Both involve failed logins. How would you distinguish a brute-force attack from a password spray in your logs?
Short answer
Brute force targets a single account with many password guesses, so you see many failures concentrated on one username. Password spray flips it: one or a few common passwords tried across many accounts, low and slow, so each account sees only a couple of failures. The detection signal is the ratio of accounts to failures and the timing, not raw failure counts.
These two attacks look superficially similar — lots of failed logins — but the shape of the data is opposite, and so is the right detection. Interviewers use this to test whether you reason about attacker intent and detection logic rather than just counting errors.
Brute force: deep on one account
A brute-force attack focuses on a single account and throws many password guesses at it. In the logs you see a high volume of authentication failures all tied to one username, often from one or a few source IPs, in a short window. It is loud and usually trips account-lockout policies quickly, which is both a defense and a denial-of-service risk.
Password spray: wide and shallow
A password spray inverts the strategy. The attacker takes one or a few common passwords (think "Spring2026!") — the kind that top every common password wordlist — and tries them against many accounts, one attempt each, then waits before the next round. Because each account only sees one or two failures, the attack stays under lockout thresholds and evades naive "5 failures = alert" rules. The tell is breadth: many distinct usernames failing with the same password from the same source over time.
What to detect on
For brute force, alert on a high failure count per account. For spray, change the lens: count distinct accounts targeted per source IP in a window, and watch for many accounts each failing a small number of times. On Windows, pivot on event ID 4625 (failed logon) and correlate by source IP and account; a successful 4624 after a spray is the dangerous moment.
Why this matters
MFA blunts both, but detection still matters because a single sprayed success can mean account takeover. Showing you tune detection to the attack's shape — not just failure volume — signals real analytical maturity.
Likely follow-ups
- Why does password spray often evade account-lockout policies?
- Which Windows event IDs would you pivot on for failed authentication?
- How would MFA change the impact of either attack?