Petra Security

New Password Spray Campaign Using Residential Proxies

A stealthy password spray campaign is using Virginia-based residential proxies. Here's what we're seeing and how to block it.

Adithya Vellal·July 21, 2025

We previously investigated a widespread, stealthy password spray campaign originating from a data center in Mexico. Now we're tracking a newer variant that's even stealthier.

Campaign Snapshot

First observed: May 30, 2025. The malicious login attempts originate from IP clusters in Ashburn, Virginia.

  • 154.206.240.0/20 (AS3257 GTT Communications Inc.)
  • 154.208.64.0/21 (AS3257 GTT Communications Inc.)
  • 154.208.112.0/21 (AS3257 GTT Communications Inc.)

All requests use an outdated user agent: microsoft office + android 9.0.0 + chrome 110.0.5481.

Chart of password spray campaign activity over time across the tracked IP clusters.

How to Block these IP Ranges

We recommend blocking the malicious IP ranges explicitly (hardcoded) rather than relying on geolocation: these addresses geolocate to Ashburn, Virginia, so a country-based rule will not stop them.

Quick copy-paste: 154.206.240.0/20,154.208.64.0/21,154.208.112.0/21

The Rise of Residential Proxies

While these IPs aren't flagged as VPNs by most providers, investigation reveals they belong to the SOAX_PROXY network. SOAX aggregates traffic from consumer devices through embedded SDKs, then leases bandwidth to customers. This means:

  • Requests appear from residential or mobile ISPs instead of data centers.
  • IP reputation appears normal.
  • User-agent strings frequently show outdated mobile fingerprints.

Attackers are increasingly using residential proxies to evade detection. This trend stems from massive demand for web scraping to fuel AI models, which has reduced residential proxy costs significantly.

Takeaway: Stealth is the Name of the Game

Residential proxies represent only part of the strategy. This campaign demonstrates careful evasion design:

  • Approximately 90% of targeted users experience fewer than 10 attempts monthly.
  • Most organizations see light, distributed probing (under 50 total users targeted).
  • Individual failures resemble typical typos unless attack patterns are monitored across tenants.

Organizations managing Microsoft 365 environments should block the identified IP ranges and consider adaptive detections to stay ahead of these rapidly evolving attacks.
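As an added example (not Petra's code), the following Python checks sign-in events against the three published ranges and the campaign user agent, and counts per-user failures from those ranges to surface the low-and-slow pattern described above. The event field names and the sample events are constructed for illustration; real M365 sign-in logs will need a small mapping step.

```python
import ipaddress
from collections import Counter

# IP ranges and user-agent string as published in this post
CAMPAIGN_RANGES = [ipaddress.ip_network(c) for c in (
    "154.206.240.0/20", "154.208.64.0/21", "154.208.112.0/21")]
CAMPAIGN_USER_AGENT = "microsoft office + android 9.0.0 + chrome 110.0.5481"

# Constructed sample sign-in events (not real log data); field names are assumed.
# 154.208.72.9 sits just outside 154.208.64.0/21, so it only matches on the UA.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "154.206.241.17", "ua": CAMPAIGN_USER_AGENT, "result": "failure"},
    {"user": "bob@example.com",   "ip": "154.208.70.5",   "ua": CAMPAIGN_USER_AGENT, "result": "failure"},
    {"user": "carol@example.com", "ip": "154.208.119.200", "ua": CAMPAIGN_USER_AGENT, "result": "failure"},
    {"user": "alice@example.com", "ip": "203.0.113.8",    "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "success"},
    {"user": "dave@example.com",  "ip": "154.208.72.9",   "ua": CAMPAIGN_USER_AGENT, "result": "failure"},
]


def in_campaign_ranges(ip: str) -> bool:
    """True if the address falls inside one of the three published CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPAIGN_RANGES)


def classify(event: dict) -> str:
    """'block' for the published ranges, 'watch' if only the outdated UA matches, else 'ok'."""
    if in_campaign_ranges(event["ip"]):
        return "block"
    if event["ua"].lower() == CAMPAIGN_USER_AGENT:
        return "watch"
    return "ok"


def spray_summary(events) -> dict:
    """Failed logins from the campaign ranges per user.

    Single-digit counts per user are the expected shape of this campaign, so
    the signal is the number of distinct users hit, not the volume per user.
    """
    counts = Counter()
    for e in events:
        if e["result"] == "failure" and in_campaign_ranges(e["ip"]):
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), e["user"], e["ip"])
    summary = spray_summary(SAMPLE_EVENTS)
    print(f"{len(summary)} users targeted from campaign ranges: {summary}")
```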

See what's in your last six months of logs.

Run six months of M365 logs through Petra and get insurance-grade forensics within 48 hours. Five minutes to set up with no sales call.