Microsoft Confirms Password Spraying Attack — What You Need To Know

Beware of these Microsoft password spraying attacks. In a recent warning, Microsoft has confirmed that a new password spraying attack by a hacking group identified only as Storm-1977 is targeting cloud tenants.

A billion stolen passwords are up for sale on dark web criminal marketplaces, and infostealer malware attacks continue to add to the number, making it no wonder that cybercriminals are turning to automatic password hacking machines in their nefarious campaigns. Microsoft has issued a warning after observing hackers taking particular advantage of unsecured workload identities in order to gain access to containerized environments.

"As the adoption of containers-as-a-service among organizations rises," said the Microsoft Threat Intelligence team, "Microsoft Threat Intelligence continues to monitor the unique security threats that affect containerized environments." One of these is the password spraying attack, specifically targeting cloud tenants in the education sector, that has now been pinned on the Storm-1977 threat group.

The password spraying attack exploited a command line interface tool called AzureChecker to "download AES-encrypted data that when decrypted reveals the list of password spray targets," said Microsoft. The tool then accepted as input an accounts.txt file containing the username and password combinations used for the attack. The successful attack enabled the Storm-1977 hackers to leverage a guest account in order to create a resource group within the compromised subscription and, ultimately, more than 200 containers that were used for cryptomining.
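From the defender's side, the chain described above (failed sign-ins spread across many accounts from one source, then a success, then resource creation) can be correlated in logs. The following is an added example, not code from Microsoft or from the original article; the record layout, operation names, thresholds, addresses and accounts are constructed assumptions, not a real Azure log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 1, 9, 0)
def t(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample data; field layout and operation names are assumptions,
# not a real Azure log schema. Sign-ins: (time, source_ip, account, success).
SIGNINS = (
    [(t(i), "203.0.113.10", f"user{i}@example.edu", False) for i in range(6)]
    + [(t(6), "203.0.113.10", "guest1@example.edu", True)]
    + [(t(i), "198.51.100.7", "alice@example.edu", False) for i in range(3)]
    + [(t(4), "198.51.100.7", "alice@example.edu", True)]
)
# Control-plane activity: (time, account, operation).
ACTIVITY = [
    (t(20), "guest1@example.edu", "create_resource_group"),
    (t(25), "guest1@example.edu", "create_container"),
    (t(30), "alice@example.edu", "create_container"),
]
RESOURCE_OPS = {"create_resource_group", "create_container"}

def spray_sources(signins, window=timedelta(minutes=30), min_accounts=5):
    """Map each source IP to the accounts it failed against, if it hit
    at least min_accounts distinct accounts inside one sliding window."""
    fails = defaultdict(list)
    for ts, ip, account, ok in signins:
        if not ok:
            fails[ip].append((ts, account))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return flagged

def compromised_accounts(signins, flagged):
    """Accounts that signed in successfully from a flagged spray source."""
    return {acct for _, ip, acct, ok in signins if ok and ip in flagged}

def follow_on_activity(activity, accounts):
    """Resource-creating operations performed by the given accounts."""
    return [e for e in activity if e[1] in accounts and e[2] in RESOURCE_OPS]
```

Counting distinct accounts per source, rather than raw failures, keeps a single user who mistypes a password several times (alice in the sample) from being flagged as a spray.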

Expert Advice: Eliminate Passwords

Talk to just about any cybersecurity professional, and they will tell you the solution to the problem of password spraying attacks is simple: eliminate passwords. While it's easier said than done in many instances, the move towards a passwordless future has already begun for many as they start on the passkey journey.

"Where possible, we should be using passkeys, they're far more secure, even if adoption is still patchy," said Chris Burton, head of professional services at Pentest People. Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, agrees that "due to both low multi-factor authentication adoption and inherent human weakness in the security chain, businesses should also consider passwordless solutions."

"Authentication methods using biometrics and secure tokens will become increasingly mainstream going forward," said Janssen-Anessi. Brian Pontarelli, CEO of FusionAuth, added that "the teams who are building the future of passwords are the same ones that are building and managing the login pages of their apps. Some of them are getting rid of passwords entirely."

The Risks of Password Reuse

Using weak passwords in 2025 is akin to trying to stop a juggernaut with a sponge. What the Microsoft password spraying attack warning should tell us is that password reuse is bad, and compromised passwords can be used to facilitate further hacking activity.

Credential stuffing is something that isn't going to go away, and as Muhammad Yahya Patel, global security evangelist & advisor to the office of the chief technology officer at Check Point Software, warns, "newer threats are only accelerating this risk." With brute force attacks now happily using GPU power to drive the guessing of password combos and load password-stealing malware, years turn into minutes, minutes into seconds, and defenses start to look quite weak in many cases.

Mitigating The AzureChecker Password Spraying Container Attack Threat

Microsoft said that, in light of attackers such as Storm-1977 increasingly using compromised identities for initial access as well as long-term persistence within an environment, the following mitigations are recommended:

  • Recent updates to Microsoft Defender for Cloud enhance its container security capabilities from development to runtime.
  • Defender for Cloud now offers enhanced discovery, providing agentless visibility into Kubernetes environments, tracking containers, pods, and applications.

"These updates strengthen security posture through a process of continuous and granular scanning," Microsoft said, "from build to runtime which helps to maintain compliance and secure configurations."