In the last couple of posts, we looked at executing two simulated attacks using the “Attack Simulator” tool within Office 365. First we ran a “Spear Phishing” attack, then a “Brute Force Password” attack. Each option serves a different purpose: the first helps train users, the second helps IT/Security gauge the current state of passwords and their complexity.

Spear Phishing
https://www.helloitsliam.com/2018/05/14/running-your-first-simulated-office-365-attack-spear-phishing/

Brute Force Password
https://www.helloitsliam.com/2018/07/01/running-your-first-simulated-office-365-attack-brute-force-password-dictionary-attack/

For this post we will look at running a “Password Spray Attack” as the simulated attack. A “Password Spray” attack is slightly different in that, instead of using a provided password list against each account, it tries commonly used passwords against a list of user accounts. Once again, to start this, access the “Security and Compliance” center within your Office 365 tenant, then expand “Threat Management” and choose “Attack simulator”.
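As an added illustration of the distinction above (this is example code, not part of the original post or of the Attack Simulator tool), the snippet below classifies constructed failed sign-in events by source address: a spray shows up as one or two attempts against many accounts, a brute force as many attempts against one account. The sample events, the field layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in failures (not real tenant data).
# Each event: (timestamp, user, source_ip, result)
USERS = [f"user{i}@contoso.example" for i in range(1, 7)]
FAILED_SIGNINS = (
    # one source, one guess per user across six accounts: spray pattern
    [(f"2018-07-10T09:00:{i:02d}", u, "203.0.113.5", "InvalidPassword")
     for i, u in enumerate(USERS)]
    # one source hammering a single account: brute-force pattern
    + [(f"2018-07-10T09:10:{i:02d}", USERS[0], "198.51.100.7", "InvalidPassword")
       for i in range(12)]
    # a user mistyping twice from their own address: should not be flagged
    + [("2018-07-10T09:20:00", USERS[1], "192.0.2.9", "InvalidPassword"),
       ("2018-07-10T09:20:30", USERS[1], "192.0.2.9", "InvalidPassword")]
)


def classify_failures(events, min_users=5, per_user_cap=2, min_attempts=10):
    """Group failed sign-ins by source IP and label the pattern seen.

    password_spray: at least min_users distinct accounts, each tried at most
                    per_user_cap times (one password tried widely).
    brute_force:    fewer accounts, but at least min_attempts against a
                    single account (many passwords tried narrowly).
    Assumed thresholds; tune them against your own sign-in volume.
    """
    by_source = defaultdict(lambda: defaultdict(int))
    for _ts, user, ip, result in events:
        if result == "InvalidPassword":
            by_source[ip][user] += 1

    findings = {}
    for ip, per_user in by_source.items():
        distinct = len(per_user)
        heaviest = max(per_user.values())
        if distinct >= min_users and heaviest <= per_user_cap:
            findings[ip] = "password_spray"
        elif distinct < min_users and heaviest >= min_attempts:
            findings[ip] = "brute_force"
        else:
            findings[ip] = "benign_or_unknown"
    return findings


if __name__ == "__main__":
    for ip, label in classify_failures(FAILED_SIGNINS).items():
        print(f"{ip:15} {label}")
```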

From the options, press the “Launch Attack” button to begin the wizard for the chosen attack, in this case for the “Password Spray” attack.

Name the new campaign as “Password Spray Attack” and then press “Next”.

Select the target users, by choosing specific user accounts or groups.

Once you have selected the users or groups, press “Next” and then set the password properties as needed; this attack requires only a single password. Then press “Next”.

Once completed press the “Finish” button and the attack is initiated.

This attack does not send an email to the end user; it simply tries to access each account using the password list that is supplied. Once the attack is complete, the status is updated and a “View Report” link becomes available. You can click either “View Report” or the “Attack Details” link to see the results of the attack.

Clicking the “Attack Details” link will display a quick overview and then a link to see further details.

Clicking on the result will then display the specific details. This is the same result you see when you click the link “View Report”.

This attack is really intended for Security and IT to assess the current state of passwords across the organization, so that either training or new policies can be defined.