Gray Sandstorm (formerly DEV-0343) conducts extensive password spraying emulating a Firefox browser and using IPs hosted on a Tor proxy network. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.
Gray Sandstorm operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows Gray Sandstorm to validate active accounts and passwords, and further refine their password spray activity.