Password spraying in healthcare

A password spraying attack is a type of brute-force attack where cybercriminals attempt to gain unauthorized access to user accounts by systematically trying a limited set of commonly used passwords across a large number of accounts. Unlike traditional brute-force attacks, which repeatedly test different passwords for a single username until the correct one is found, password spraying takes a more subtle approach. Attackers avoid triggering security measures like account lockouts by trying the same weak password across multiple accounts before moving on to another.

These attacks exploit the tendency of users to set weak, easily guessable passwords such as "password," "123456," or "admin." Instead of targeting a specific individual, attackers aim for breadth, maximizing their chances of compromising at least some accounts by using widely used passwords. The technique is often employed against corporate networks, cloud services, and web applications.

According to a 2023 Verizon Data Breach Investigations Report (DBIR), 81% of hacking-related breaches are due to compromised credentials, indicating the effectiveness of attacks like password spraying. Additionally, the UK’s National Cyber Security Centre (NCSC) found that weak passwords remain one of the top causes of account compromise, with over 23 million breached accounts using "123456" as their password.


How password spraying attacks work

Password spraying attacks follow a methodical process designed to evade detection. Attackers first collect a list of potential usernames, often obtained from publicly available sources like company websites, social media, or previous data breaches. Once they have a list of valid usernames, they systematically attempt a small selection of weak passwords against multiple accounts.

One of the defining characteristics of password spraying is its "low and slow" approach. Attackers space out login attempts to avoid detection by security systems that monitor for repeated failed login attempts. They may also use botnets or proxy servers to distribute login attempts across different IP addresses, further reducing the likelihood of being flagged. In some cases, attackers combine password spraying with credential stuffing, testing previously leaked username-password pairs across multiple services, hoping that users have reused their credentials.

A 2024 study by IBM Security revealed that attackers using password spraying techniques can remain undetected for extended periods, with some campaigns lasting months without triggering security alerts. The study also found that organizations relying solely on password-based authentication were more vulnerable than those implementing multi-factor authentication (MFA).


Password spraying in healthcare

Iranian hackers are stepping up their attacks on healthcare organizations, using brute-force and password spraying tactics to break into accounts and access sensitive systems. Since October 2023, these attacks have hit not just healthcare but also public health agencies, government offices, IT companies, and even the energy sector, according to the Cybersecurity and Infrastructure Security Agency (CISA). Once inside, attackers often change multi-factor authentication settings to keep their access open and dig deeper into networks to steal more credentials. CISA warns that stolen login details frequently end up for sale on cybercriminal forums, where they can be used for more attacks.

Some hackers go even further, modifying security settings at hospitals, insurers, and health systems to maintain long-term access. Others use remote desktop software to control systems right under the noses of legitimate users. Many rely on password spraying, cycling through a list of commonly used passwords across multiple accounts to find a way in. These attacks exploit weak authentication policies, making it necessary for healthcare organizations to strengthen password security, watch for unusual login attempts, and phase out outdated login methods.

From a compliance standpoint, these attacks are more than just a cybersecurity issue: they're a HIPAA violation waiting to happen. The HIPAA Security Rule requires healthcare organizations to protect electronic protected health information (ePHI) from unauthorized access. Weak authentication practices put patient data at risk and open the door to fines, legal trouble, and reputational damage. Enforcing multi-factor authentication, monitoring for suspicious logins, and regularly updating security settings aren’t just good practices; they’re necessary steps to keep both systems and patient information safe.

Read more: What is the HIPAA Security Rule? 


Real-world password spraying attacks

Microsoft

In February 2025, a botnet of over 130,000 infected systems began launching password spraying attacks on Microsoft 365 accounts, exploiting outdated authentication methods. SecurityScorecard researchers found that attackers primarily target non-interactive accounts relying on Basic Authentication, which lacks MFA protection. These logins, commonly used for machine-to-machine communication or legacy email protocols like POP, IMAP, and SMTP, often go unnoticed by security teams. Attackers use stolen credentials from infostealers to systematically test logins, attempting to gain unauthorized access. The scale of the attack indicates a widespread and persistent campaign affecting multiple Microsoft 365 tenants worldwide. Microsoft has been phasing out Basic Authentication, blocking it for Exchange Online in 2022 and personal Outlook accounts in 2024. Some exceptions still allow its use, leaving organizations exposed until the final shutdown scheduled for September 2025. Security experts urge businesses to replace outdated authentication methods, closely monitor login activity, and strengthen defenses against these ongoing attacks.


Citrix

On 19 March 2019, cybersecurity firm Resecurity reported that Iridium, a hacking group linked to Iran, breached Citrix’s systems as early as 2012 and remained inside for nearly a decade. During this time, the attackers allegedly stole between six and ten terabytes of highly sensitive data, targeting information tied to the White House Communications Agency, the U.S. military, the FBI, and numerous American corporations.

The attackers gained access through password spraying and then expanded their foothold, bypassing security measures to gain remote access to internal resources. Citrix’s Chief Information Security Officer (CISO), Stan Black, confirmed that the FBI attributed the attack to password spraying and noted that the hackers actively worked to circumvent additional security layers after their initial entry.

Security researchers at Resecurity reported that Iridium’s techniques allowed them to bypass two-factor authentication (2FA) and gain unauthorized access to Citrix’s virtual private network (VPN) and single sign-on (SSO) systems, further deepening their reach into the company’s infrastructure. Access to internal networks meant that the hackers could extract vast amounts of data over time without triggering immediate alarms.

Citrix, a major provider of virtualization, networking, SaaS, and cloud computing technologies, is widely used to secure enterprise and government IT environments. The fact that attackers were able to maintain access for so long raises concerns about how deeply embedded their presence was and how much data may have been compromised over the years.


How to prevent password spraying attacks

According to TechTarget, organizations can take several steps to defend against password-spraying attacks, a common technique hackers use to gain unauthorized access to accounts. One of the most effective ways to prevent these attacks is to instill a strong password policy. Longer passwords, the avoidance of common dictionary words, and mandatory changes to default passwords upon first login help strengthen security. Weak or predictable passwords create an easy entry point for attackers, making strong password requirements fundamental.

Another security measure involves implementing login detection. Monitoring login activity allows organizations to identify unusual behavior, such as attempts to access systems that a user has never logged into before. Unusual login patterns, multiple failed attempts, or access requests from unfamiliar locations may indicate a password-spraying attack. Reviewing log data regularly can help detect these threats early.

TechTarget also recommends establishing a lockout policy. Setting a limit on failed login attempts prevents repeated unauthorized access while still allowing legitimate users a reasonable margin for error. The policy should include an efficient process for restoring access to accounts when necessary. Without a well-configured lockout system, attackers can make repeated attempts to breach accounts without consequence.

Another effective defense is implementing a CAPTCHA. In cases where a strict lockout policy is not an option, a CAPTCHA can help differentiate between human users and automated bots. Requiring users to complete a challenge before logging in makes large-scale password-spraying attacks more difficult.

Activating two-factor authentication (2FA) provides an additional layer of security. Even if attackers obtain a user’s correct password, they will still need access to the second authentication factor, such as a code sent via email or text. According to TechTarget, making sure that two-factor authentication is enabled on accounts prevents these types of attacks and makes it more difficult for hackers to make use of stolen credentials. Without 2FA, compromised passwords provide an open gateway for attackers.

Using a unique username format instead of predictable structures can also improve security. Common username patterns, such as first name followed by last name, allow attackers to compile lists of potential targets with minimal effort. A nonstandard format makes it harder to guess credentials, reducing the likelihood of a successful attack.

A combination of strong passwords, login monitoring, lockout policies, CAPTCHAs, two-factor authentication, and unique usernames provides effective protection against password-spraying attacks. Implementing these security measures strengthens defenses and limits opportunities for attackers.


How network access control (NAC) helps prevent password spraying attacks

Network access control enforces security policies at the network level, ensuring only authorized users and compliant devices can access sensitive systems.

  • Enforcing strong authentication: NAC can require MFA for all network logins, making it much harder for attackers to gain access with stolen credentials.
  • User authentication and device profiling: NAC verifies both the identity of the user and the security posture of their device before granting access, reducing the risk posed by compromised credentials.
  • Real-time monitoring and alerting: NAC solutions continuously monitor login activity and can detect unusual patterns, such as multiple failed login attempts from a single IP address or location.
  • Dynamic access control: If suspicious behavior is detected, NAC can automatically restrict access, quarantining potentially compromised accounts until they are verified.
  • Integration with SIEM and incident response systems: NAC can feed authentication data into security information and event management (SIEM) platforms, helping organizations quickly identify and respond to attacks.

Related: Access control systems in healthcare 


FAQs

How is password spraying different from credential stuffing?

Password spraying tests a few common passwords across many accounts, while credential stuffing uses previously leaked username-password pairs to gain unauthorized access.


Why do attackers use password spraying instead of traditional brute-force attacks?

Attackers use password spraying to avoid detection and account lockouts by trying a small number of widely used passwords across multiple accounts instead of rapidly guessing many passwords for a single account.


What types of accounts are most vulnerable to password spraying attacks?

Accounts with weak or default passwords, non-interactive service accounts, and those lacking multi-factor authentication (MFA) are at higher risk, particularly in enterprise environments.


How can businesses detect password spraying attacks?

Businesses should monitor authentication logs for patterns like repeated failed login attempts from different IP addresses targeting multiple accounts and implement security alerts for unusual login activity.
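The login-detection pattern described in the prevention section and in this answer, shown as an added example that is not part of the original article: it buckets sign-in events into 15-minute windows, labels a window as a spray when many distinct accounts fail once or twice each (often from several source IPs), labels it as brute force when one account absorbs the failures, and lists any successful login from a spraying IP as a possible compromise. The log format, thresholds and sample lines are constructed for illustration; tune them to your own identity provider's logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
# Constructed sample sign-in log (not from the article): "timestamp user source_ip result".
SAMPLE_LOG = """\
2025-03-01T09:00:01Z alice 198.51.100.7 FAIL
2025-03-01T09:01:12Z bob 198.51.100.7 FAIL
2025-03-01T09:02:30Z carol 203.0.113.9 FAIL
2025-03-01T09:03:45Z dave 198.51.100.7 FAIL
2025-03-01T09:05:02Z erin 203.0.113.9 FAIL
2025-03-01T09:07:41Z grace 198.51.100.7 SUCCESS
2025-03-01T10:15:00Z bob 192.0.2.44 FAIL
2025-03-01T10:15:05Z bob 192.0.2.44 FAIL
2025-03-01T10:15:09Z bob 192.0.2.44 FAIL
"""

WINDOW_SECONDS = 15 * 60  # fixed bucket width used to count failures (assumed tuning value)
MIN_ACCOUNTS = 5          # distinct accounts failing in one bucket before it counts as a spray
MAX_PER_ACCOUNT = 2       # a sprayer touches each account only once or twice per round
BRUTE_THRESHOLD = 3       # many failures against one account is classic brute force instead

def parse_log(text):
    """Parse lines into (epoch_seconds, user, source_ip, result) tuples."""
    events = []
    for ts, user, ip, result in (line.split() for line in text.strip().splitlines()):
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append((int(epoch), user, ip, result))
    return events

def classify_windows(events):
    """Bucket events by time window and label each bucket that looks hostile."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // WINDOW_SECONDS].append(ev)
    findings = []
    for key, evs in sorted(buckets.items()):
        fails = [e for e in evs if e[3] == "FAIL"]
        per_user = Counter(e[1] for e in fails)
        top = max(per_user.values(), default=0)  # failures on the worst-hit single account
        ips = sorted({e[2] for e in fails})
        start = datetime.fromtimestamp(key * WINDOW_SECONDS, tz=timezone.utc).isoformat()
        if len(per_user) >= MIN_ACCOUNTS and top <= MAX_PER_ACCOUNT:
            # Spray signature: many accounts, few tries each; a success from a spraying IP is suspect.
            hits = sorted(e[1] for e in evs if e[3] == "SUCCESS" and e[2] in ips)
            findings.append({"window": start, "kind": "password_spray", "source_ips": ips,
                             "accounts": sorted(per_user), "possible_compromise": hits})
        elif top >= BRUTE_THRESHOLD:
            findings.append({"window": start, "kind": "brute_force", "source_ips": ips,
                             "accounts": [per_user.most_common(1)[0][0]], "possible_compromise": []})
    return findings
```

On the sample log this reports one password_spray window (five accounts, two IPs, with grace's later success from a spraying IP flagged) and one brute_force window against bob, which is the distinction a lockout-only policy misses.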


What immediate steps should organizations take if they detect a password spraying attack?

They should enforce password resets for affected accounts, enable multi-factor authentication, block suspicious IPs, review authentication logs for further indicators of compromise, and implement stricter login security policies.
