Unmasking a slow and steady password spray attack

Published on: 2025-05-20 22:13:14

We caught an attack where the first successful login we saw for a user was malicious. How could we be sure this was an attack? After all, we had no baseline for this user … Let's dive in.

The User Timeline: 1 Failed Login —> 1 Successful Login

This is all the data we had for the user at the time of the attack:

1-26-25: Failed login to Microsoft Azure CLI from Hurricane Electric LLC, a data center in Mexico
1-29-25: Successful login to Microsoft Azure CLI from a different IP in the same data center

From just these two logins, it's pretty tricky to tell whether this is expected behavior or an attack. On one hand, command line logins usually come from people running cloud computing workloads in data centers. Programmatic workloads also often rotate IPs using tools like FireProx. On the other hand, this could be an attacker who compromised this account with a brute force script. Perhaps they're using the data center to run a large scale attack campaign targeting users all over the w ...
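As an added illustration (not code from the original post), the cross-user correlation the excerpt hints at: the two logins for this one user are ambiguous on their own, but failed logins from the same hosting organisation against several other users in the preceding days tip the balance. The event fields, the look-back window and the victim threshold are assumptions, and the sign-in lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not taken from the original post.
# (timestamp, user, application, source IP, organisation/ASN of the IP, result)
EVENTS = [
    ("2025-01-26T09:12:00", "alice", "Microsoft Azure CLI", "203.0.113.10", "Hurricane Electric LLC", "failure"),
    ("2025-01-27T11:40:00", "bob",   "Microsoft Azure CLI", "203.0.113.25", "Hurricane Electric LLC", "failure"),
    ("2025-01-28T02:05:00", "carol", "Microsoft Azure CLI", "203.0.113.31", "Hurricane Electric LLC", "failure"),
    ("2025-01-29T14:20:00", "alice", "Microsoft Azure CLI", "203.0.113.44", "Hurricane Electric LLC", "success"),
    ("2025-01-29T15:00:00", "dave",  "Microsoft Azure CLI", "198.51.100.7", "ExampleCloud Inc",       "failure"),
    ("2025-01-30T08:00:00", "dave",  "Microsoft Azure CLI", "198.51.100.7", "ExampleCloud Inc",       "success"),
]


def find_spray_successes(events, window_days=14, min_victims=3):
    """Flag successful sign-ins that look like the tail of a low-and-slow spray.

    A success is flagged when, within the look-back window, the same
    organisation/ASN produced failed sign-ins for at least `min_victims`
    distinct users AND at least one earlier failure for this same user
    (from the same or a different IP in that organisation). Thresholds
    are assumptions; tune them to the tenant's normal traffic.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), user, app, ip, org, result)
        for ts, user, app, ip, org, result in events
    )
    failures_by_org = defaultdict(list)  # org -> [(time, user, ip)]
    alerts = []
    for when, user, app, ip, org, result in parsed:
        if result == "failure":
            failures_by_org[org].append((when, user, ip))
            continue
        # Only failures before this success are in the list, since events are sorted.
        cutoff = when - timedelta(days=window_days)
        recent = [f for f in failures_by_org[org] if f[0] >= cutoff]
        victims = {u for _, u, _ in recent}
        own_failure_ips = sorted({f_ip for _, u, f_ip in recent if u == user})
        if len(victims) >= min_victims and own_failure_ips:
            alerts.append({
                "user": user, "app": app, "org": org, "success_ip": ip,
                "prior_failure_ips": own_failure_ips,
                "distinct_failed_users": len(victims),
                "rotated_ip": ip not in own_failure_ips,  # success from a new IP in the same org
            })
    return alerts
```

With the default threshold only alice's login is flagged; dave's failure-then-success from a single IP with no other victims in that organisation is left alone.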