Attack your users – everyone else does

Attack Simulator on user passwords

Rabon Bussey @ Produhktiv

Your user account will need to have MFA enabled to run an attack, and you will also need to be either a global administrator or a security administrator.

We have two options that we can try:

Brute Force – also called a dictionary attack, uses one or many passwords against one or many user accounts.

Spray attacks – tries one password on one or many user accounts.

We will focus on the brute force attack. This will allow us to try multiple passwords rather than a single one. In my opinion, this gives us a better idea as to the strength of our users’ passwords.

One thing to be aware of when testing user passwords: if the user has MFA enabled, the test will fail for that user. This is the expected result, as the password alone can’t satisfy the two-factor authentication challenge.

Create and launch a password attack campaign

  1. In the Admin Center, go to Security, then Threat management > Attack simulator.

  2. On the Simulate attacks page, make one of the following selections based on the type of campaign you want to create:
    • In the Brute Force Password (Dictionary Attack) section, click Launch Attack or click Attack Details > Launch Attack.
    • In the Password Brute Force attack section, click Launch Attack.

  3. The Configure Password Attack wizard starts in a new flyout. In the Start step, enter a unique display name for the campaign, and then click Next.

  4. In the Target users step, do one of the following:
    • Click Address Book to select the recipients (users or groups) for the campaign. Each targeted recipient must have an Exchange Online mailbox.
    • If you click Filter and Apply without entering any search criteria, all recipients are returned and added to the campaign.
    • You can also click Import, then File Import, to import a comma-separated value (CSV) or line-separated file of email addresses. Each line must contain the recipient’s email address.

    When you’re finished, click Next.

  5. In the Choose attack settings step, choose what to do based on the campaign type:
    • Brute Force Password (Dictionary Attack): Do either of the following:
      • Enter passwords manually: In the Press enter to add a password box, type a password, and then press ENTER. Repeat this step as many times as necessary.
      • Upload passwords from a dictionary file: Click Upload to import an existing text file that contains one password on each line and a blank last line. The text file must be 10 MB or less in size and can’t provide more than 30000 passwords.

    When you’re finished, click Next.

  6. In the Confirm step, click Finish to launch the campaign. The passwords you specified are tried against the users you specified.
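As an added example (not part of the original article, and not code from Attack Simulator itself), a small Python checker for the two files the wizard accepts: the recipient import file (CSV or line-separated, an email address on every line) and the password dictionary (one password per line, a blank last line, at most 10 MB and 30000 passwords). The address pattern and the sample inputs are constructed assumptions.

```python
import re
from typing import List

# Limits the wizard states for the dictionary upload.
MAX_DICTIONARY_BYTES = 10 * 1024 * 1024
MAX_DICTIONARY_PASSWORDS = 30000
# Assumed loose address pattern; the wizard does the authoritative mailbox lookup.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_dictionary(data: bytes) -> List[str]:
    """Return the problems found in a password dictionary file (empty list = OK)."""
    problems = []
    if len(data) > MAX_DICTIONARY_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_DICTIONARY_BYTES}")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8 text"]
    # "Blank last line" is read here as: the final password is followed by a newline.
    if not text.endswith("\n"):
        problems.append("file must end with a blank last line")
    passwords = text.split("\n")[:-1] if text.endswith("\n") else text.split("\n")
    if len(passwords) > MAX_DICTIONARY_PASSWORDS:
        problems.append(f"{len(passwords)} passwords, limit is {MAX_DICTIONARY_PASSWORDS}")
    blanks = [i for i, p in enumerate(passwords, start=1) if not p.strip()]
    if blanks:
        problems.append(f"blank password on line(s) {blanks}")
    return problems


def check_recipients(text: str) -> List[str]:
    """Return the problems found in a recipient import file (CSV or one address per line)."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        # Every line must carry an address in at least one of its comma-separated cells.
        cells = [c.strip() for c in line.split(",")]
        if not any(EMAIL_RE.match(c) for c in cells):
            problems.append(f"line {number} has no email address: {line!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    print(check_dictionary(b"Password1\nSummer2020\nWelcome123\n"))  # []
    print(check_dictionary(b"Password1\n\nSummer2020"))
    print(check_recipients("alice@example.com\nBob Smith,bob@example.com\nno-address-here\n"))
```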

Clicking the arrow on the right of the campaign shows us the details of our attack.

You can also export the results to a CSV file. This file might come in handy if you are tracking how your passwords are improving over time as you attempt to educate your users on creating better passwords.

This might be a great time to force the users in the Compromised Users list to change their passwords. Yes, I am assuming that you do some level of password education for your users, and if not, maybe this report is an indication you should.

By running controlled password attacks against your user base, you can begin to improve your users’ password selection. While we realize that passwords alone are by no means enough, it gives us a place to start building strength into our security.

I hope you can see a path to improve the passwords your organization is using by leveraging the tools we explored in this article.

If you would like to learn more about Password Protection in Azure AD, please check out my article here.