The AzureSpray lab simulates a sophisticated password spray attack against a mid-sized technology company called Compliant Secure that recently migrated to Microsoft 365. Password spray attacks represent a particularly insidious form of credential-based attack where adversaries attempt to authenticate using a small set of commonly used passwords across many user accounts. This technique is designed to evade traditional account lockout policies by distributing failed authentication attempts across multiple accounts, staying below the threshold that would trigger security alerts or account lockouts.
Participants are provided with Azure AD sign-in logs and access to Microsoft Sentinel to investigate suspicious authentication patterns that occurred on June 29, 2025. The lab guides analysts through the complete lifecycle of a password spray attack, from initial reconnaissance to successful account compromise. Using tools such as KQL (Kusto Query Language) and Microsoft Sentinel Analytics Rules, learners will identify attack patterns, understand the attacker's methodology, and implement detection mechanisms to prevent future incidents.
The attack leverages distributed IP addresses, potentially through proxy services or botnets, to further obfuscate the malicious activity. A critical aspect of this investigation involves understanding Azure AD's Smart Lockout feature and how attackers attempt to circumvent it. The lab also explores post-compromise activities, revealing how the attacker accessed sensitive Microsoft 365 services after successfully breaching an account.
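As an added illustration of the detection work the lab describes (not part of the lab material or its answer key), the following KQL query runs against the standard Sentinel `SigninLogs` table. It first finds source IPs that failed against many distinct accounts while keeping attempts per account low, the pattern that stays under Smart Lockout, and then joins any successful sign-in from those same IPs to surface the compromised account and the Microsoft 365 application it reached. The thresholds, the date window, and the choice of result codes are assumptions to tune for your tenant.

```kql
// Added example: analytics-rule style query over the SigninLogs table (standard schema).
// Assumed thresholds (tune for your tenant): aggregation window, minimum distinct
// accounts per IP, and maximum average attempts per account (kept under Smart Lockout).
let window = 1h;
let minTargetedAccounts = 10;
let maxAttemptsPerAccount = 5;
// Entra ID / Azure AD sign-in result codes: 50126 = invalid username or password,
// 50053 = account locked by Smart Lockout, "0" = successful sign-in.
let failureCodes = dynamic(["50126", "50053"]);
// Investigation day from the lab narrative (assumed as the time window here).
let dayStart = datetime(2025-06-29);
let dayEnd = datetime(2025-06-30);
let sprayingIPs =
    SigninLogs
    | where TimeGenerated between (dayStart .. dayEnd)
    | where ResultType in (failureCodes)
    | summarize
        FailedAttempts = count(),
        TargetedAccounts = dcount(UserPrincipalName),
        SampleAccounts = make_set(UserPrincipalName, 100),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
      by IPAddress, WindowStart = bin(TimeGenerated, window)
    // Spray signature: many distinct accounts, few attempts against each one.
    | where TargetedAccounts >= minTargetedAccounts
        and 1.0 * FailedAttempts / TargetedAccounts <= maxAttemptsPerAccount;
// A successful sign-in from an IP that was spraying in the same day, after its first
// failure, is the candidate compromised account; keep the app and user agent for triage.
SigninLogs
| where TimeGenerated between (dayStart .. dayEnd)
| where ResultType == "0"
| join kind=inner sprayingIPs on IPAddress
| where TimeGenerated >= FirstFailure
| project TimeGenerated, IPAddress, CompromisedUser = UserPrincipalName,
          AppDisplayName, UserAgent, Location,
          TargetedAccounts, FailedAttempts, FirstFailure, LastFailure, SampleAccounts
| order by TimeGenerated asc
```

Grouping by `IPAddress` catches a spray from a single source; when the attempts are spread across proxy or botnet addresses, as the lab describes, the per-IP account count may never reach the threshold. In that case drop `IPAddress` from the `summarize` and compare the number of distinct accounts failing with `50126` per window against the tenant's normal baseline, or pivot on a shared `UserAgent` string, which attackers often leave constant across their IP pool.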
This password spray technique aligns with MITRE ATT&CK technique T1110.003, categorized under Credential Access: Brute Force: Password Spraying. Through this lab,