Back Arrow Back to All Integrations

Office 365 Password Spraying

Office 365 Password Spraying

Microsoft Office 365 Password Spraying SIEM Detection Test


Organizations should ensure their SIEMs are properly ingesting logs and events from all externally-facing applications, such as Office365.


Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.


Free Trial

How to Test Your SIEM Detections for O365 Password Spraying

MSOLSpray is a tool written to perform a password spray attack against users Office365 Account (from daft hack on GitHub).

Here’s an example from our engineering/security team at Blumira on how to test your password spraying detection for Windows OS/Active Directory, using DomainPasswordSpray:

  1. Download PasswordSpray.ps1 from https://github.com/dafthack/MSOLSpray
  2. Right-click PasswordSpray.ps1 > click “Run PowerShell as Admin”
  3. CD **directory where script has been saved**
  4. Get-ExecutionPolicy
  5. Set-ExecutionPolicy Unrestricted
  6. Import-Module .\DomainPasswordSpray.ps1
  7. Invoke-DomainPasswordSpray -UserList usernames.txt -Domain YOURDOMAIN.local -PasswordList usernames.txt -OutFile sprayed-creds.txt–

Note: There is a risk of account lockout associated with running this test, something to keep in mind if you get notified after testing your SIEM. Additionally, Blumira’s detection requires at least 30 users to test this detection against. We recommend pulling a list of around 100 users and then saving as usernames.txt for sake of ease.