Excessive Authentication Failures

Why this risk matters

A high volume of failed authentication attempts against one or more accounts is one of the oldest and most reliable indicators of an active credential attack. Brute force attacks target a single account with many password guesses; password spray attacks try a small number of common passwords across a large number of accounts. Both techniques generate a pattern of repeated authentication failures that, if left undetected, can eventually result in account compromise.

Modern Microsoft 365 environments have some built-in protections like smart lockout, but these don't always fire quickly enough, can be circumvented by distributed attacks using many source IPs, and don't cover legacy authentication protocols that don't support modern lockout mechanisms. Detecting the failure pattern early — before a successful login — is the best opportunity to intervene.

What happens if this is abused

  • Password spray tries one or two common passwords against hundreds of accounts, staying below smart lockout thresholds while systematically working through the user list
  • Successful login following the failure cluster gives the attacker access to email, files, Teams, and all applications accessible to the compromised account
  • Attack via legacy protocols — IMAP or Exchange ActiveSync — bypasses MFA entirely; a successful attempt grants full mailbox access without any authentication challenge
  • Distributed spray using many source IPs evades IP-based blocking, appearing as isolated individual sign-in failures rather than a coordinated campaign
  • Account enumeration via authentication response differences used to map valid usernames before launching a more targeted credential attack
  • Once inside, attacker immediately establishes persistence via inbox rules or OAuth app consent before the failure cluster triggers any investigation
  • Repeated failures against admin accounts are particularly high-risk — a single successful admin login bypasses all access controls applied to standard users
  • Sustained low-rate spray continues undetected for days or weeks, making it difficult to identify the exact point of compromise retrospectively

When this is expected or acceptable

Some authentication failure spikes are caused by configuration issues rather than attacks:

  • A user who has recently changed their password and has old credentials cached in a mail client, mobile device, or legacy application — these generate rapid failures until the cached credentials are cleared
  • A service account with a hardcoded password that has expired
  • A misconfigured application attempting to authenticate repeatedly with incorrect credentials
  • A user locked out and repeatedly attempting to sign in with the wrong password

The key differentiator is whether the failures originate from a known, expected source (a specific device or application the user owns) or from an external IP, multiple IPs, or an unfamiliar location.

Checks to perform before taking action

  • In Entra ID sign-in logs, filter by the affected user(s) and look at the source IPs of the failed attempts — are they from known locations, or external/anonymising infrastructure?
  • Check whether the failures are against a single account (brute force) or spread across many accounts (password spray)
  • Look at whether the failed attempts involve modern authentication or legacy protocols (basic auth, SMTP, POP3, IMAP) — legacy protocol attacks bypass MFA
  • Assess whether any of the attempts were followed by a successful login — if yes, treat this as active compromise immediately
  • Check the timing pattern — a uniform interval between attempts suggests automation; human-paced failures are typically a user with cached credentials
  • Contact the user via phone if the pattern looks suspicious — do not rely on email if the account may be under active attack

Safe remediation steps

  1. If the failures originate from external IPs or unknown locations, block the source IP ranges in Entra ID or your firewall if identifiable and persistent
  2. If any successful login followed the failure cluster, treat the account as compromised: revoke all sessions, reset the password via a secure channel, and re-enrol MFA
  3. If no successful login yet, consider temporarily blocking sign-in for the targeted account(s) while the attack is ongoing, then re-enable once mitigations are in place
  4. For accounts targeted via legacy authentication, block legacy auth protocols in Conditional Access — create a policy that blocks Basic Auth for the affected user or globally if not already in place
  5. Check whether the targeted accounts have MFA enabled — if not, enable it immediately
  6. Review smart lockout settings in Entra ID to ensure they are appropriately configured for your environment
  7. If this is a broad password spray across many accounts, assess whether a password policy review or forced password reset is appropriate

Overe Auto-Response: The Excessive Authentication Failures alert can be configured in Overe to trigger automatic session revocation or account block when sustained failure volumes are detected. Review your Auto-Response settings under Org Config > Auto-Response to set an appropriate automated response threshold for your environment.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Block High-Risk Sign-Ins — Creates a Conditional Access Policy that blocks any sign-in categorized as 'High Risk'.
  • Block High-Risk Users — Creates a Conditional Access Policy that prevents any user categorized as 'High Risk' from signing in.
  • Require MFA for all users — Creates a Conditional Access Policy that grants access only to users who complete MFA.
  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.

Related risks and follow-on checks

After investigating excessive authentication failures, review these related risk areas:

Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.