Over the past few weeks, Microsoft has been promoting digital security efforts as a part of its observance of the National Cyber Security Awareness Month (NCSAM) in October. It has announced new initiatives to promote cybersecurity awareness, unveiled Zero Trust Deployment Center, released an Adversarial ML Threat Matrix, and launched a fairly successful offensive against the malicious Trickbot botnet.
Now the company says it has developed a new machine learning-based algorithm that detects password spray attacks with considerably better performance than its previous, heuristic mechanism.
For those unaware, a password spray is a relatively crude but common form of attack in which a malicious actor tries a handful of commonly used passwords against a large number of accounts, typically from thousands of source IPs, rather than trying many passwords against a single account. The success rate per account is low, but the attack is also very hard to spot: spread that thinly, it produces only one or two failed sign-ins per account, which a tenant can easily dismiss as ordinary user error, and it never trips per-account lockout thresholds. The pattern only becomes visible in aggregate, across many tenants, when the same password (in practice, the same hash) is seen failing against a large number of accounts.
To counter password spray attacks, Microsoft previously built a heuristic mechanism in which the company observed "the core failure in the system in… worldwide traffic" and notified organizations at risk. Now the company has improved on this by training a supervised machine learning algorithm that uses features such as IP reputation, unfamiliar sign-in properties, and other account deviations to detect when a tenant is under a password spray attack.
Microsoft claims that the new model doubles recall compared with the heuristic algorithm (a 100% increase), meaning it detects twice as many compromised accounts. It also reports 98% precision: when the model flags an account as a victim of password spray, it is right about 98 times out of 100, so the extra detections come with very few false alarms.
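To make both points concrete, the per-account view that misses a spray versus the aggregate view that catches it, and the recall/precision figures quoted above, here is an added illustration in Python. It is not Microsoft's code and does not reproduce the ML model; it shows only the baseline correlation idea from the attack description (one password fingerprint failing across many accounts and tenants). The sign-in records are constructed, the `fingerprint` helper is a stand-in for whatever per-attempt value a provider can correlate on, and the thresholds (`max_failures`, `min_accounts`, `min_tenants`) are illustrative assumptions.

```python
"""Why a password spray is invisible per tenant but obvious in aggregate.

Added illustration, not Microsoft's code. All sign-in records are constructed,
the password fingerprint is a stand-in for whatever per-attempt value a
provider can correlate on, and the thresholds are illustrative assumptions.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class FailedSignIn(NamedTuple):
    tenant: str
    account: str
    source_ip: str
    password_hash: str  # fingerprint of the attempted password, never the plaintext


def fingerprint(password: str) -> str:
    """Constructed stand-in: truncated SHA-256 of the attempted password, so
    failures can be correlated across accounts without storing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def build_sample_events() -> Tuple[List[FailedSignIn], Set[str]]:
    """Constructed log: three tenants with ten accounts each.

    The spray tries one password ("Summer2020!") against every account, once or
    twice, from a different source IP each time. Background noise: one user
    mistypes their own password a few times (a different wrong string each time).
    Returns the events and the set of accounts the spray actually targeted.
    """
    events: List[FailedSignIn] = []
    targets: Set[str] = set()
    spray_hash = fingerprint("Summer2020!")
    ip_counter = 0
    for t in range(3):
        tenant = f"tenant{t}.example"
        for a in range(10):
            account = f"user{a}@{tenant}"
            targets.add(account)
            attempts = 2 if a % 3 == 0 else 1  # one or two failures per account
            for _ in range(attempts):
                ip_counter += 1
                events.append(FailedSignIn(tenant, account,
                                           f"203.0.113.{ip_counter}", spray_hash))
    for i in range(3):  # legitimate typos from a single user and IP
        events.append(FailedSignIn("tenant0.example", "user1@tenant0.example",
                                   "198.51.100.7", fingerprint(f"typo-{i}")))
    return events, targets


def per_account_lockout(events: List[FailedSignIn], max_failures: int = 5) -> Set[str]:
    """Per-tenant view: count failures per account. A spray that touches each
    account once or twice never reaches the lockout threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.account] += 1
    return {acct for acct, n in counts.items() if n >= max_failures}


def detect_spray(events: List[FailedSignIn], min_accounts: int = 20,
                 min_tenants: int = 2) -> List[dict]:
    """Aggregate view: group failures by attempted-password fingerprint.

    One fingerprint failing against many accounts across several tenants is the
    spray signature; a single tenant's ten accounts stay below min_accounts,
    which is why the pattern is only visible cross-tenant.
    """
    groups: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"accounts": set(), "tenants": set(), "ips": set()})
    for e in events:
        g = groups[e.password_hash]
        g["accounts"].add(e.account)
        g["tenants"].add(e.tenant)
        g["ips"].add(e.source_ip)
    findings = []
    for h, g in groups.items():
        if len(g["accounts"]) >= min_accounts and len(g["tenants"]) >= min_tenants:
            findings.append({"password_hash": h,
                             "accounts": sorted(g["accounts"]),
                             "tenants": sorted(g["tenants"]),
                             "source_ips": len(g["ips"])})
    return findings


def precision_recall(flagged: Set[str], attacked: Set[str]) -> Tuple[float, float]:
    """Precision: share of flagged accounts that really were attacked.
    Recall: share of attacked accounts that were flagged."""
    tp = len(flagged & attacked)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(attacked) if attacked else 0.0
    return precision, recall


if __name__ == "__main__":
    events, targets = build_sample_events()
    print("lockout flags:", per_account_lockout(events))
    for f in detect_spray(events):
        print(f"spray fingerprint {f['password_hash']}: {len(f['accounts'])} accounts, "
              f"{len(f['tenants'])} tenants, {f['source_ips']} source IPs")
    print("lockout precision/recall:", precision_recall(per_account_lockout(events), targets))
    print("spray   precision/recall:",
          precision_recall(set(detect_spray(events)[0]["accounts"]), targets))
```

On the sample data the lockout check flags no account at all (recall 0), while the fingerprint correlation flags all thirty targeted accounts across the three tenants (precision and recall both 1.0); restricting the same correlation to one tenant's events finds nothing, which is the cross-tenant point the article makes. A real detector such as Microsoft's adds the IP reputation and sign-in anomaly features mentioned above on top of this kind of aggregate signal.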
The new model will be rolled out soon to Azure AD Identity Protection customers, who will be able to use it through the Identity Protection portal and APIs.