{"id":99393,"date":"2021-10-26T09:00:22","date_gmt":"2021-10-26T16:00:22","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=99393"},"modified":"2023-05-23T21:31:47","modified_gmt":"2023-05-24T04:31:47","slug":"protect-your-business-from-password-sprays-with-microsoft-dart-recommendations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/","title":{"rendered":"Protect your business from password sprays with Microsoft DART recommendations"},"content":{"rendered":"<p>Over the past year, the Microsoft Detection and Response Team (DART), along with Microsoft\u2019s threat intelligence teams, have observed an uptick in the use of <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/incident-response-playbook-password-spray\" target=\"_blank\" rel=\"noopener\">password sprays<\/a> as an attack vector. This threat is a moving target with techniques and tools always changing, and Microsoft continues to find new ways to detect these types of attacks and help protect its customers.<\/p>\n<p>In this blog, we are going to define what password sprays are, detail DART\u2019s investigation techniques and approach to responding to password spray attacks, and outline our recommendations for protecting against them.<\/p>\n<h2>Why are identity-based attacks suddenly so popular?<\/h2>\n<p>Previously, threat actors focused on attacking computers to gain access into an environment. As software becomes more intelligent at detecting abnormal programs and vulnerabilities, attacks against our customers are rapidly becoming more focused on breaking into identities rather than breaking into a network.<\/p>\n<p>The approach to securing user accounts is well-intentioned, but it is often incomplete, with a large investment that typically goes into areas such as complex password policies and limiting access to resources from networks perceived as secure. While these mitigations are necessary best practices, in the case of a compromised trusted user, they are ineffective at preventing unauthorized access.<\/p>\n<p>This is why identity attacks have become so popular. Once attackers have gained the credentials to an account, they can access any sensitive resources that users can access and have the malicious activity appear as normal. This creates a repeating cycle attack pattern, where one compromised account can lead to access to resources where additional credentials can be harvested, and thus even further resource access.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-99711 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Identity-based-attack-lifecycle.jpg\" alt=\"Graphic shows a repeating identity-based attack lifecycle pattern.\" width=\"500\" height=\"449\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Identity-based-attack-lifecycle.jpg 500w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Identity-based-attack-lifecycle-300x269.jpg 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/p>\n<p><em>Figure 1. Identity-based attack lifecycle.<\/em><\/p>\n<h2>The anatomy of a password spray attack<\/h2>\n<p>To understand how to protect against, and investigate a password spray attack, it is important to understand what it is. Password spray attacks are authentication attacks that employ a large list of usernames and pair them with common passwords in an attempt to \u201cguess\u201d the correct combination for as many users as possible. These are different from brute-force attacks, which involve attackers using a custom dictionary or wordlist and attempting to attack a small number of user accounts.<\/p>\n<p>Sophisticated password spray techniques include some of the following qualities:<\/p>\n<h3>Password spray methods:<\/h3>\n<ul>\n<li><strong>Low and slow:<\/strong> Patience is key for a determined threat actor. The most sophisticated password sprays will use several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.<\/li>\n<li><strong>Availability and reuse:<\/strong> With a new breach being announced publicly every month, the amount of compromised credentials posted on the dark web is rising rapidly. Attackers can utilize this tactic, also called \u201ccredential stuffing,\u201d to easily gain entry because it relies on people reusing passwords and usernames across sites.<\/li>\n<\/ul>\n<h3>Password spray identifiers:<\/h3>\n<ul>\n<li><strong>User agents:<\/strong> This is not an immutable variable and is simple to spoof, so don\u2019t always rely on the user agent string to tell the truth. That said, some example user agents often seen during a password spray are:\n<ul>\n<li>BAV2ROPC \/ CBAinPROD \/ CBAinTAR: These user agent strings represent a connection from a client that uses legacy authentication, a popular tool for a password spray attack.<\/li>\n<li>Firefox\/Chrome: More sophisticated password sprays using REST APIs often use headless browsers [a browser that doesn&#8217;t have a graphical user interface (GUI)] to target the API endpoints.<\/li>\n<li>Python requests package: This is an automation library that can be used to generate requests to a website without user interaction.