helps IT/Security gauge the current state of passwords and their complexity.

Spear Phishing
https://www.helloitsliam.com/2018/05/14/running-your-first-simulated-office-365-attack-spear-phishing/

Brute Force Password
https://www.helloitsliam.com/2018/07/01/running-your-first-simulated-office-365-attack-brute-force-password-dictionary-attack/

For this post we will look at running a “Password Spray Attack” as the simulated attack. A “Password Spray” attack is slightly different in that, instead of using a provided password list, it tries commonly used passwords against a list of user accounts. Once again, to start this, access the “Security and Compliance” center within your Office 365 tenant, then expand “Threat Management” and choose “Attack simulator”.

From the options, press the “Launch Attack” button to begin the wizard for the chosen attack, in this case the “Password Spray” attack.

Name the new campaign as “Password Spray Attack” and then press “Next”.

Select the target users by choosing specific user accounts or groups.

Once you have selected the users or groups, press “Next”, then set the password properties as needed. This attack requires only a single password. Then press “Next”.

Once completed, press the “Finish” button and the attack is initiated.

This attack does not send an email to the end user; it simply tries to access each account using the supplied password list. Once the attack is complete, the status is updated and a “View Report” link becomes available. You can click either the “View Report” or the “Attack Details” link to see the results of the attack.

Clicking the “Attack Details” link will display a quick overview and then a link to see further details.

Clicking on the result will then display the specific details. This is the same result you see when you click the link “View Report”.

This attack is really for Security and IT to gauge the current state of passwords across the organization, allowing either training or new policies to be defined.
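The spray described above looks very different in a sign-in log from the brute force attack of the previous post: one source touches many accounts with one or two attempts each, rather than hammering a single account. The following script is an added example, not part of the original post or of the Attack Simulator tool; it runs the simple detection logic a Security team might use to spot that pattern over a set of constructed sign-in events (the tuple layout and all addresses and account names are assumptions for this example). It goes slightly beyond the post by also labelling the brute-force pattern, and it lists accounts that signed in successfully from a flagged source, which is exactly the set a simulated spray would report as guessed passwords.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real tenant data. The tuple layout
# (timestamp, user, source IP, success flag) is an assumption for this example;
# a real sign-in log export carries many more fields.
SAMPLE_EVENTS = [
    # One source trying a password against many accounts: spray pattern.
    ("2018-07-10T09:00:01", "alice@contoso.example", "203.0.113.10", False),
    ("2018-07-10T09:00:04", "bob@contoso.example", "203.0.113.10", False),
    ("2018-07-10T09:00:07", "carol@contoso.example", "203.0.113.10", False),
    ("2018-07-10T09:00:10", "dave@contoso.example", "203.0.113.10", False),
    ("2018-07-10T09:00:13", "erin@contoso.example", "203.0.113.10", False),
    ("2018-07-10T09:00:16", "frank@contoso.example", "203.0.113.10", True),
    # Another source hammering one account: brute-force pattern (12 attempts).
    *[("2018-07-10T09:%02d:00" % m, "bob@contoso.example", "198.51.100.7", False)
      for m in range(5, 17)],
    # An ordinary user who mistyped once and then signed in.
    ("2018-07-10T09:20:00", "carol@contoso.example", "192.0.2.5", False),
    ("2018-07-10T09:20:30", "carol@contoso.example", "192.0.2.5", True),
]


def parse_event(raw):
    """Turn a raw tuple into a dict with a real datetime."""
    ts, user, ip, ok = raw
    return {"time": datetime.fromisoformat(ts), "user": user.lower(),
            "ip": ip, "success": ok}


def window_stats(failures, window):
    """Slide a time window over one source's failed sign-ins. Returns the
    largest number of distinct accounts seen in any window, the attempt
    count of that window, and the most attempts against any single account."""
    failures = sorted(failures, key=lambda e: e["time"])
    best_users, best_attempts, max_single = 0, 0, 0
    start = 0
    for end in range(len(failures)):
        while failures[end]["time"] - failures[start]["time"] > window:
            start += 1
        chunk = failures[start:end + 1]
        per_user = defaultdict(int)
        for e in chunk:
            per_user[e["user"]] += 1
        if len(per_user) > best_users or (
                len(per_user) == best_users and len(chunk) > best_attempts):
            best_users, best_attempts = len(per_user), len(chunk)
        max_single = max(max_single, max(per_user.values()))
    return best_users, best_attempts, max_single


def classify_sources(raw_events, window=timedelta(minutes=30), min_users=5,
                     spray_max_per_user=2, brute_min_attempts=10):
    """Group failed sign-ins by source IP and label each source.

    Returns ip -> {"pattern": "spray" | "brute_force" | None,
                   "distinct_users": n, "attempts": n,
                   "successes": [accounts that signed in from this ip]}
    Thresholds are illustrative; tune them to your tenant's baseline.
    """
    by_ip = defaultdict(list)
    for e in (parse_event(r) for r in raw_events):
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["success"]]
        users, attempts, max_single = (
            window_stats(failures, window) if failures else (0, 0, 0))
        pattern = None
        # Spray: many accounts, only a couple of tries each.
        if users >= min_users and attempts / users <= spray_max_per_user:
            pattern = "spray"
        # Brute force: one account, many tries.
        elif max_single >= brute_min_attempts:
            pattern = "brute_force"
        report[ip] = {
            "pattern": pattern,
            "distinct_users": users,
            "attempts": attempts,
            "successes": sorted({e["user"] for e in evs if e["success"]}),
        }
    return report


def compromised_accounts(report):
    """Accounts that signed in successfully from a flagged source: these are
    the passwords the (simulated or real) attack guessed, so reset them."""
    return sorted(u for r in report.values() if r["pattern"]
                  for u in r["successes"])


if __name__ == "__main__":
    rep = classify_sources(SAMPLE_EVENTS)
    for ip, r in rep.items():
        print(ip, r["pattern"], r["distinct_users"], r["attempts"], r["successes"])
    print("accounts to reset:", compromised_accounts(rep))
```

The distinguishing signal is the ratio of attempts to distinct accounts per source: a spray keeps that ratio near one precisely so that it stays under per-account lockout thresholds, which is why lockout alone does not stop it and why the simulated spray's report should be read alongside the tenant's banned-password and MFA policies.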

Liam Cleary

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. Liam also serves as the Product Owner for Security at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control and protect, whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a twelve-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
