{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/brute_force/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Entra ID"],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","credential_access","brute_force"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a surge in failed Microsoft Entra ID sign-in attempts (error code 50053) due to account lockouts, suggesting potential brute-force attacks. Attackers often employ password spraying, credential stuffing, or automated guessing to compromise accounts. This detection uses a threshold-based approach to identify coordinated campaigns targeting multiple users. The Entra ID Smart Lockout feature triggers error code 50053, utilizing IP-based tracking to differentiate between \u0026ldquo;familiar\u0026rdquo; and \u0026ldquo;unfamiliar\u0026rdquo; locations, with lockouts primarily originating from unfamiliar IPs. 
Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain access to Entra ID accounts using compromised or guessed credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Spraying/Credential Stuffing:\u003c/strong\u003e The attacker performs password spraying attacks by attempting common passwords across multiple accounts, or credential stuffing attacks by using lists of breached credentials obtained from other sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Failure:\u003c/strong\u003e The sign-in attempts fail due to incorrect credentials, resulting in authentication failure events in Entra ID sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSmart Lockout Triggered:\u003c/strong\u003e Entra ID\u0026rsquo;s Smart Lockout feature detects the repeated failed sign-in attempts from unfamiliar IPs, triggering account lockouts and generating error code 50053.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout:\u003c/strong\u003e The target user accounts are locked out, preventing legitimate users from accessing their accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Enumeration:\u003c/strong\u003e Prior to the lockouts, the attacker may perform username enumeration, resulting in error code 50034 (user not found) in the sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass Attempt (if applicable):\u003c/strong\u003e If MFA is not enforced or is bypassed, the attacker may attempt to gain access using single-factor authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise (if successful):\u003c/strong\u003e If the attacker successfully guesses the password before lockout or 
bypasses MFA, the account is compromised, allowing unauthorized access to resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force attack against Entra ID can lead to widespread account compromise. This could result in unauthorized access to sensitive data, business disruption, and potential financial loss. An attacker could leverage compromised accounts to move laterally within the network, escalate privileges, and exfiltrate data. This attack can affect any organization using Microsoft Entra ID for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID Excessive Account Lockouts Detected\u0026rdquo; to your SIEM to detect high counts of failed sign-in attempts resulting in account lockouts.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by pivoting to the raw logs in Discover or Timeline using the provided query and focusing on \u003ccode\u003eevent.dataset: \u0026quot;azure.signinlogs\u0026quot; and azure.signinlogs.properties.status.error_code: 50053\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBlock suspicious source IPs identified in the investigation using Conditional Access named locations to prevent further brute-force attempts.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to block legacy authentication protocols like IMAP, SMTP, and POP, which are often targeted in password spraying attacks.\u003c/li\u003e\n\u003cli\u003eReview and enhance Conditional Access policies to ensure comprehensive MFA coverage and prevent MFA bypass attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T18:43:05Z","date_published":"2026-04-22T18:43:05Z","id":"/briefs/2024-01-30-entra-id-lockouts/","summary":"A high volume of failed Microsoft Entra ID sign-in attempts resulting in account lockouts 
indicates potential brute-force attacks, such as password spraying or credential stuffing, targeting user accounts.","title":"Entra ID Excessive Account Lockouts Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-30-entra-id-lockouts/"}],"language":"en","title":"CraftedSignal Threat Feed — Brute_force","version":"https://jsonfeed.org/version/1.1"}