High Number of Failed Office 365 Logins from Single Source
The analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address, potentially indicating brute-force or password spraying attacks.
This analytic identifies a high volume of failed login attempts originating from a single source IP address targeting Office 365 accounts. The activity is monitored using Office 365 management activity logs, specifically AzureActiveDirectoryStsLogon records. By aggregating these logs in 5-minute intervals, the analytic counts failed login attempts and triggers when the count exceeds a defined threshold. This behavior is significant as it commonly indicates brute-force attacks or password spraying, which are methods used by attackers to compromise accounts. Successful attacks can lead to data breaches, lateral movement, and further malicious activities. The initial Splunk ES-CU detection was published on 2026-04-17, version 11.
Attack Chain
- The attacker identifies potential target Office 365 accounts.
- The attacker initiates a password spraying or brute-force attack against the identified accounts, using a single source IP address.
- The UserLoginFailed events are logged within the Office 365 management activity logs as AzureActiveDirectoryStsLogon records.
- Splunk ingests the Office 365 management activity events using the Splunk Microsoft Office 365 Add-on.
- The analytic aggregates the failed login attempts by source IP address within 5-minute intervals.
- If the number of failed attempts from a single IP exceeds the defined threshold (e.g., 10), a detection event is triggered.
- The attacker gains unauthorized access to a compromised Office 365 account.
- The attacker uses the compromised account for data exfiltration, lateral movement, or further malicious activities.
Impact
A successful password spraying or brute-force attack can lead to the compromise of Office 365 accounts. This can result in data breaches, unauthorized access to sensitive information, and potential financial loss. The compromise of even a single account can provide attackers with a foothold for lateral movement within the organization, potentially impacting a wider range of systems and data. The CISA alert AA21-008A highlights the risks of password spraying and emphasizes the importance of monitoring for this type of activity.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect high numbers of login failures from a single source and tune the threshold based on your environment to minimize false positives.
- Enable and monitor Office 365 management activity logs, specifically AzureActiveDirectoryStsLogon records (
o365_management_activity) to ensure the data source for the detection is available. - Investigate any alerts generated by this rule, focusing on the source IP address (
src_ip) and the affected user accounts (user) to determine if the activity is malicious. - Implement multi-factor authentication (MFA) for all Office 365 accounts to mitigate the risk of successful password-based attacks, as referenced in the MITRE ATT&CK technique T1110.001.
Detection coverage 1
Office 365 Failed Login Followed by Successful Login from Same IP
mediumDetects a failed login attempt followed by a successful login from the same IP within a short timeframe, which could indicate a successful password spray attack.
Detection queries are available on the platform. Get full rules →