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Targets:<\/strong> Password sprays have often targeted applications that are unsecured and use legacy authentication protocols. This is due to the fact that these protocols don\u2019t offer a rich audit trail and are not able to enforce a <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/mfa-multi-factor-authentication#:~:text=Multifactor%20authentication%20(MFA)%20adds%20a,a%20code%20received%20by%20phone.\" target=\"_blank\" rel=\"noopener\">multifactor authentication<\/a> (MFA) requirement. More recently, things have changed somewhat, and we are seeing attackers switch to targeting applications that utilize the REST API, often considered to be more secure. Some commonly targeted applications are:\n<ul>\n<li>Exchange ActiveSync<\/li>\n<li>IMAP, POP3, SMTP Auth<\/li>\n<li>Exchange Autodiscover<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Microsoft has <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/advancing-password-spray-attack-detection\/ba-p\/1276936\" target=\"_blank\" rel=\"noopener\">implemented new and improved password spray detections<\/a> over the last year to help continue to address password spray attacks.<\/p>\n<h2>Help! I\u2019ve been sprayed!<\/h2>\n<p>DART is no stranger to password spray attacks. When it comes to investigating cybersecurity incidents, our team\u2019s primary goal is to establish the facts and see where they lead us. Here are some of the questions our team typically considers at the start of each password spray attack incident:<\/p>\n<ul>\n<li><strong>\u201cWas the password spray successful?\u201d<\/strong> This is perhaps the most important question to ask because it determines whether there is potential unauthorized access present in the environment. If it was determined to be successful, the investigator can continue down the list to gain additional information to understand how to proceed.<\/li>\n<li><strong>\u201cWhich users are affected?\u201d<\/strong> Enumerating the users that were victims of the password spray attack can change the direction of our investigation. For example, if the list of users affected is particularly targeted (maybe just in one department or all the staff members of a particular project), we can assume our threat actor knows what they are looking for and has done their research. This helps us adapt an action plan based on the permissions and access rights that a particular user has. We call this \u201cscoping\u201d the incident\u2014in other words, understanding what machines and resources the attackers accessed, and determining the number of compromised users. This knowledge helps us with remediation and preventing attackers from entering the environment again in the future.<\/li>\n<li><strong>\u201cWere administrative accounts compromised?\u201d<\/strong> If administrative control over a tenant is lost, the situation changes. A compromised tenant is a very different situation from a compromised user and has the potential to be much more damaging, so this is an important distinction for us to make.<\/li>\n<li><strong>\u201cWhat indicators do we have?\u201d<\/strong> Information such as the time the spray was conducted, targeted user agent and endpoint, IP addresses, and other identifying information can help us understand if this was carried out by an opportunistic attacker or determined human adversary. There is also the possibility that we can use our threat intelligence to identify some potential next steps our adversary may have taken and the overall scope of compromise.<\/li>\n<\/ul>\n<p>Our <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/incident-response-playbook-password-spray\" target=\"_blank\" rel=\"noopener\">password spray investigations playbook<\/a> contains in-depth guidance around investigating password spray attacks and offers information about Microsoft Active Directory Federation Services (ADFS), Microsoft&#8217;s solution for single sign-on (SSO), and web-based authentication.<\/p>\n<h2>Am I a target?<\/h2>\n<p>It\u2019s important to understand the targets of the password spray to correctly determine the scope of the potential compromise. Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start. Enumerate the users with the below permissions as the initial list to investigate, and then add users to it as the analysis proceeds:<\/p>\n<ul>\n<li>Security administrator<\/li>\n<li>Exchange service administrator<\/li>\n<li>Global administrator<\/li>\n<li>Conditional Access administrator<\/li>\n<li>SharePoint administrator<\/li>\n<li>Helpdesk administrator<\/li>\n<li>Billing administrator<\/li>\n<li>User administrator<\/li>\n<li>Authentication administrator<\/li>\n<li>Company administrator<\/li>\n<\/ul>\n<p>In addition to privileged accounts such as these, identities with a high profile (such as C-level executives), or identities with access to sensitive data are also popular targets. It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts. Be sure to apply protection in a democratic way to avoid creating weak spots in configuration.