Massive Spike in Password Attacks Targeting Cisco ASA VPN Followed by Microsoft 365
Password spray attacks against enterprise authentication infrastructure surged in Q1 2025: Cisco ASA VPN systems saw a 399% increase in attacks, while Microsoft 365 authentication services saw a 21% rise in the same kind of activity.
The figures point to a shift in threat actor targeting: cloud authentication services remain under attack, but attackers are increasingly turning to traditional corporate VPN infrastructure.
Key Takeaways
1. Cisco ASA VPN attacks spiked 399% and Microsoft 365 attacks rose 21% in Q1 2025.
2. Attackers try a few common passwords against many usernames, staying below per-account lockout thresholds.
3. Healthcare leads targeted sectors, with the US as primary geographic target.
4. Attacks come from distributed botnet and proxy infrastructure, making attribution difficult, and VPN systems often lack the spray detection that cloud providers offer.
The research, conducted from October 2024 to March 2025, demonstrates how attackers are adapting their methodologies to exploit vulnerable authentication mechanisms across various platforms.
Password Spray Attacks Targeting Cisco ASA VPNs
Password spraying is a low-and-slow variant of brute forcing, typically launched from globally distributed IP addresses via botnets and proxy services, which makes attribution highly challenging for security teams.
Unlike a traditional brute-force attack, which hammers a single account with many passwords, a password spray tries a handful of common passwords against a large set of usernames, so no single account accumulates enough failures to trigger lockout or per-account failed-login alerting.
According to the latest Trellix Threat Report, a 399% spike in Cisco ASA VPN attacks signals a strategic shift by threat actors toward targeting traditional network infrastructure.
Security experts attribute this dramatic increase to the relatively limited monitoring capabilities of VPN systems compared to cloud service providers.
“Cloud service providers like Microsoft 365 offer sophisticated brute force and password spray detection capabilities, while VPN systems may not have such robust monitoring systems,” the Trellix report notes.
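As an added example (not code from the article or from Trellix), the following Python script shows both halves of the point made above: why a per-account lockout policy never fires against a spray, and what a spray-aware detector has to aggregate instead. The syslog lines are constructed for illustration, modelled on the Cisco ASA %ASA-6-113005 (remote AAA server) and %ASA-6-113015 (local database) authentication-rejection message formats; the field order, the thresholds and the window sizes are assumptions to be checked against your own ASA version and tuned per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real telemetry). First five lines: a classic
# brute force against one account. Next eight: a spray, one failure per user,
# spread across four source IPs. Last line: an unrelated success, to be ignored.
SAMPLE_SYSLOG = """\
Mar 03 2025 02:10:01 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.9
Mar 03 2025 02:10:04 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.9
Mar 03 2025 02:10:07 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.9
Mar 03 2025 02:10:11 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.9
Mar 03 2025 02:10:15 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.9
Mar 03 2025 03:00:02 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
Mar 03 2025 03:00:41 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = mlopez : user IP = 198.51.100.7
Mar 03 2025 03:01:19 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = achen : user IP = 192.0.2.44
Mar 03 2025 03:02:03 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = rkumar : user IP = 192.0.2.44
Mar 03 2025 03:02:50 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = tnguyen : user IP = 203.0.113.120
Mar 03 2025 03:03:37 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = pokafor : user IP = 203.0.113.120
Mar 03 2025 03:04:12 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dmueller : user IP = 198.51.100.200
Mar 03 2025 03:04:58 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = sivanov : user IP = 198.51.100.200
Mar 03 2025 03:05:30 asa-edge %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = hr-portal
"""

# Assumed layout of the 113005/113015 rejection messages; verify against your ASA.
REJECT_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-(?:113005|113015): "
    r"AAA user authentication Rejected .*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_rejections(syslog_text):
    """Return sorted (timestamp, user, source_ip) tuples for every AAA rejection."""
    events = []
    for line in syslog_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def accounts_hitting_lockout(events, threshold=5, window=timedelta(minutes=15)):
    """The per-account view an account-lockout policy takes: a user is 'locked'
    once it collects `threshold` failures inside `window`. A spray keeps every
    account below this line, so this check only catches the brute force."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    locked = set()
    for user, times in by_user.items():
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                locked.add(user)
                break
    return locked


def detect_spray(events, window=timedelta(minutes=10), min_users=6, max_per_user=2):
    """The cross-account view: a sliding window over ALL rejections, regardless
    of user or source IP. Alert when many distinct accounts fail while no single
    account fails more than `max_per_user` times, which is the spray signature.
    Overlapping hits are merged into one alert per burst."""
    alerts = []
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        chunk = events[start:end + 1]
        per_user = Counter(user for _, user, _ in chunk)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            first_ts = events[start][0]
            ips = {ip for _, _, ip in chunk}
            if alerts and first_ts - alerts[-1]["start"] <= window:
                alerts[-1]["users"] = max(alerts[-1]["users"], len(per_user))
                alerts[-1]["ips"] = max(alerts[-1]["ips"], len(ips))
            else:
                alerts.append({"start": first_ts, "users": len(per_user), "ips": len(ips)})
    return alerts


def summarize(syslog_text):
    events = parse_rejections(syslog_text)
    return {
        "rejections": len(events),
        "lockouts": sorted(accounts_hitting_lockout(events)),
        "spray_alerts": detect_spray(events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

Run against the sample, the lockout check flags only `admin`, while the spray of eight accounts from four source IPs produces a single alert that the lockout logic never sees. The same aggregation (distinct failing accounts per window, independent of source address) is what a SIEM rule over ASA syslog or over Microsoft 365 sign-in logs needs; counting by source IP alone is defeated by the proxy distribution the report describes.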
Trellix telemetry data indicates that healthcare organizations topped the list of targeted sectors, followed by energy, insurance, retail, and education.
The geographic distribution shows the United States leading as the primary target, with Canada, Brazil, Australia, and Argentina also experiencing significant attack volumes.
Advanced Tactics, Techniques, and Procedures (TTPs)
The research reveals that these password spray campaigns employ TTPs designed to maximize success while minimizing detection risks.
Threat actors exploit weak password policies and partial Multi-Factor Authentication (MFA) deployments, particularly targeting organizations with inconsistent security implementations.
The attacks also show more deliberate targeting: the number of organizations hit by Microsoft 365 authentication attacks fell 25%, even as total attack volume rose 21%, meaning fewer organizations were attacked, each more intensively.
This pattern suggests threat actors are conducting reconnaissance to obtain comprehensive username lists for specific organizations, either through data breaches or by inferring usernames through employee enumeration techniques.
The attribution challenge is compounded by the use of distributed attack infrastructure, including compromised systems and commercial proxy services, making it difficult for security teams to trace attacks back to their original sources.
The report specifically references the Midnight Blizzard threat group’s successful use of password spray techniques to compromise Microsoft’s corporate email accounts, highlighting the effectiveness of these methodologies against high-value targets.
Interestingly, while Cisco ASA VPN and Microsoft 365 systems experienced increases in attack volume, Okta authentication services saw a sharp decrease in targeting.
Security analysts suggest this shift may indicate either improved defensive measures by Okta or a strategic pivot by threat actors toward platforms with perceived weaker security implementations.
The report emphasizes that these attacks represent a high return on investment for cybercriminals due to their low risk of detection and attribution difficulties.
Organizations are advised to implement comprehensive MFA deployment, strengthen password policies, enhance monitoring of authentication systems, and deploy advanced brute-force detection capabilities to mitigate these evolving threats.