Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors

Microsoft SQL: The Microsoft logo against a white background out of focus, with the silhouette of a hand holding a padlock to the left of frame in focus.
(Image credit: Getty Images)

Malware attacks using Microsoft SQL (MSSQL) Server as an intrusion vector have risen sharply in the last six months, as experts report hackers moving away from blocked methods.

Researchers at cyber security firm ESET revealed the absolute count of MSSQL attacks increased by 84% between H2 2022 and H1 2023. 

The rise in attacks utilizing the vector was linked to Microsoft’s landmark move to block Virtual Basic for Applications (VBA) macros in Office documents by default last year.

Cyber security professionals had been calling for stricter default controls for VBA macros for years before Microsoft finally implemented the changes.

Exploiting VBA macros in Office documents was historically one of the most popular methods of embedding malware in seemingly innocuous files which were downloaded as part of phishing campaigns.

Shortly after this avenue of attack was blocked off, researchers recorded a clear rise in the number of attacks using OneNote as a vector instead. 

Cyber criminals behind malware such as Emotet exploited .one files to trick users into running malicious scripts, moving on from their own abuse of VBA macros.

In its report, ESET said Microsoft’s blocking of VBA macros and its efforts to shore up the security of OneNote means that “cyber criminals may be looking at MSSQL and other intrusion vectors more closely” for the future.

MSSQL is a widely-used solution for regional database management, and when exposed to the internet can be a tempting target for hackers. 


Whitepaper from Mimecast about cyber risk as business risk

(Image credit: Mimecast)

The board's evolving perceptions of cyber risk

78 global CISOs share their advice on how to communicate cyber risk as business risk to C-suite peers and their board.


Internet-accessible MSSQL servers can be accessed via port 1433, which leaves the door open for ‘brute force’ password-guessing attempts by threat actors.

ESET noted that firms with weak passwords or improperly-managed servers are at particular risk, and cited an AhnLab report from April which examined a case of ransomware installed on MSSQL servers as a result of easily-guessed credentials.

In all, telemetry data showed 1.7 billion failed password-guessing attempts against MSSQL between December 2022 and May 2023.

Even as threat actors have increased attacks against MSSQL, researchers noted reduced brute-force attempts on other commonly-used attack vectors. 

Attacks on Remote Desktop Protocol (RDP), which allows users to view and control desktops remotely and has been exploited for malware such as RDStealer, fell 22% from 17.9 billion to 15.8 billion across the period.

Brute-force attacks are among the top password-cracking techniques hackers use, and rely on businesses to employ poor strategies around their credentials such as allowing employees to re-use passwords or not enforcing complexity controls.

“With the rise of brute-force attacks against MSSQL, database admins should be reminded of the security benefits of Windows Authentication mode over mixed mode when setting up the database engine,” said Ladislav Janko, senior detection engineer at ESET.

“In Windows Authentication mode, SQL Server Authentication is disabled, compelling database users to connect through their Windows user account, which can be protected with an account lockout policy that effectively stops brute force attacks from progressing.

“If you can’t avoid using mixed mode, make sure passwords are strong and put the database behind a firewall or VPN, if possible.”

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at or on LinkedIn.