<\/p>\n<h2>How can I check for suspicious activity?<\/h2>\n<p>To perform a thorough cloud investigation, exportation of logs and installation of PowerShell modules is inevitable and discussed in detail in our password spray investigation playbook, but there are other methods to gain insights quickly.<\/p>\n<h3>Microsoft Cloud App Security<\/h3>\n<p>The <a href=\"https:\/\/signup.microsoft.com\/get-started\/signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&amp;ali=1&amp;culture=en-us&amp;country=US&amp;products=757c4c34-d589-46e4-9579-120bba5c92ed\" target=\"_blank\" rel=\"noopener\">Microsoft Cloud App Security<\/a> portal is a great first place to check for suspicious activity. If you have Cloud App Security enabled, follow these steps to check for suspicious activity.<\/p>\n<ol>\n<li>Go to the <a href=\"https:\/\/signup.microsoft.com\/get-started\/signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&amp;ali=1&amp;culture=en-us&amp;country=US&amp;products=757c4c34-d589-46e4-9579-120bba5c92ed\" target=\"_blank\" rel=\"noopener\">Cloud App Security<\/a> portal and sign in with the Security Administrator credentials.<\/li>\n<li>Go to <strong>Alerts<\/strong>.<\/li>\n<li>Filter for the users that you enumerated in the first step, check for any alerts associated with these users.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-99411\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAS-spray-attacks.png\" alt=\"Screenshot showing sample alerts in the Microsoft Cloud App Security alerts page. \" width=\"1102\" height=\"433\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAS-spray-attacks.png 1102w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAS-spray-attacks-300x118.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAS-spray-attacks-1024x402.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAS-spray-attacks-768x302.png 768w\" sizes=\"(max-width: 1102px) 100vw, 1102px\" \/><\/p>\n<p><em>Figure 2. Sample alerts in Cloud App Security related to possible password spray attacks.<\/em><\/p>\n<p>Here are some alerts that could be associated with a password spray incident:<\/p>\n<ul>\n<li>Activity from anonymous IP address.<\/li>\n<li>Activity from infrequent country.<\/li>\n<li>Activity from suspicious IP address.<\/li>\n<li>Impossible travel.<\/li>\n<\/ul>\n<p>We describe additional Cloud App Security alerts in <a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/investigate-anomaly-alerts\" target=\"_blank\" rel=\"noopener\">our documentation<\/a>.<\/p>\n<h3>User investigation priority<\/h3>\n<p>For the accounts of interest, check the Cloud App Security investigation priority by navigating to the account under <strong>Users and accounts<\/strong>. The investigation priority score is based on security alerts, abnormal activities, and potential business and asset impact related to each user to help you assess how urgent it is to investigate each specific user.<\/p>\n<ol>\n<li>Go to the <a href=\"http:\/\/portal.cloudappsecurity.com\" target=\"_blank\" rel=\"noopener\">Cloud App Security portal<\/a>.<\/li>\n<li>Go to <strong>Investigate<\/strong> then <strong>Users and accounts<\/strong>.<\/li>\n<li>Check the investigation priority for all users of interest and, if needed, view related activity.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-99417\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority.png\" alt=\"Screenshot displays a sample investigation priority page in Microsoft Cloud App Security. \" width=\"1234\" height=\"810\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority.png 1234w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority-300x197.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority-1024x672.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority-768x504.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/MCAP-Investigation-priority-200x130.png 200w\" sizes=\"(max-width: 1234px) 100vw, 1234px\" \/><\/p>\n<p><em>Figure 3. The user page in Cloud App Security shows the investigation priority.<\/em><\/p>\n<h3>Azure Active Directory<\/h3>\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/active-directory\/#overview\" target=\"_blank\" rel=\"noopener\">Microsoft Azure Active Directory<\/a> (Azure AD) incorporates behavioral analysis algorithms into its detection logic natively, so there is a chance that an alert already exists about a password spray attack. Below are several places to check within the portals before going through the hassle of log exporting. Use the indicators of compromise (IOCs) from these alerts to further pivot such as user, IP address, time range, and more.<\/p>\n<h3>Identity Protection<\/h3>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/identity-protection\/overview-identity-protection\" target=\"_blank\" rel=\"noopener\">Identity Protection<\/a> is a tool in Azure AD designed to identify potential risky behavior surrounding authentication events. Users with an Azure AD Premium P2 license may follow these steps to check for suspicious activity:<\/p>\n<ol>\n<li>Go to the <a href=\"http:\/\/portal.azure.com\/\" target=\"_blank\" rel=\"noopener\">Microsoft Azure portal<\/a>.