SAT1007

App spraying

Initial Access

Summary

An adversary may attempt to authenticate to a SaaS account by guessing a large number of passwords. However, many apps limit the rate or number of passwords that can be guessed. If the adversary assumes a user reuses passwords across SaaS apps, the set of passwords to be guessed can be split between all the apps the user has accounts for, circumventing the rate limits of any one SaaS app.

This can be particularly effective against heavy SaaS users as it allows an adversary to spread the attack across a large number of SaaS apps.
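One way a defender can look for this, as an added example that is not part of the original page: collect failed-login events from every SaaS app into one stream and alert when a user's failures summed across apps cross a threshold while no single app has crossed its own limit, which is exactly the case a per-app rate limit cannot see. The event format, thresholds and sample events below are constructed for this example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events, as if gathered from several
# SaaS apps' audit logs into one place. Each tuple: (ISO timestamp, app, user).
FAILED_LOGINS = [
    # alice: two failures on each of three apps within ten minutes (spray)
    ("2024-05-01T10:00:00", "app-a", "alice@example.com"),
    ("2024-05-01T10:01:00", "app-b", "alice@example.com"),
    ("2024-05-01T10:02:00", "app-c", "alice@example.com"),
    ("2024-05-01T10:03:00", "app-a", "alice@example.com"),
    ("2024-05-01T10:04:00", "app-b", "alice@example.com"),
    ("2024-05-01T10:05:00", "app-c", "alice@example.com"),
    # bob: five failures against one app; that app's own lockout would trip
    ("2024-05-01T10:00:00", "app-a", "bob@example.com"),
    ("2024-05-01T10:01:00", "app-a", "bob@example.com"),
    ("2024-05-01T10:02:00", "app-a", "bob@example.com"),
    ("2024-05-01T10:03:00", "app-a", "bob@example.com"),
    ("2024-05-01T10:04:00", "app-a", "bob@example.com"),
    # carol: two typos half an hour apart, nothing to flag
    ("2024-05-01T10:00:00", "app-a", "carol@example.com"),
    ("2024-05-01T10:30:00", "app-b", "carol@example.com"),
]

def detect_app_spraying(events, window=timedelta(minutes=10),
                        per_app_limit=5, cross_app_limit=5):
    """Flag users whose failed logins, summed across apps in a sliding window,
    reach cross_app_limit while no single app reaches per_app_limit.
    Thresholds are hypothetical. Returns {user: sorted list of apps hit}."""
    by_user = defaultdict(list)
    for ts, app, user in events:
        by_user[user].append((datetime.fromisoformat(ts), app))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        in_window = deque()   # events still inside the sliding window
        per_app = Counter()   # failures per app inside the window
        for ts, app in rows:
            in_window.append((ts, app))
            per_app[app] += 1
            # expire events older than the window before evaluating
            while in_window and ts - in_window[0][0] > window:
                _, old_app = in_window.popleft()
                per_app[old_app] -= 1
            total = sum(per_app.values())
            if total >= cross_app_limit and max(per_app.values()) < per_app_limit:
                flagged[user] = sorted(a for a, n in per_app.items() if n > 0)
    return flagged
```

Running `detect_app_spraying(FAILED_LOGINS)` flags only alice, since bob's activity is concentrated on one app and is the per-app lockout's job to catch.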