Browse docs

Features

Identity Signals Against Password Spraying and Credential Attacks

How repeated failed cloud logins can be used as a cautious additional signal, and why NAT, VPNs, and shared IPs require special care.

Last updated: June 26, 2026

On this page

Attacks against identities are among the most common patterns in daily IT operations. Password spraying, credential stuffing, and automated login attempts against cloud accounts generate signals that can also be relevant for a perimeter feed.

Cybora can consider repeated failed cloud logins as an additional signal when the same source appears across multiple independent environments. This signal is valuable, but sensitive. A single failed login is noise; the same source across multiple independent environments can be a campaign pattern.

Why identity signals can be strong

A single failed login is not yet a reliable indicator. Repeated failed attempts from the same infrastructure across multiple customer environments can, however, point to automated attacks.

Typical patterns include:

  • password spraying against many accounts
  • credential stuffing attempts with known leaks
  • login attempts from suspicious infrastructure
  • repeated hits across independent environments

When such signals overlap with other sources or behavior patterns, they can increase the confidence of an indicator.

From single event to campaign pattern

The difference lies in repetition and independence. A failed login in one tenant can have many harmless causes. But if the same source produces similar failed login patterns across multiple independent environments, a local event becomes a stronger signal.

This logic helps separate password spraying and credential stuffing from normal user mistakes. It does not replace collateral-damage assessment, because login sources can often run through NAT, proxies, VPNs, or provider infrastructure.

Why special caution is required

Identity signals carry high collateral-damage risk. An IP may belong to a VPN service, a mobile provider, a large NAT gateway, a proxy, or a legitimate travel connection. Overly aggressive handling could affect real users.

Cybora should therefore treat such signals conservatively:

  • multiple independent environments instead of one-off events
  • repeated behavior instead of a single failed attempt
  • additional evidence from other sources
  • cautious evaluation of VPNs, proxies, and shared IPs
  • no public disclosure of internal thresholds

Role in the feed

Identity signals are one building block in signal correlation, not the sole reason for blocking. They can strengthen an indicator when additional evidence exists. For unclear or collateral-damage-heavy infrastructure, restraint remains more important than maximum coverage.