<\/li>\n<li>Use the search bar to locate <strong>Azure AD<\/strong>.<\/li>\n<li>Select <strong>Security<\/strong> from the left blade.<\/li>\n<li>Review the reports under <strong>Risky sign-ins<\/strong> and <strong>Risky users<\/strong> for any of the users that you enumerated from the list.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-99420 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Azure-AD-risky-behavior.png\" alt=\"Screenshot shows the risky sign-ins page in the Microsoft Azure portal.\" width=\"1100\" height=\"948\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Azure-AD-risky-behavior.png 1100w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Azure-AD-risky-behavior-300x259.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Azure-AD-risky-behavior-1024x883.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Azure-AD-risky-behavior-768x662.png 768w\" sizes=\"(max-width: 1100px) 100vw, 1100px\" \/><\/p>\n<p><em>Figure 4. Azure AD can display a list of risky sign-ins to identify potential risky behavior.<\/em><\/p>\n<h3>Revoke user access<\/h3>\n<p>If an identity is considered compromised, action should be taken immediately to <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/enterprise-users\/users-revoke-access\" target=\"_blank\" rel=\"noopener\">ensure that access is revoked<\/a>. This should include disabling the user\u2019s device(s), a password reset, account disablement, and token revocation in Azure AD.<\/p>\n<h2>Recommendations for protecting against password sprays<\/h2>\n<p>Password sprays are worrisome but when we look at the statistics according to the Digital Shadows report \u201cFrom Exposure to Takeover,\u201d there are over five billion unique credential pairs available for sale worldwide, with new caches of credentials being exposed on a regular basis.<sup>1<\/sup> This kind of volume tells us that we should assume that a breach will occur and consider that a compromised username or password in any given organization is inevitable.<\/p>\n<p>This doesn\u2019t mean we should give up on passwords altogether, but the rabbit hole of password policies, and the potentially endless discussions about complexity, length, and \u201ccorrect battery horse staple\u201d (Don\u2019t know what we are talking about? Look it up!) should be avoided in favor of applying <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener\">Zero Trust<\/a> logic to identity and authentication. This includes areas like:<\/p>\n<ul>\n<li><strong>MFA and legacy authentication:<\/strong> You have probably heard this recommendation before: disabling legacy authentication and enabling MFA for all users is a critical step in <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/steps-secure-identity\" target=\"_blank\" rel=\"noopener\">securing your identity infrastructure<\/a> and should be a priority if it has not already been done.<\/li>\n<li><strong>Rethinking the password policy:<\/strong> The future is a world without passwords because it is too common that people reuse them between applications or create easily discoverable passwords. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/passwordless-authentication\" target=\"_blank\" rel=\"noopener\">Passwordless authentication<\/a> methods such as the <a href=\"https:\/\/support.microsoft.com\/en-us\/account-billing\/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc\" target=\"_blank\" rel=\"noopener\">Microsoft Authenticator App<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-overview\" target=\"_blank\" rel=\"noopener\">Windows Hello for Business<\/a>, and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-authentication-passwordless#fido2-security-key-providers\" target=\"_blank\" rel=\"noopener\">Fast Identity Online (FIDO) keys<\/a> help improve both the user experience and security level of an authentication event. If a password must be used, ensure that the password policy does not allow key phrases related to the organization or commonly used passwords. Having a password policy of eight characters with an uppercase, lowercase, number, and symbol, is no longer secure with today\u2019s graphics processing unit (GPU) capabilities. Attackers can crack a password with these elements in a matter of hours. 20-character small sentences may be easy for users to remember and are more secure than a complex 8-character password!<\/li>\n<li><strong>MFA registration:<\/strong> The most effective way to protect against a password spray leading to a successful authentication is by using MFA. However, if the user is enabled for MFA, but never completes the registration process, they are left unprotected. Even worse, if a threat actor signs in and is prompted for MFA, they can register their own MFA details. This is an excellent cover for a threat actor because the authentication event is much less suspicious when MFA is satisfied. DART doesn\u2019t recommend using location-based MFA policies (like only applying MFA when outside the corporate network) as this leaves room for this kind of loophole. Additionally, DART recommends that customers configure an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/identity-protection\/howto-identity-protection-configure-mfa-policy\" target=\"_blank\" rel=\"noopener\">MFA registration policy<\/a> if possible to ensure that all enabled users register for MFA.