Most people picture a hacker hammering away at one login screen, guessing password after password. That’s not how it usually goes anymore.
While running routine threat hunting on a client’s Sophos Firewall logs, our SOC team caught something different: a wave of failed login attempts hitting the VPN portal from IP addresses scattered across Egypt, India, Ireland, and the US — each one trying a different, random username. No single account was being hammered. Instead, attackers were working through a huge list of usernames, trying one password (or a small handful) against each before moving to the next.
That’s password spraying, and it’s built to slip past the defenses that stop old-school brute force. Lock an account after five failed logins? Spraying never fails five times on the same account — it just moves on. Rate-limit one IP? The traffic is already spread across dozens of them.
What the logs showed:
- Failed authentication attempts against the VPN portal, seconds apart, from random usernames
- Source IPs previously flagged over 100 times for brute-force and unauthorized SSL VPN activity
- No successful logins during the observed campaign
One of the source IPs flagged in this campaign had already been reported over 100 times across nearly two dozen threat intelligence sources for brute-force and unauthorized SSL VPN login attempts — a known repeat offender, not a one-off.
Why it didn’t get further
The portal was protected by MFA — so even a correctly guessed password wouldn’t have been enough to get in. That single control was the difference between “attempted” and “breached.”
What happened next
The response didn’t stop at watching the logs. The team tightened remote access itself: VPN access was pulled off the open internet and restricted to trusted networks only, cutting off the attack surface the spray was aimed at in the first place. Geo-based access rules were also evaluated — though the team was candid that geo-blocking alone offers limited protection, since attackers routinely route through servers anywhere in the world.
The takeaway for every organisation running a VPN portal:
- MFA isn’t optional. It’s the control that actually stops credential-based attacks from becoming breaches.
- Don’t expose more than you need to. If your VPN portal doesn’t need to face the open internet, it shouldn’t.
- Watch the pattern, not just the failure count. One failed login means nothing. Hundreds of failed logins across random usernames and scattered IPs is a campaign — and it needs threat hunting eyes to catch it, not just an alert threshold.
Password spraying is quiet, patient, and built to blend in. Catching it takes visibility into your authentication logs — and knowing what a coordinated attack looks like versus normal login noise.
Want to know if your VPN portal is exposed the same way? Reach out to our team at enquiry@internetnow.com.my or chat with us directly via WhatsApp at (+6016-2620 853).



