Most cyber security professionals know and understand the traditional attacks on passwords (i.e. brute force, dictionary, keylogger, etc.) but for the most part, those of us outside of the pen-testing community, when we think of password attacks we think about taking one userid and brute-forcing it with thousands of passwords. The problem with this particular attack method is that this would quickly lock out accounts and almost certainly set off a bunch of bells and whistles to the security team alerting them to an attacker's presence on their network. Well, it seems that the bad guys (and the pen-testing community as well) figured this out a long time ago and they now have a new favorite attack on passwords. Instead of brute-forcing passwords they now prefer to execute what is called a password spray attack.
One scenario where an organization may be vulnerable to password spraying is when an attacker (or pen tester), after successfully enumerating a list of valid users from the domain controllers, utilizes their knowledge of common password use and tries ONE carefully crafted password against ALL of the known user accounts (one password to many accounts). If the attack is not successful at first they will try again utilizing a different carefully crafted password, usually waiting about 30 minutes or so in between attempts so as to not trigger any time based account lockout thresholds. The password spray attack has quickly become a favorite technique of attackers and pen testers alike as it has proven to be very effective as they look to pivot and advance through a network after having established a foothold inside.
As the old saying goes "You are only as strong as your weakest link" and because people will always be the uncontrollable variable, continuing to use weak, easy to remember passwords, I would hazard a guess that most organizations are indeed vulnerable to a password spray attack.