<\/li>\n<li><strong>Mailbox auditing:<\/strong> Use <a href=\"https:\/\/github.com\/o365soa\/Scripts\/blob\/master\/Configure-MailboxAuditLogging.ps1\" target=\"_blank\" rel=\"noopener\">this script<\/a> to ensure that the recommended mailbox auditing actions are configured on every mailbox in the organization. This ensures that post-exploitation auditing is as robust as possible, allowing for a more effective investigation.<\/li>\n<li><strong>Administrative accounts:<\/strong> These are the keys to the kingdom and should have an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/roles\/best-practices\" target=\"_blank\" rel=\"noopener\">extra level of protection<\/a>. Ensure that administrative accounts are cloud-only and are not synchronized from Activity Directory. MFA should always be applied, and emergency access accounts should be created also.<\/li>\n<li><strong>Policy gaps:<\/strong> Ensuring that weaknesses do not exist in your identity policies and processes is critical. All too often, DART finds that small misconfigurations can lead to an entry point for a threat actor. Let\u2019s explore this idea further:\n<ul>\n<li><strong>Conditional Access policies:<\/strong> These policies are a great way to apply access control logic to complex environments, helping customers walk the tightrope between protecting the organization and allowing staff to get on with their jobs. With complexity comes risk, and as previously mentioned, misconfigurations are all too common. Some pitfalls to watch out for:\n<ul>\n<li><strong>Cloud Apps:<\/strong> Let\u2019s look at a real-world example. A DART customer experienced a cloud identity breach and had in place an MFA policy for administrative accounts, applied to the Office 365 cloud app. However, the threat actor used the Azure Service Management API to connect to the environment. This cloud app was outside of the scope of the MFA Conditional Access policy, giving the threat actor access to the environment without requiring MFA. Make sure to have in place a Conditional Access policy that covers all cloud apps and applies MFA to give you a base level of protection.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 80px;\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-99423 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Conditional-Access-policy-in-Azure-AD.png\" alt=\"Screenshot showing how to configure the Conditional Access policy in Azure AD.\" width=\"587\" height=\"372\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Conditional-Access-policy-in-Azure-AD.png 587w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Conditional-Access-policy-in-Azure-AD-300x190.png 300w\" sizes=\"(max-width: 587px) 100vw, 587px\" \/><\/p>\n<p style=\"padding-left: 160px;\"><em>Figure 5. Conditional Access policy in Azure AD.<\/em><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>Policy exceptions:<\/strong> During day-to-day operations, changes are often made to a product configuration to facilitate business functions. One typical example of this kind of change is an account being removed or exempted from a security policy. This is something to be careful of\u2014policy exceptions often begin as a temporary change but end up being permanent for one reason or another. It is also not uncommon for DART to observe exceptions for sensitive or high-profile accounts; the very type of account that makes an ideal target for cybercriminals. Use processes and technical solutions to ensure those policy exceptions are temporary and tracked. If they must remain, put in place some mitigating controls to reduce the attack surface of that particular account.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Assume breach<\/h2>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/incident-response-playbook-password-spray\" target=\"_blank\" rel=\"noopener\">Password spray attacks<\/a> are the perfect combination of low effort and high value for attackers, and even the most secure companies are likely to fall victim to them. However, preventing catastrophic damage is not a hopeless endeavor. By assessing both sides of the situation, the protection against the attack as well as the capabilities to investigate and remediate an attack, you can ensure a substantial amount of coverage against password spray destruction.<\/p>\n<p>DART utilizes these strategies for everyday investigations. We encourage our customers to adopt <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/passwordless-authentication\" target=\"_blank\" rel=\"noopener\">passwordless technology<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/mfa-multi-factor-authentication\/\" target=\"_blank\" rel=\"noopener\">enable MFA<\/a>, regardless of the provider. While attackers are most likely continuously exploring new ways to break into an environment, by assuming breach, we can help to safeguard against inevitable detrimental harm.