November 21, 2025 · 6 min read

When Brute Force Still Works: The 80 Billion Credential Problem Nobody's Talking About

Brute force attacks remain a critical threat in 2025, with 80 billion credentials compromised from stealer logs in a single year. Despite modern security controls, credential stuffing attacks succeed because users reuse passwords across services—and threat actors have unprecedented access to breach databases. Security teams struggle to detect these attacks because failed login attempts blend into normal activity, lacking the context to distinguish legitimate user errors from active reconnaissance. In this post, we explore how credential-based attacks exploit password reuse at scale, why traditional security stacks miss these patterns, and what security operations teams can do to investigate and respond effectively. Learn how to correlate authentication logs with breach exposure data, identify high-risk accounts under attack, and implement structured investigation workflows that transform credential threat hunting from manual, time-intensive analysis into standardized, repeatable processes accessible to tier-2+ analysts across your security team.


During a recent threat hunting engagement, I was reviewing authentication logs for a mid-sized financial services company when something caught my attention: a steady stream of failed login attempts against specific user accounts. My first thought was almost dismissive—who's still brute forcing passwords in 2025? We have account lockouts. We have password complexity requirements. We have MFA. We have an entire industry of security controls specifically designed to make this attack vector obsolete.

Except it's not obsolete. And that realization led me down a path that every security team needs to understand.

The Numbers That Should Keep You Up at Night

While I was puzzling over these failed logins, the broader cybersecurity community was documenting something far more alarming. Synthient, a threat intelligence firm, aggregated 80 billion credentials from stealer logs in 2025 alone. Read that again—80 billion. In a single day this year, 600 million credentials were released into the wild. Have I Been Pwned identified 183 million unique email addresses, with 16.4 million that had never appeared in any previous data breach.

Check Point reports a 160% year-over-year increase in credential theft incidents, with 20% of all data breaches now attributed to stolen credentials. FortiGuard Labs observed a 500% increase in infostealer attacks in 2024, compromising 1.7 billion credentials. These aren't theoretical risks or fear-mongering statistics—this is the operational reality that threat actors are leveraging right now, at this moment, against your organization.

The Pattern That Changes Everything

Back to those failed logins. I decided to dig deeper into the targeted accounts. What I discovered was both predictable and deeply concerning: every single user being targeted appeared in multiple password breach databases. Not just one breach—multiple breaches. These weren't sophisticated, zero-day exploitation attempts. These were attacks based on a simple bet: that people reuse passwords.

And here's the uncomfortable truth: they were right to bet on that.

The attack pattern is straightforward. Threat actors harvest credentials from stealer logs, phishing campaigns, and data breaches. They aggregate these into massive databases. Then they systematically attempt to authenticate against corporate systems using known email addresses paired with previously compromised passwords. When I first entered the security field working for government agencies doing information warfare and red teaming, we had to work much harder for initial access. Today's attackers often don't need to be particularly sophisticated—they just need to be persistent and well-resourced in terms of credential data.

The Trial Signup Nobody Thinks About

The fundamental challenge lies in how we've normalized giving away our corporate email addresses. An engineer signs up for a free trial of a development tool. A marketing manager creates an account on a new analytics platform. A sales rep registers for an industry webinar. Each time, they use their company email address—and often, they reuse a password they've used elsewhere because it's convenient and "it's just a trial."

What happens when that SaaS startup gets breached? Or when malware steals credentials from that engineer's personal laptop where they also checked their work email? Those credentials flow into the criminal ecosystem, get aggregated with millions of others, and become ammunition for attacks against your organization.

This is where the gap between security expectations and operational reality becomes dangerous. The expectation is that users will maintain unique, complex passwords for every service. The reality is that password fatigue is real, password managers aren't universally adopted, and even security-aware users make tradeoffs between security and productivity.

Why Your Security Stack Misses This

During my years defending networks at tier-3 operations, I learned that most security tools are optimized for detecting novel attacks or known-bad indicators. Your SIEM alerts on successful logins from unusual locations. Your EDR flags malicious processes. Your identity provider (IdP) might notice when someone logs in from two continents in an hour.

But a steady stream of failed login attempts? Especially when they're distributed across multiple accounts and spaced to avoid simple rate-limiting? Those often blend into the noise. After all, users forget passwords. They mistype. Failed logins are normal.

The critical distinction is intent. When you can correlate those failed login attempts with the fact that every targeted user appears in recent credential breaches, you're no longer looking at forgetful users—you're looking at reconnaissance and active exploitation attempts. The attacker is validating which compromised credentials still work, testing the boundaries of your lockout policies, and identifying accounts that might be vulnerable to credential stuffing.

Smaller organizations are particularly vulnerable here. They may not have implemented account lockout policies. Password complexity requirements might be minimal or nonexistent. MFA adoption might be partial at best. When I tell people that brute forcing still works in 2025, the reaction is usually disbelief—until I show them the logs.

The Context Problem

The fundamental issue isn't that we lack data about failed logins—authentication logs capture these events. The problem is context. Without the ability to quickly correlate failed login attempts with breach data, security teams are left making educated guesses about whether they're seeing a real threat or just noise.

What took me several hours of manual correlation during that threat hunting engagement—pulling authentication logs, cross-referencing usernames against breach databases, identifying patterns—revealed the core challenge facing security operations teams. You need to move from reactive alert triage to proactive threat hunting, and that requires connecting disparate data sources in ways that most security stacks simply aren't built to handle.

The capability gap is clear: security teams need to identify which users are actively being targeted based on their exposure in the criminal credential ecosystem, correlate that with authentication behavior, and respond before successful compromise occurs.
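To make that correlation step concrete, here is an added example (my own Python, not Command Zero's code and not the customer's data) that joins failed-login events with a breach-exposure table and separates forgetful users from accounts that are both exposed and being hit from several sources. The log format, the account names, the IP addresses and the breach names are all constructed for the example; a real pipeline would read the IdP's sign-in logs and a domain search from a breach-notification service.

```python
# Added example (not Command Zero code): correlate failed-login events with
# a breach-exposure list to separate forgetful users from targeted accounts.
# All log lines and the exposure table below are constructed sample data.
from collections import defaultdict
from datetime import datetime

# Constructed authentication log lines, one event per line:
# timestamp user source_ip result
AUTH_LOG = """\
2025-11-10T08:01:12Z alice@corp.example 198.51.100.7 FAILURE
2025-11-10T08:01:40Z alice@corp.example 198.51.100.7 SUCCESS
2025-11-10T09:14:03Z bob@corp.example 203.0.113.21 FAILURE
2025-11-10T09:31:55Z bob@corp.example 203.0.113.88 FAILURE
2025-11-10T10:02:17Z bob@corp.example 198.51.100.200 FAILURE
2025-11-10T10:05:44Z carol@corp.example 203.0.113.21 FAILURE
2025-11-10T10:06:10Z carol@corp.example 203.0.113.21 FAILURE
2025-11-10T11:20:01Z dave@corp.example 192.0.2.55 FAILURE
2025-11-10T11:47:30Z dave@corp.example 192.0.2.56 FAILURE
2025-11-10T11:47:31Z dave@corp.example 192.0.2.57 FAILURE
"""

# Constructed breach-exposure table, shaped like the output of a domain
# search against a breach-notification service (breach names are placeholders).
BREACH_EXPOSURE = {
    "bob@corp.example": ["BreachA-2023", "BreachB-2024", "StealerLogs-2025"],
    "carol@corp.example": ["BreachA-2023"],
    "dave@corp.example": ["BreachB-2024", "StealerLogs-2025"],
}


def parse_events(text):
    """Parse the whitespace-separated log format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "result": result,
        })
    return events


def correlate_failures(events, exposure, min_ips=2):
    """Return per-account failure stats, flagging accounts that are both
    breach-exposed and targeted from at least `min_ips` distinct sources."""
    failures = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["user"]]["attempts"] += 1
            failures[e["user"]]["ips"].add(e["ip"])
    report = []
    for user, stats in failures.items():
        breaches = exposure.get(user, [])
        multi_source = len(stats["ips"]) >= min_ips
        report.append({
            "user": user,
            "failed_attempts": stats["attempts"],
            "unique_ips": len(stats["ips"]),
            "breach_count": len(breaches),
            # Exposed + multiple sources is the reconnaissance signature;
            # exposed + single source deserves a look; neither is likely noise.
            "verdict": ("targeted" if breaches and multi_source
                        else "review" if breaches
                        else "likely_noise"),
        })
    # Rank: most breaches first, then most distinct source IPs.
    report.sort(key=lambda r: (-r["breach_count"], -r["unique_ips"], r["user"]))
    return report


if __name__ == "__main__":
    for row in correlate_failures(parse_events(AUTH_LOG), BREACH_EXPOSURE):
        print(row)
```

On the sample data bob and dave come out as "targeted" (exposed in several breaches, failures from three different sources each), carol as "review" (one breach, one source) and alice as "likely_noise" (a mistyped password followed by a success). The ranking is the same triage order an analyst would apply by hand; the point of automating it is that the exposure lookup happens for every failed login rather than only when someone gets curious.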

Structured Investigation of Credential Attacks

This is where the methodology matters. Remember those several hours I spent manually correlating authentication logs with breach data? That investigation required pulling logs from multiple systems, writing custom queries in different languages, cross-referencing results, and building context piece by piece. It worked, but it wasn't scalable, and it certainly wasn't something every analyst on the team could replicate consistently.

Command Zero transforms this manual investigation process into a structured workflow through hunting questions and facets. Instead of starting from scratch each time, analysts can leverage pre-built investigations that capture the institutional knowledge of how to hunt for credential-based attacks effectively.

Hunting Questions That Drive Investigation

The platform provides hunting questions tailored to specific credential attack patterns across different identity providers. For Microsoft Entra environments, analysts can quickly investigate:

- What users were locked out by Microsoft Entra smart lockout?
- What login attempts indicate a potential brute force attack?
- What users have failed a multifactor authentication (MFA) challenge in Microsoft Entra ID?
- What are the top 100 accounts with the most unique IP addresses in login failed attempts?
- What failed login attempts occurred in the last 7 days?

For organizations using Okta, similar questions enable rapid assessment:

- What Okta users were locked out due to failed sign-in attempts?
- What users have failed an Okta multifactor authentication (MFA) challenge?

These aren't just pre-written queries—they're investigative starting points that any tier-2+ analyst can execute, regardless of their familiarity with the underlying query languages or log structures. The question "What are the top 100 accounts with the most unique IP addresses in login failed attempts?" immediately surfaces the pattern I discovered manually: accounts being targeted from multiple sources, which is a hallmark of credential stuffing attacks.

Facets: Standardizing the Investigation Process

What makes this approach particularly powerful is the use of facets for standardized investigations. A facet represents a complete investigation pathway that can be applied consistently across incidents. For example:

Entra - Password Spray - IP Address: This facet structures the investigation around identifying password spray attempts targeting multiple accounts from a specific IP address. Once you've identified a suspicious IP in your initial hunting, this facet walks through examining all authentication attempts from that source, identifying targeted accounts, and correlating with breach exposure.

Okta - User Account Lockout - User Login: When a user gets locked out, this facet guides the investigation through authentication history, failed attempt patterns, source IPs, and whether the lockout appears to be legitimate user error or malicious activity.

Okta - Password Spray - IP Address: Similar to the Entra version, but tailored to Okta's log structure and authentication model, ensuring that the investigation accounts for platform-specific behaviors and indicators.
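The two pivots behind the hunting question "top accounts by unique IP addresses in failed attempts" and the "Password Spray - IP Address" facets can be expressed in a few dozen lines once sign-in events are normalized to (time, user, source IP, result). The following is an added example in Python, written for this article rather than taken from Command Zero or from either identity provider; the events, account names, IP addresses and thresholds (a ten-minute window, five accounts, two attempts per account) are constructed and should be tuned to your own baseline.

```python
# Added example, not Command Zero's implementation: two hunting pivots over
# constructed sign-in events of the form (time, user, source_ip, result).
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events. 203.0.113.5 walks through six accounts once each,
# seven seconds apart, and lands on one; bob is also hit from three other IPs.
EVENTS = [
    (ts("2025-11-12 02:00:00"), "alice", "203.0.113.5", "FAILURE"),
    (ts("2025-11-12 02:00:07"), "bob", "203.0.113.5", "FAILURE"),
    (ts("2025-11-12 02:00:14"), "carol", "203.0.113.5", "FAILURE"),
    (ts("2025-11-12 02:00:21"), "dave", "203.0.113.5", "FAILURE"),
    (ts("2025-11-12 02:00:28"), "erin", "203.0.113.5", "FAILURE"),
    (ts("2025-11-12 02:00:35"), "frank", "203.0.113.5", "SUCCESS"),
    (ts("2025-11-12 09:15:00"), "alice", "198.51.100.9", "FAILURE"),
    (ts("2025-11-12 09:15:20"), "alice", "198.51.100.9", "SUCCESS"),
    (ts("2025-11-12 13:00:00"), "bob", "192.0.2.10", "FAILURE"),
    (ts("2025-11-12 13:30:00"), "bob", "192.0.2.11", "FAILURE"),
    (ts("2025-11-12 14:00:00"), "bob", "192.0.2.12", "FAILURE"),
]


def top_accounts_by_unique_ips(events, n=100):
    """Hunting question: accounts with the most distinct source IPs in
    failed attempts. Many sources against one account is the credential
    stuffing signature."""
    ips = defaultdict(set)
    for _, user, ip, result in events:
        if result == "FAILURE":
            ips[user].add(ip)
    ranked = sorted(ips.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(user, len(sources)) for user, sources in ranked[:n]]


def spray_candidates(events, window=timedelta(minutes=10),
                     min_accounts=5, max_per_account=2):
    """Password-spray pivot by source IP: within `window`, one IP touches at
    least `min_accounts` distinct accounts with at most `max_per_account`
    attempts each. Reports evenly spaced attempts (an automation hint) and
    any successes inside the window."""
    by_ip = defaultdict(list)
    for e in sorted(events):
        by_ip[e[2]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, user, _, _ in span:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account
                    and (best is None or len(per_account) > len(best["accounts"]))):
                gaps = [(span[i][0] - span[i - 1][0]).total_seconds()
                        for i in range(1, len(span))]
                best = {
                    "ip": ip,
                    "accounts": sorted(per_account),
                    "attempts": len(span),
                    "regular_spacing": (max(gaps) - min(gaps) <= 1.0) if gaps else False,
                    "successes": [u for _, u, _, r in span if r == "SUCCESS"],
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    print(top_accounts_by_unique_ips(EVENTS, n=5))
    for finding in spray_candidates(EVENTS):
        print(finding)
```

The unique-IP ranking puts bob first (four sources), and the spray pivot flags 203.0.113.5 with six accounts, metronomic seven-second spacing and one success (frank), which is the account to reset first. The spray check deliberately ignores single-account bursts so that one user fumbling a password does not trip it; that case is what lockout-focused facets are for.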

Customization and Environmental Specificity

Here's what I particularly value about the facet approach: each one can be expanded to cover the specifics of your environment. A financial services organization might extend the "Password Spray" facet to include correlation with their fraud detection systems. A healthcare provider might add checks against their patient access logs. A manufacturing company might integrate with their OT network monitoring.

The base facet provides the investigation framework—the questions you need to answer, the data sources you need to check, the patterns you need to identify. But it's adaptable to your organizational context, your risk profile, and your detection priorities. You're not locked into a one-size-fits-all approach, but you're also not starting from a blank slate every time.

The Analyst Empowerment Outcome

This standardization fundamentally changes how security teams operate. When I was doing tier-3 network operations, the gap between what senior analysts could investigate and what junior analysts could handle was enormous. Senior folks had years of experience knowing which logs to check, what patterns to look for, and how to correlate seemingly unrelated events. Junior analysts had to escalate constantly or risk missing critical connections.

Command Zero's hunting questions and facets capture that senior analyst knowledge and make it accessible to the entire team. A tier-2 analyst investigating their first potential password spray attack can follow the same structured investigation pathway that a senior threat hunter would take—but in minutes instead of hours. They're asking the right questions, checking the right data sources, and building context systematically.

More importantly, when that analyst discovers something novel during the investigation—a new attack pattern, an unexpected data correlation, a useful contextual check—that knowledge can be captured and added to the facet. The institutional learning compounds. You're not just solving today's incident; you're improving your team's capability for every future investigation.

The Operational Impact

Consider the practical outcomes when security teams can make these connections. When that financial services customer I mentioned earlier understood the correlation between failed logins and breach exposure, their response shifted immediately. Instead of treating each failed login as an isolated event, they could:

- Identify high-risk accounts that needed immediate password resets and MFA enforcement
- Prioritize security awareness training for users whose credentials appeared in multiple breaches
- Implement targeted monitoring for successful logins following failed attempts on breach-exposed accounts
- Develop custom detection logic for credential stuffing patterns specific to their environment

One customer reported that after identifying accounts appearing in breach databases, they forced password resets for 400+ users who had been using compromised credentials. Within 72 hours, they observed a 90% reduction in failed login attempts against those accounts. The threat actors moved on to easier targets—which is exactly what you want.

The Broader Credential Challenge

This isn't just about failed login attempts. The scale of credential theft we're seeing—80 billion credentials aggregated, 600 million released in a single day—creates a persistent threat that extends far beyond individual password reuse. We're dealing with:

Account Takeover at Scale: Automated credential stuffing tools can test thousands of username/password combinations across hundreds of services simultaneously. When even 1% of tested credentials work, that's thousands of successful compromises.

Lateral Movement Enablement: Once inside your environment, attackers use stolen credentials to move between systems, escalate privileges, and access sensitive data—all while appearing as legitimate users in your logs.

Third-Party Risk Amplification: Your security posture is only as strong as your weakest third-party integration. When a vendor gets breached and your users have reused passwords, you inherit that vendor's security failure.

Moving Beyond Password Theater

The uncomfortable reality is that traditional password-based authentication is fundamentally broken when facing this volume of compromised credentials. MFA helps, but as the ID Dataweb research notes, 79% of business email compromise victims had MFA enabled—attackers have adapted with push-bombing, social engineering, and token theft techniques.

What we need is a shift in how we think about identity verification. It's not enough to validate that someone knows a password—we need to understand the full context of each authentication attempt. Is this login consistent with the user's normal behavior? Is the account known to be exposed in recent breaches? Are we seeing failed attempts before this successful login?

Security teams need investigation capabilities that enable them to build these contextual investigations into their workflow. Instead of waiting for an incident to investigate whether compromised credentials played a role, analysts should be able to proactively hunt for indicators of credential-based attacks as part of their daily operations.

Your Action Plan

If you're responsible for security operations, here's what you need to do immediately:

Identify Your Exposure: Cross-reference your user base against known breach databases. Services like Have I Been Pwned provide organizational domain searches. The results will likely be sobering—expect a significant percentage of your users to appear in at least one breach.

Correlate with Authentication Logs: Look for patterns of failed login attempts against breach-exposed accounts. This isn't just about volume—look for temporal clustering, consistent timing patterns, or attempts against multiple exposed accounts in sequence.

Implement Targeted Controls: Not every user faces the same risk. Prioritize MFA enforcement and password resets for accounts that appear in multiple breaches or have administrative privileges. Consider implementing additional authentication requirements for high-risk accounts.

Build Detection Capabilities: Develop detection logic that correlates authentication events with breach exposure data. This needs to be automated and continuous—threat actors don't work business hours.

Address the Root Cause: Education about password reuse needs to be specific and ongoing. Show users their own breach exposure. Provide password managers and make them easy to use. Remove friction from secure behaviors.
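The "correlate", "targeted controls" and "build detection" steps above, together with the contextual questions from the previous section (is the account exposed, were there failed attempts before this success, is the source one the user has used before), fit into a single small detector. What follows is an added example in Python, my own rather than Command Zero's or any product's logic; the exposure table, the admin list, the sign-in events and the thresholds (two failures within thirty minutes) are constructed, and a real deployment would feed it from the IdP's sign-in logs and a breach-exposure lookup.

```python
# Added example (my code, not Command Zero's): the action plan's correlate,
# targeted-controls and detection steps over constructed data.
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed breach-exposure table (placeholder breach names) and admin list.
EXPOSURE = {
    "bob": ["BreachA-2023", "BreachB-2024", "StealerLogs-2025"],
    "carol": ["BreachA-2023"],
    "dave": [],
}
ADMINS = {"carol"}

# Constructed sign-in events: (time, user, source_ip, result).
EVENTS = [
    (ts("2025-11-01 09:00:00"), "bob", "198.51.100.50", "SUCCESS"),    # usual source
    (ts("2025-11-14 03:10:00"), "bob", "203.0.113.9", "FAILURE"),
    (ts("2025-11-14 03:11:00"), "bob", "203.0.113.9", "FAILURE"),
    (ts("2025-11-14 03:12:00"), "bob", "203.0.113.9", "SUCCESS"),      # exposed, new source
    (ts("2025-11-14 08:00:00"), "carol", "198.51.100.51", "FAILURE"),
    (ts("2025-11-14 08:01:00"), "carol", "198.51.100.51", "SUCCESS"),  # one typo, no alert
    (ts("2025-11-14 09:00:00"), "dave", "203.0.113.9", "FAILURE"),
    (ts("2025-11-14 09:01:00"), "dave", "203.0.113.9", "FAILURE"),
    (ts("2025-11-14 09:02:00"), "dave", "203.0.113.9", "SUCCESS"),     # not exposed, no alert
]


def prioritize(exposure, admins):
    """Targeted controls: accounts in multiple breaches or with admin rights
    get a password reset and MFA enforcement first."""
    tiers = {}
    for user, breaches in exposure.items():
        if len(breaches) >= 2 or user in admins:
            tiers[user] = "reset_password_and_enforce_mfa"
        elif breaches:
            tiers[user] = "monitor"
        else:
            tiers[user] = "baseline"
    return tiers


def success_after_failures(events, exposure, lookback=timedelta(minutes=30),
                           min_failures=2):
    """Detection: a success on a breach-exposed account preceded by at least
    `min_failures` failures within `lookback`. Severity rises when the
    successful source IP has never succeeded for that user before."""
    known_ips = defaultdict(set)        # sources with a prior success, per user
    recent_failures = defaultdict(list)
    alerts = []
    for t, user, ip, result in sorted(events):
        if result == "FAILURE":
            recent_failures[user].append((t, ip))
            continue
        window = [(ft, fip) for ft, fip in recent_failures[user]
                  if t - ft <= lookback]
        if exposure.get(user) and len(window) >= min_failures:
            new_source = ip not in known_ips[user]
            alerts.append({
                "user": user,
                "time": t,
                "ip": ip,
                "prior_failures": len(window),
                "failure_ips": sorted({fip for _, fip in window}),
                "new_source": new_source,
                "severity": "high" if new_source else "medium",
            })
        known_ips[user].add(ip)
        recent_failures[user] = []      # a success closes the failure run
    return alerts


if __name__ == "__main__":
    print(prioritize(EXPOSURE, ADMINS))
    for alert in success_after_failures(EVENTS, EXPOSURE):
        print(alert)
```

On the sample data the detector raises one high-severity alert: bob, exposed in three breaches, succeeded from 203.0.113.9 after two failures from that address, and that source had never succeeded for him before. Carol's single mistype produces nothing, and dave produces nothing because he is not in the exposure table even though the same source IP hit him. That last gap is intentional in the example and is the reason the alert should be followed by an IP pivot across all accounts rather than treated as a verdict on one user.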

The Strategic Reality

As we continue to see credential theft scale to unprecedented levels, the gap between "this shouldn't work" and "this absolutely works" is a vulnerability that threat actors will continue to exploit. The sophistication of attacks isn't always increasing—what's increasing is the volume of compromised credentials available to attackers and their willingness to simply try the obvious approach.

During my time as a contractor doing red teaming and penetration testing, the joke was that social engineering and password reuse were "easy mode." Two decades later, they're still easy mode—but the stakes are dramatically higher and the scale is vastly larger.

The good news is that credential-based attacks leave evidence. Failed logins are logged. Authentication patterns can be analyzed. Breach exposure can be identified. What's needed is the capability to connect these data points into actionable intelligence that empowers your security team to identify and respond to threats before they become incidents.

That financial services customer I started this article discussing? They're no longer wondering why they're seeing failed logins. They understand that those failed attempts represent active threat actor reconnaissance against their organization. They have the investigative capabilities to respond appropriately. And they've built credential exposure analysis into their routine threat hunting workflow.

Your organization deserves the same capability. Because in a world with 80 billion compromised credentials, the question isn't whether your users appear in breach databases—it's whether you know which ones do and what you're doing about it.

Eric Hulse
Director of Security Research
