---
title: Password spray attack observed
---

# Password spray attack observed

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack. Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006). Technique: [T1110-brute-force](https://attack.mitre.org/techniques/T1110).
## Goal{% #goal %}

Detects password spray attacks, in which a single source IP generates failed authentication attempts against many distinct user accounts.

## Strategy{% #strategy %}

This rule monitors authentication logs across multiple platforms, including Okta, AWS CloudTrail, Auth0, and Microsoft 365. In a password spray attack, the attacker tries a small number of common passwords against many different user accounts. Because each account receives only a few failed attempts, the activity stays below per-account lockout thresholds, while the attacker still tests credentials across the whole organization. The signal is therefore not many failures on one account, but failures spread across many accounts from one source.

## Triage & Response{% #triage--response %}

- Examine the failed authentication attempts from `{{@ocsf.src_endpoint.ip}}` to verify the activity represents malicious behavior rather than legitimate user issues.
- Review the targeted usernames to determine if they follow organizational naming conventions or represent high-value accounts.
- Check if any successful authentication attempts occurred from the same source IP during the detection timeframe to identify potentially compromised accounts.
- Check if any other IP addresses are exhibiting the same pattern.
- Verify if the source IP address belongs to known organizational infrastructure, VPN endpoints, or external locations.
- Analyze the timing patterns and frequency of failed attempts to distinguish between automated tools and manual authentication attempts.
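The following is an added illustration of the detection described under Strategy together with the triage checks listed above. It is not Datadog's rule implementation or its query language. It runs over constructed, OCSF-shaped events; the field names (`src_endpoint.ip`, `user.name`, `status_id`, `time`), the `status_id` mapping (1 = success, 2 = failure), the 10-minute window, the 10-account threshold and the "automated" cadence heuristic are all assumptions chosen for the example.

```python
"""Toy password-spray detector plus the triage checks from this page.

Added example, not Datadog's rule. Events are constructed, OCSF-shaped
dicts; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev


def _evt(ip, user, ok, seconds):
    """Build one constructed OCSF-like Authentication event."""
    return {
        "src_endpoint": {"ip": ip},
        "user": {"name": user},
        "status_id": 1 if ok else 2,  # assumed mapping: 1=Success, 2=Failure
        "time": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=seconds),
    }


# Constructed sample: 203.0.113.9 fails against 12 accounts at a constant
# 10-second cadence and then succeeds on one of them; 198.51.100.4 is a single
# user mistyping a password; 203.0.113.77 shows the same spray pattern.
SAMPLE_EVENTS = (
    [_evt("203.0.113.9", f"user{i}@example.com", False, 10 * i) for i in range(12)]
    + [_evt("203.0.113.9", "user7@example.com", True, 130)]
    + [_evt("198.51.100.4", "alice@example.com", False, s) for s in (3, 19, 47, 88)]
    + [_evt("203.0.113.77", f"svc{i}@example.com", False, 200 + 10 * i) for i in range(10)]
)


def spray_sources(events, min_users=10, window=timedelta(minutes=10)):
    """Return {ip: distinct_users} for IPs whose failed logins inside any
    window-long span target at least min_users distinct accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status_id"] == 2:
            by_ip[e["src_endpoint"]["ip"]].append((e["time"], e["user"]["name"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_users:
            hits[ip] = best
    return hits


def successful_logins(events, ip):
    """Accounts that authenticated successfully from ip (possible compromise)."""
    return sorted({e["user"]["name"] for e in events
                   if e["src_endpoint"]["ip"] == ip and e["status_id"] == 1})


def cadence(events, ip):
    """(mean, stddev) of gaps in seconds between failures from ip, or None.
    A short mean with near-zero stddev is characteristic of a scripted tool."""
    times = sorted(e["time"] for e in events
                   if e["src_endpoint"]["ip"] == ip and e["status_id"] == 2)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    return (sum(gaps) / len(gaps), pstdev(gaps))


def triage(events, min_users=10):
    """Run the page's triage checks for every flagged source IP."""
    hits = spray_sources(events, min_users=min_users)
    report = {}
    for ip, n in hits.items():
        c = cadence(events, ip)
        report[ip] = {
            "distinct_users": n,
            "compromised_candidates": successful_logins(events, ip),
            # assumed heuristic: sub-minute, near-constant spacing => automated
            "automated": bool(c and c[1] < 1.0 and c[0] < 60),
            "other_ips_same_pattern": sorted(set(hits) - {ip}),
        }
    return report


if __name__ == "__main__":
    for ip, row in triage(SAMPLE_EVENTS).items():
        print(ip, row)
```

Note that `198.51.100.4` is never flagged: four failures from one account is the lockout-style pattern, not a spray. The regular 10-second gaps on the two flagged IPs are what the last triage bullet is asking you to look for, and the one success from `203.0.113.9` is the account to reset first.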
