Password spraying tries a few common passwords (Password1, Summer2024!) against many accounts — avoiding account lockout by staying under the threshold per account.
Defense: MFA (makes sprayed passwords useless), breached password detection, behavioral monitoring (multiple accounts with failed logins from the same source), mandatory complex passwords. Spray attacks often succeed because users pick predictable passwords.
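The behavioral-monitoring signal described above (failed logins against many accounts from one source, each account staying under the lockout threshold) can be checked as follows. This is an added example, not part of the original text; the event layout, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, account, outcome).
# IPs come from documentation ranges; account names are made up.
EVENTS = (
    # One source, six accounts, one failure each: the spray pattern.
    [(f"2024-06-03T09:0{i}:00", "203.0.113.7", user, "FAIL")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One source hammering one account: lockout handles this, not a spray.
    + [(f"2024-06-03T09:10:0{i}", "198.51.100.20", "alice", "FAIL") for i in range(6)]
    # Ordinary typo followed by a successful login.
    + [("2024-06-03T09:15:00", "192.0.2.15", "bob", "FAIL"),
       ("2024-06-03T09:15:20", "192.0.2.15", "bob", "OK")]
)

def detect_spray(events, window_minutes=30, min_accounts=5):
    """Flag sources whose failed logins touch >= min_accounts distinct
    accounts inside one sliding time window. Per-account lockout counters
    never see this, because each account has only a few failures."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((datetime.fromisoformat(ts), user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start, best = 0, Counter()
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            seen = Counter(user for _, user in fails[start:end + 1])
            if len(seen) > len(best):
                best = seen  # keep the window with the most distinct accounts
        if len(best) >= min_accounts:
            hits[src] = {"accounts": sorted(best),
                         "max_per_account": max(best.values())}
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(src, info)
```

A low `max_per_account` next to a high account count is what separates a spray from single-account guessing; tune both thresholds to the environment, since shared NAT or proxy addresses raise the baseline.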