CypherCon 2024

What the hell is Azure AD Smart Lockout?

Nicholas Anastasi

Password spraying has always been one of the cornerstones of any penetration tester’s tool belt. With the advent of cloud-hosted services and a diabolical plot by Microsoft to lock all organizations into a lifelong monthly subscription service, attackers have begun to face modern security controls that are on to our nefarious tactics. Microsoft has built controls into their authentication endpoints to detect and block password spraying attempts at scale. The controls are on by default and protect every organization utilizing their services. The days of spraying Microsoft Exchange, accessing the VPN, and grabbing domain admin in under eight hours are over.

Microsoft has bragged for years now that they process millions of login attempts daily and have built security controls to detect even the most evasive password-spraying methodologies. These detection techniques depend on supervised machine-learning models. They have named this model, which remains largely shrouded in mystery, Azure AD Smart Lockout. Let’s try to beat it.

Machine learning models used for detection always have edge cases and a breaking point. Using modern web scraping technologies and unique evasion techniques, it is possible to very closely mimic real-world user authentication attempts, making detection of password spraying extremely difficult for Microsoft.

During this talk, we will break down what we believe is the process Microsoft uses to implement Azure AD Smart Lockout and attempt to bypass it to allow for password spraying attacks at scale. Using these techniques tactfully, an attacker could successfully guess their way into user accounts like in the olden days. We might not get domain administrator access, but we can still show a lot of impact.

Even if Microsoft successfully begins to detect these evasion techniques, and they will, you should walk away from this talk with a better understanding of what SaaS platforms are doing to protect your user accounts. If we just figured this all out, actual threat groups and APTs have probably been doing it for years. By the end of the presentation, it should be clear that a defense-in-depth strategy is critical to securing an organization, and depending on the big five to protect your users out of the box isn’t the way to go.

Nicholas Anastasi

Locking you out so you don’t need to work!!

Nicholas Anastasi started his career in cybersecurity at Sprocket Security and hasn’t looked back. Continuous Penetration Testing is all he knows, and during his day-to-day, he leads the penetration testing team, writes a ton of Python, and works tirelessly to improve the Continuous Penetration Testing process. In his free time, Nicholas enjoys running, eating too much candy, and working on his homelab.