Password Spraying Is on the Rise and C-Suite Execs Are Being Targeted

Microsoft says individuals at the top of the company hierarchy are most at risk, along with owners of privileged accounts.

There has been a sharp uptick in password spraying attacks targeting privileged cloud accounts and high-level company executives, Microsoft’s Detection and Response Team have said. 

High-level and C-suite executives are being increasingly targeted for a number of reasons, most notably their unrestricted access to all parts of a company network.

When attacks of this nature are on the rise, it’s more important than ever to make sure you’re equipping yourself with a password manager to ensure you stand the best chance of warding off attackers, whether you’re an executive or not. 

What is password spraying?

Password spraying is one of several methods that hackers use to obtain a password and gain unauthorized access to an individual’s account. 

As the name suggests, it takes a scattergun approach to obtaining credentials. Thousands of accounts are targeted with a few commonly used and generally weak passwords, in the knowledge that at least one or two will be successful.

With login credentials from data breaches posted on the dark web so regularly, threat actors using password spraying techniques often also make use of a related technique (perhaps better described as ‘credential stuffing’), where an individual’s password is used to access other accounts they own.

Password spraying techniques can overcome security measures many sites institute, such as blocking a device/IP address that registered too many login attempts for one account.

It’s the opposite of brute-forcing, which is a much more frequent and widely-known technique. Brute-forcing involves focusing on a single account with hundreds or thousands of different passwords in the hope that one will be correct. 

Spraying gets past per-account limits of this kind because only a couple of different passwords are tried for each targeted account.
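The difference between the two patterns can be seen in a defender's log analysis. The following is an added example, not part of the original article: it runs a per-account lockout rule and a per-source spray check over constructed login events. The thresholds, function names and sample IP addresses (documentation ranges) are assumptions for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # assumed per-account failed-login limit
SPRAY_MIN_ACCOUNTS = 10  # assumed: distinct accounts failing from one source
SPRAY_MAX_TRIES = 3      # assumed: stays below the lockout limit

def build_events():
    """Constructed sample of (source_ip, account, success) login events,
    all assumed to fall inside one detection window."""
    events = [("203.0.113.5", "alice", False)] * 40          # brute force
    for i in range(30):                                       # spray
        events += [("198.51.100.7", f"user{i:02d}", False)] * 2
    events += [("192.0.2.10", "bob", False), ("192.0.2.10", "bob", True)]
    return events

def per_account_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a classic per-account lockout rule would trip on."""
    fails = defaultdict(int)
    for _src, account, ok in events:
        if not ok:
            fails[account] += 1
    return {a for a, n in fails.items() if n >= threshold}

def spray_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS, max_tries=SPRAY_MAX_TRIES):
    """Sources that fail against many distinct accounts, few tries each."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, account, ok in events:
        if not ok:
            per_src[src][account] += 1
    return {src: len(accts) for src, accts in per_src.items()
            if len(accts) >= min_accounts and max(accts.values()) <= max_tries}

if __name__ == "__main__":
    ev = build_events()
    print("locked out:", per_account_lockouts(ev))
    print("spray sources:", spray_sources(ev))
```

The lockout rule catches only the brute-forced account, while the per-source view surfaces the spray. On real data the thresholds need tuning, since a shared office or VPN egress address can also produce failures across many accounts.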

Why are high-level executives being targeted?

Hackers going after high-level executives is becoming the norm. C-suite executives are twelve times more likely to be targeted by cyber attacks than any other employee in their organization, according to Verizon’s 2019 Data Breach Investigations Report. Similarly, MobileIron’s “Trouble at the Top” report, released in 2020, found that 84% of executives experienced a cyberattack in the twelve months prior.

One reason that C-suite execs are more regularly targeted is that top-level employees are more likely to break security protocols. MobileIron also found that 76% of C-suite execs bypassed at least one of their company’s security rules in the previous year, and that almost three-quarters of IT decision-makers say that “C-suite is the most likely group within their organization to ask for relaxed mobile security protocols”.

“It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts.” – Microsoft Detection and Response Team.

Aside from this, these individuals are often targeted simply because they’re the wealthiest people in any given business. If you’re a malicious actor planning to hack into someone’s bank account, for instance, why target low-level employees when you could go for something much more lucrative?

This is linked to another reason why execs are targeted so commonly — they often have access to the majority of a company network, because they’re involved in all parts of the business and will likely have security clearances for a number of different departments. 

They’re also more likely to have high-level financial documents contained within their email cache, for instance. It’s not surprising, then, that privileged cloud accounts are also being targeted, because they’ll let a hacker infiltrate an entire network much more efficiently.

A rise in password spraying targeting executives specifically is nothing new: spear phishing, the act of targeting phishing emails towards ‘whales’ or ‘big fish’, as they’re sometimes referred to, has been around for years.

How can I protect myself against Password Spraying?

The first thing you can do is make sure you don’t have an easy password to guess. This means using letters, numbers, and symbols and at least 16 characters overall. An emerging view is that really, everyone should be using full phrases and sentences, as these are a lot less commonly used and harder to crack than just random words next to one another. 

As was mentioned at the start of this article, one really crucial piece of tech that will help you avoid attacks like password spraying and brute-forcing altogether is a password manager. Some password managers are specifically designed for businesses and will let you securely manage all of your passwords in one place.

The other major security measure you can take is to activate multi-factor authentication, be it a code received in a text or one generated by an authenticator app. Multi-factor authentication means that even if a hacker does manage to crack your password, they’ll need even more information to get into your account.

Following these tips will put you in a much better position to weather a password spraying attack, as well as a brute-force attack. But remember, it’s paramount all businesses and individuals keep up to date with the latest tips and trends on this topic, as advice changes regularly – so keep an eye out for new information and you’ll keep your accounts secure too.


Written by:
Aaron Drapkin is a Lead Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.