
Brute force attacks lack glamour. They involve no clever exploitation, no zero-days, no carefully crafted payloads. An attacker simply tries credentials repeatedly until something works. For an attack technique that has been understood for decades, brute force has demonstrated remarkable staying power.
Modern Brute Force Looks Different
The cliché image of brute force, hammering a single account with thousands of password attempts, has largely given way to subtler variants. Password spraying tries one or two common passwords against many accounts, avoiding lockouts that would trigger on any single account. Credential stuffing reuses combinations leaked from other breaches.
Common Targets
Public-facing authentication portals attract continuous brute force traffic. Microsoft 365 sign-in endpoints, VPN concentrators, remote desktop gateways, mail servers, and any SaaS application with leaked credentials all see sustained pressure. The attack rate against typical UK businesses runs into thousands of attempts per day, most of them automated.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“Almost every organisation I assess has at least one authentication endpoint without proper rate limiting, often on a legacy service that everyone forgot was still running. The fix is straightforward, but only after the endpoint has been identified.”
Multi-Factor Authentication Helps But Is Not Magic

MFA blocks most simple brute force success cases by requiring something beyond a password. The protection is real, but it has limits. Attacks that bypass MFA through token theft, MFA fatigue prompts, SIM swapping, or social engineering have all featured prominently in recent years.
Account Lockout Versus Rate Limiting
Account lockout policies are a blunt instrument that can be turned against you. An attacker who knows valid usernames can lock out every account in your environment, denying service to legitimate users. Rate limiting, applied per source IP and per account, blocks attacks without producing the same denial-of-service vulnerability.
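The contrast drawn above, worked through as an added example that is not part of the original article: a sliding-window limiter keyed on both source IP and account, beside a classic lockout policy that locks an account after N failures until an administrator resets it. The thresholds (20 failures per IP per 10 minutes, 5 per account per minute, lockout after 5), the IP addresses and the account names are constructed for illustration and are not values from the article.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts failed attempts per key inside a rolling window.

    Entries age out on their own, so a key that was throttled becomes
    usable again once the window passes; nothing needs a manual reset.
    """

    def __init__(self, max_failures, window_seconds):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, key, now):
        return len(self._prune(key, now)) < self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now).append(now)


class AuthThrottle:
    """Rate limiting applied per source IP and per account (assumed thresholds)."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(max_failures=20, window_seconds=600)
        self.per_account = SlidingWindowLimiter(max_failures=5, window_seconds=60)

    def attempt(self, ip, user, password_ok, now):
        """Return 'throttled', 'allowed' or 'denied' for one login attempt."""
        if not self.per_ip.allowed(ip, now) or not self.per_account.allowed(user, now):
            return "throttled"
        if password_ok:
            return "allowed"
        # Only failures count towards the limits; successes are free.
        self.per_ip.record_failure(ip, now)
        self.per_account.record_failure(user, now)
        return "denied"


class LockoutPolicy:
    """Classic lockout: threshold failures lock the account until an admin resets it."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, ip, user, password_ok, now):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "denied"


def simulate_targeted_account(policy):
    """Five bad guesses at 'alice' from one IP, then alice signs in from her own IP.

    Returns the outcome of her sign-in right after the burst and again two
    minutes later. Addresses and timings are constructed.
    """
    attacker_ip, alice_ip = "203.0.113.5", "192.0.2.10"
    for t in range(5):
        policy.attempt(attacker_ip, "alice", False, now=t)
    immediately = policy.attempt(alice_ip, "alice", True, now=6)
    later = policy.attempt(alice_ip, "alice", True, now=120)
    return immediately, later


def simulate_spray(policy):
    """One guess each against 30 accounts from a single IP; returns outcome counts."""
    outcomes = defaultdict(int)
    for i in range(30):
        outcomes[policy.attempt("203.0.113.5", f"user{i:02d}", False, now=i)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    for name, factory in (("rate limiting", AuthThrottle), ("lockout", LockoutPolicy)):
        print(name, simulate_targeted_account(factory()), simulate_spray(factory()))
```

Two things fall out of the simulation. Under lockout, alice stays locked after the burst until someone resets her account, which is exactly the denial-of-service lever the article describes; under rate limiting she is throttled only until the one-minute window expires. And the spray, a single guess per account, never trips a per-account lockout at all, whereas the per-IP limit starts throttling the source after its 20th failure.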
Visibility Into Brute Force Activity
Authentication logs, ingested into a SIEM and monitored for unusual patterns, catch brute force attempts in progress. Watch for elevated failure rates from single sources, distributed failures across many accounts, and successful authentications immediately following bursts of failures.
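The three patterns listed above, implemented as detection logic over a handful of authentication log lines. This is an added example, not code from the article or from Aardwolf Security; the log format (timestamp, outcome, user, source IP), the sample lines and the thresholds are all constructed for illustration, and a real SIEM rule would read the equivalent fields from its own event schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log: a six-guess burst on alice that ends in a success,
# a one-guess-per-account spray from ten different addresses, and a user
# who mistypes once and then signs in. Not taken from any real system.
SAMPLE_LOG = """
2024-05-01T09:00:00Z FAIL alice 203.0.113.5
2024-05-01T09:00:05Z FAIL alice 203.0.113.5
2024-05-01T09:00:10Z FAIL alice 203.0.113.5
2024-05-01T09:00:15Z FAIL alice 203.0.113.5
2024-05-01T09:00:20Z FAIL alice 203.0.113.5
2024-05-01T09:00:25Z FAIL alice 203.0.113.5
2024-05-01T09:00:30Z SUCCESS alice 203.0.113.5
2024-05-01T09:30:00Z FAIL bob 198.51.100.1
2024-05-01T09:30:10Z FAIL carol 198.51.100.2
2024-05-01T09:30:20Z FAIL dan 198.51.100.3
2024-05-01T09:30:30Z FAIL erin 198.51.100.4
2024-05-01T09:30:40Z FAIL frank 198.51.100.5
2024-05-01T09:30:50Z FAIL grace 198.51.100.6
2024-05-01T09:31:00Z FAIL heidi 198.51.100.7
2024-05-01T09:31:10Z FAIL ivan 198.51.100.8
2024-05-01T09:31:20Z FAIL judy 198.51.100.9
2024-05-01T09:31:30Z FAIL oscar 198.51.100.10
2024-05-01T10:00:00Z FAIL dave 192.0.2.9
2024-05-01T10:00:05Z SUCCESS dave 192.0.2.9
"""


class AuthEvent(NamedTuple):
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text):
    """Parse the constructed format into time-ordered AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                outcome == "SUCCESS", user, src))
    return sorted(events, key=lambda e: e.ts)


def single_source_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failures inside one rolling window."""
    flagged, recent = set(), defaultdict(deque)
    for e in events:
        if e.ok:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e.src)
    return flagged


def password_spray(events, min_accounts=8, window=timedelta(minutes=10)):
    """Source IPs taking part when one window holds failures on >= min_accounts distinct accounts.

    Keyed on account count rather than on source, so a spray spread across
    many addresses (one guess per address) is still caught.
    """
    failures = [e for e in events if not e.ok]
    flagged = set()
    for i, start in enumerate(failures):
        in_window = [e for e in failures[i:] if e.ts - start.ts <= window]
        if len({e.user for e in in_window}) >= min_accounts:
            flagged.update(e.src for e in in_window)
    return flagged


def success_after_burst(events, min_failures=3, window=timedelta(minutes=5)):
    """Accounts whose success follows >= min_failures failures on that account in `window`."""
    flagged, recent = set(), defaultdict(deque)
    for e in events:
        q = recent[e.user]
        while q and e.ts - q[0] > window:
            q.popleft()
        if e.ok:
            if len(q) >= min_failures:
                flagged.add(e.user)
            q.clear()  # a success ends the burst being tracked
        else:
            q.append(e.ts)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source bursts:", single_source_failures(evs))
    print("spray sources:", sorted(password_spray(evs)))
    print("success after burst:", success_after_burst(evs))
```

On the sample, the first detector names only 203.0.113.5, the spray detector names the ten 198.51.100.x addresses even though each sent a single failure, and the third flags alice but not dave, whose single mistyped password followed by a success is ordinary user behaviour. Thresholds need tuning to each environment's baseline; the point is that the three signals are independent, and a source that trips none of the first two can still be caught by the third.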
Practical Hardening
Enforce MFA everywhere, prefer phish-resistant methods for privileged accounts, implement rate limiting on all authentication endpoints, and monitor for the patterns above. Run periodic vulnerability scanning services that include authentication endpoint testing as part of the standard scope.