A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?
Password spraying tries common passwords across many accounts.
Why this answer
This is a password spraying attack: the attacker tries a small set of common passwords against many usernames, keeping the count for any single account below the lockout threshold. The observed behavior, repeated failures from one IP followed by a switch to a new username once an account locks, matches that pattern: one or a few passwords across many accounts, rather than many passwords against one account.
Exam trap
The trap here is that candidates confuse password spraying with brute-force or dictionary attacks, failing to recognize that the key differentiator is the attacker's strategy of targeting multiple usernames with a few passwords to evade account lockout thresholds.
How to eliminate wrong answers
Option B (Brute-force attack) is wrong because a brute-force attack tries many passwords against a single username, which would quickly trigger the account lockout policy and not involve switching usernames. Option C (Dictionary attack) is wrong because a dictionary attack uses a list of likely passwords against a single account, again focusing on one username and leading to lockout, not switching targets. Option D (Rainbow table attack) is wrong because rainbow tables are used to crack password hashes offline, not for online authentication attempts against a live domain controller.
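A detector for the distinction drawn in the explanation and the eliminated options above, added here as an example and not part of the original question set: it groups failed logons per source IP and calls a source a spray when it touches many accounts, a brute force when any one account is hit past the lockout threshold within the lockout window. It assumes a simplified (timestamp, source IP, target account) record per failure; the lockout values come from the question, while SPRAY_MIN_ACCOUNTS and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Lockout policy from the question; SPRAY_MIN_ACCOUNTS is an assumed tuning value.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 8

def peak_attempts_in_window(timestamps, window=LOCKOUT_WINDOW):
    """Largest number of failures for one account inside any span of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_sources(events):
    """events: iterable of (datetime, source_ip, target_user) failed logons.
    Returns {source_ip: 'password_spray' | 'brute_force' | 'below_threshold'}."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for ts, ip, user in events:
        by_ip[ip][user].append(ts)
    verdicts = {}
    for ip, users in by_ip.items():
        hottest = max(peak_attempts_in_window(t) for t in users.values())
        if len(users) >= SPRAY_MIN_ACCOUNTS:
            verdicts[ip] = "password_spray"   # breadth across accounts is the differentiator
        elif hottest >= LOCKOUT_THRESHOLD:
            verdicts[ip] = "brute_force"      # one account hammered past the lockout line
        else:
            verdicts[ip] = "below_threshold"  # e.g. a user mistyping a password
    return verdicts

# Constructed sample (not real logs): a spray from 10.0.0.50, a brute force from 10.0.0.77,
# and a user on 10.0.0.9 who fails once every hour.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=10 * i), "10.0.0.50", f"user{i:02d}") for i in range(12)]
    + [(T0 + timedelta(seconds=3 * i), "10.0.0.77", "admin") for i in range(8)]
    + [(T0 + timedelta(hours=i), "10.0.0.9", "bob") for i in range(3)]
)

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(ip, verdict)
```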