# Microsoft Confirms Password Spraying Attack — What You Need To Know
By Davey Winder, Senior Contributor
Forbes contributors publish independent expert analyses and insights. Davey Winder is a veteran cybersecurity writer, hacker and analyst.
**Beware of this Password Spraying Attack, Microsoft Warns**
A new password spraying attack has been confirmed by Microsoft, with the company's Threat Intelligence team identifying a hacking group known as Storm-1977 as the culprit behind the assault on cloud tenants in the education sector. This attack is particularly noteworthy due to its use of an automatic password hacking machine, which exploits unsecured workload identities to gain access to containerized environments.
With Microsoft research showing that 51% of such workload identities were completely inactive over the past year, it's no surprise that threat actors like Storm-1977 are taking advantage of this attack surface. The password spraying attack in question uses a command-line interface tool called AzureChecker to download AES-encrypted data that reveals the list of password spray targets.
The tool also accepts as input an accounts.txt file containing the username and password combinations used for the attack. Using this information, the attackers post the credentials to the target tenants for validation, which ultimately enabled them to leverage a guest account to create a resource group in the compromised subscription and more than 200 containers that were used for cryptomining.
**The Problem of Password Spraying Attacks**
To combat password spraying attacks, security experts recommend a simple yet effective solution: eliminate passwords altogether. As Chris Burton, head of professional services at Pentest People, notes, "where possible, we should be using passkeys, they're far more secure." Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, agrees, stating that businesses should consider passwordless solutions due to low multi-factor authentication adoption and inherent human weakness in the security chain.
Brian Pontarelli, CEO of FusionAuth, adds that teams building the future of passwords are also those building the login pages of their apps. "Some of them are getting rid of passwords entirely," he says. While passkeys may be a polarizing issue among developers, they do offer a promising solution for securing online identities.
**Mitigating the AzureChecker Password Spraying Container Attack Threat**
Microsoft recommends the following mitigations in light of attackers like Storm-1977 increasingly using compromised identities for initial access as well as long-term persistence within an environment:
- Implement strong workload identity management practices, such as regularly rotating and monitoring identities.
- Use multi-factor authentication to prevent unauthorized access.
- Regularly review and update container images and dependencies to prevent exploitation of known vulnerabilities.
- Monitor for suspicious activity and implement incident response plans in the event of a breach.
By following these recommendations, organizations can significantly reduce their risk of falling victim to password spraying attacks like those carried out by Storm-1977.
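To make the "monitor for suspicious activity" recommendation concrete, here is an added Python example (not code from Microsoft or from this article) that flags the sign-in pattern a password spray leaves behind: one source failing against many distinct accounts with only a few tries each, followed by any success from that same source. The event tuple layout, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry): time, source IP, account, outcome.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:01", "203.0.113.7", "alice@school.example", "failure"),
    ("2025-01-10T09:00:31", "203.0.113.7", "bob@school.example", "failure"),
    ("2025-01-10T09:01:02", "203.0.113.7", "carol@school.example", "failure"),
    ("2025-01-10T09:01:33", "203.0.113.7", "dave@school.example", "failure"),
    ("2025-01-10T09:02:04", "203.0.113.7", "erin@school.example", "failure"),
    ("2025-01-10T09:02:35", "203.0.113.7", "frank@school.example", "success"),
    # One user mistyping a password: several tries, but a single account.
    ("2025-01-10T09:05:00", "198.51.100.20", "grace@school.example", "failure"),
    ("2025-01-10T09:05:20", "198.51.100.20", "grace@school.example", "failure"),
    ("2025-01-10T09:05:45", "198.51.100.20", "grace@school.example", "success"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: {"targets", "succeeded_after"}} for sources that failed
    against many distinct accounts, few tries each, inside one sliding window."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for ip, rows in by_source.items():
        rows.sort()
        failures = [(t, u) for t, u, o in rows if o == "failure"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window until it spans at most `window` of time.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            tries = defaultdict(int)
            for _, user in failures[start:end + 1]:
                tries[user] += 1
            # Many accounts, few tries per account: spray rather than brute force.
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                first = failures[start][0]
                entry = findings.setdefault(ip, {"targets": set(), "succeeded_after": set()})
                entry["targets"] |= set(tries)
                # Accounts this source logged in to once the spray had begun.
                entry["succeeded_after"] |= {u for t, u, o in rows
                                             if o == "success" and t >= first}
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(ip, sorted(info["targets"]), sorted(info["succeeded_after"]))
```

Accounts listed under `succeeded_after` are the ones to prioritize for credential reset and for review of any resources they created.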
**The Future of Passwords**
As the adoption of containers-as-a-service among organizations continues to rise, cybersecurity experts will need to stay vigilant in monitoring unique security threats that affect containerized environments. While passwords are no longer enough to keep us safe online, authentication methods using biometrics and secure tokens are becoming increasingly mainstream.
In conclusion, password spraying attacks like the one carried out by Storm-1977 serve as a stark reminder of the importance of maintaining strong cybersecurity practices. By eliminating passwords altogether or implementing alternative authentication methods, organizations can significantly reduce their risk of falling victim to these types of attacks.