<\/p>\n<h2>Learn more<\/h2>\n<p>Want to learn more about DART? Read our past <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-detection-and-response-team-dart-blog-series\/\" target=\"_blank\" rel=\"noopener\">blog posts<\/a>.<\/p>\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p>&nbsp;<\/p>\n<hr>\n<p><sup>1<\/sup><a href=\"https:\/\/resources.digitalshadows.com\/whitepapers-and-reports\/from-exposure-to-takeover\" target=\"_blank\" rel=\"noopener\">From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover<\/a>, Digital Shadows Photon Research Team, Digital Shadows.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog discusses DART\u2019s investigation techniques and approach to responding to password spray attacks while outlining recommendations for protecting against them.<\/p>\n","protected":false},"author":106,"featured_media":99441,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3661],"topic":[3673,3674,3678],"products":[],"threat-intelligence":[],"tags":[],"coauthors":[2064],"class_list":["post-99393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-industry-trends","topic-identity-and-access-management","topic-incident-response","topic-multifactor-authentication"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"This blog discusses DART\u2019s investigation techniques and approach to responding to password spray attacks while outlining recommendations for protecting against them.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-26T16:00:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-24T04:31:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"Protect your business from password sprays with Microsoft DART recommendations\",\"datePublished\":\"2021-10-26T16:00:22+00:00\",\"dateModified\":\"2023-05-24T04:31:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\"},\"wordCount\":2745,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\",\"name\":\"Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\",\"datePublished\":\"2021-10-26T16:00:22+00:00\",\"dateModified\":\"2023-05-24T04:31:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg\",\"width\":1200,\"height\":900,\"caption\":\"Man sitting at a wooden table typing on a laptop while using Microsoft Teams within Windows 365. Shown on Windows 11.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protect your business from password sprays with Microsoft DART recommendations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/","og_locale":"en_US","og_type":"article","og_title":"Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog","og_description":"This blog discusses DART\u2019s investigation techniques and approach to responding to password spray attacks while outlining recommendations for protecting against them.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/","og_site_name":"Microsoft Security Blog","article_published_time":"2021-10-26T16:00:22+00:00","article_modified_time":"2023-05-24T04:31:47+00:00","og_image":[{"width":1200,"height":900,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","type":"image\/jpeg"}],"author":"Microsoft Incident Response","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","twitter_misc":{"Written by":"Microsoft Incident Response","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"Protect your business from password sprays with Microsoft DART recommendations","datePublished":"2021-10-26T16:00:22+00:00","dateModified":"2023-05-24T04:31:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/"},"wordCount":2745,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/","name":"Protect your business from password sprays with Microsoft DART recommendations | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","datePublished":"2021-10-26T16:00:22+00:00","dateModified":"2023-05-24T04:31:47+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/WIN22_Productivity_121.jpg","width":1200,"height":900,"caption":"Man sitting at a wooden table typing on a laptop while using Microsoft Teams within Windows 365. Shown on Windows 11."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/26\/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Protect your business from password sprays with Microsoft DART recommendations"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/99393"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=99393"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/99393\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/99441"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=99393"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=99393"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=99393"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=99393"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=99393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=99393"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=99393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}