GCIH · Question #735
Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22
The correct answer is A. Microsoft 365 cloud environment. Invoke-MSOLSpray is a PowerShell password-spraying tool that targets Microsoft Online (Azure AD) authentication endpoints used by Microsoft 365 services.
Question
Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22
Options
- AMicrosoft 365 cloud environment
- BWindows systems on the local subnet
- CThe organization's MSQL server
- DThe local domain controller
How the community answered
(30 responses)- A87% (26)
- B7% (2)
- C3% (1)
- D3% (1)
Why each option
Invoke-MSOLSpray is a PowerShell password-spraying tool that targets Microsoft Online (Azure AD) authentication endpoints used by Microsoft 365 services.
MSOLSpray (Microsoft Online Spray) sends a single password against a list of usernames to Azure AD's cloud authentication endpoints, which underpin Microsoft 365 services including Exchange Online, SharePoint, and Teams. By spraying one password at a time across many accounts, it attempts to evade per-account lockout policies while gaining unauthorized Microsoft 365 access.
MSOLSpray communicates exclusively with Microsoft's cloud-based authentication APIs over the internet and has no mechanism to target or enumerate Windows hosts on a local network subnet.
MSOLSpray contains no functionality for database attacks; it is purpose-built for Microsoft Online credential spraying and cannot interact with SQL server authentication protocols.
The tool bypasses on-premises Active Directory and local domain controllers entirely by authenticating directly against Azure AD cloud endpoints, making the local domain controller irrelevant to the attack.
Concept tested: MSOLSpray password spraying against Microsoft 365 Azure AD
Source: https://github.com/dafthack/MSOLSpray
Topics
Community Discussion
No community discussion yet for this question.