The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.
Introduction: Email Phishing Protection Guide - Enhancing Your Organization's Security Posture
Part 1: Customize the Office 365 Logon Portal
Part 2: Training Users with the Office 365 Attack Simulator
Part 3: Deploy Multi Factor Authentication (MFA)
Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services
Part 6: Deploy Outlook Plug-in to Report Suspicious Emails
Part 7: Deploy ATP Anti-Phishing Policies
Part 8: Deploy ATP Safe Link Policies
Part 9: Deploy ATP Safe Attachment Policies
Part 11: Monitor Phishing and SPAM Attacks in Office 365
Part 12: Discover Who is Attacking Your Office 365 User Identities
Part 13: Update Your User Identity Password Strategy
Part 14: Prevent Brute Force and Spray Attacks in Office 365
Part 15: Implement the Microsoft Azure AD Password Protection Service (for On-Premises too!)
Part 14: Discover Weak Passwords to Prevent Brute Force and Spray Attacks
In a previous blog I wrote about how it is time to change your user password strategies that have been in place for decades to something new and more complex. I provided several recommendations from a recent Microsoft Research paper about our recommendations based on years of research. In addition to these recommendations, there are additional actions you can take to discover weak passwords being used in your environment as well as how to prevent the use of common passwords used and that attackers are using in dictionary attacks. How about running an attack on your own environment to see just how vulnerable user passwords are?
See the different sections below to learn more about these valuable techniques to further secure your environment:
- Perform a Brute Force Password Attack
- Perform a Password Spray Attack
Perform a Brute Force Password Attack
A Brute Force password attack is typically launched against a targeted set of high profile users. These are users that could be part of a company's leadership team or someone with financial approving authorization. A dictionary of commonly used passwords is used to continuously try to guess the password of these specific users. Beyond the common passwords, also used are passwords based on a local sports team, the current weather season, the holiday season, project names used specifically within a company, etc.
While many have experienced this breach scenario, others can only imagine what could happen… Imagine the username and password of your Chief Financial Officer (CFO) was discovered by an attacker. That attacker could use the CFO's account to request a wire transfer to an account by someone in the financial department. The money would be wired to the (attackers) account and no one would think a thing of it. The email/request came from the CFO as it may have been done many times before. There is typically no insurance on wire transfers and since the receiving account is outside of your country, there is usually no way to recover the funds. This scenario is playing out time and time again resulting in wire fraud that can be detrimental to a business. This is a recent FBI article about the practice that has damages into the billions of dollars.
As I've stated in earlier blogs, remember that the attackers are extremely smart people who write complex algorithms used in these attacks. They have all the time in the world to attack you, yet only need to be successful in the username and password combination once. You must make sure none of these easy to guess passwords are being used in your environment. Using the Brute Force and Password Spray Password attack utilities in Microsoft Office 365, this is now possible and easy to run.
Before you proceed, note that neither of these attack utilities will display user passwords in the results. Rather, it will only identify individuals using weak or commonly used passwords. Users will be unaware this type of attack is running, so there will be no impact.
Note: You must enable Multi-Factor Authentication (MFA) on the account you will logon as to setup and execute the attack. MFA is not required on the accounts you will be attacking.
- As a global administrator with MFA enabled, logon to https://protection.office.com
- Expand Threat Management and then click on Attack Simulator.
-
Locate the middle option called Brute Force Password (Dictionary Attack).
![]()
- Click on the Launch Attack option.
-
Provide a name for the new attack and click Next.
![]()
-
Select several users to target or select a group of users. Names of users and groups will auto populate as you start to type them.
![]()
-
In the next screen, enter each password you would like to use in the attack. As you enter each password, press Enter. After each value entered, you will see a series of dots appear instead of the password just entered. You may also search for a dictionary of common passwords on the Internet to use that can then be uploaded for use. Be cautious in your search for these dictionary attacks as several I located did not appear safe for download and use.
![]()
-
Confirm that you are ready to start the attack and click Finish to begin.
![]()
-
After a few minutes, depending on how many users you are running the brute force password attack against and/or the number of passwords used, the attack details should be ready to view. On a refresh of the screen, you will find a note indicating the attack has been completed.
Click on the option to View Report to see the results
![]()
-
We can see in the report below that two of the users I selected in this attack were found to be using weak passwords or passwords in the specific list I entered. In all fairness, for this example I entered the passwords used for a few of these users in this demonstration tenant environment (these are fictitious accounts).
![]()
Summary: You have now identified the users in your organization using weak passwords. If these users are part of your company leadership team or anyone with financial approving capabilities, I recommend you work with them to develop a more complex password and enable MFA as soon as possible.
Perform a Password Spray Attack
A Password Spray Attack is similar to a Brute Force Attack, but instead of using a dictionary of possibly millions of password combinations at specific users, in this attack a single password is tried against a list of many valid Office 365 users.
Many password policies will detect multiple bad password logon attempts within a period of several minutes and lock an account for a specified period of time. Again, attackers are smart and know this policy well. To avoid detection, they will move down a long list of users for each password try so no single account has a multiple sign in attempts in a short period of time. Remember, an attacker has all the time in the world to guess the right combination of a username and password. Eventually, they will win if you allow easy to guess and commonly used passwords by your users.
With this in mind, let's setup a Password Spray Attack in the environment.
Note: You must enable Multi-Factor Authentication (MFA) on the account you will logon as to setup and execute the attack. MFA is not required on the accounts you will be attacking.
- As a global administrator with MFA enabled, logon to https://protection.office.com
- Expand Threat Management and then click on Attack Simulator.
-
Locate the middle option called Password Spray Attack.
![]()
- Click on the Launch Attack option.
-
Provide a name for the new password spray attack.
![]()
-
Enter the user names or groups of users you want to run this attack against.
![]()
-
Enter the password you want to use in this attack. You can only enter a single password in this attack that will then be used to logon to all the users you identified.
![]()
- Click Finish to begin the attack.
-
Click on the Refresh button at the top of this screen. Notice that the attack has been completed and you are given an option to View Report.
![]()
-
Click on the View Report option. Note that two of the users were breached by using the password examples I provided in this example.
![]()
Summary:
You now have a known list of users using a password that may be as common as just "Password!" You can now work with them with a request to change their password. It is also highly recommended to enable MFA on administrator and user accounts.