Excessive Authentication Failures

Why this risk matters

A high volume of failed authentication attempts against one or more accounts is one of the oldest and most reliable indicators of an active credential attack. Brute force attacks target a single account with many password guesses; password spray attacks try a small number of common passwords across a large number of accounts. Both techniques generate a pattern of repeated authentication failures that, if left undetected, can eventually result in account compromise.

Modern Microsoft 365 environments have some built-in protections like smart lockout, but these don't always fire quickly enough, can be circumvented by distributed attacks using many source IPs, and don't cover legacy authentication protocols that don't support modern lockout mechanisms. Detecting the failure pattern early — before a successful login — is the best opportunity to intervene.

What happens if this is abused

If the authentication failures represent an active password spray or brute force attack, a successful login is the immediate risk. Once in, the attacker typically moves quickly: they assess the account's access, establish persistence via inbox rules or OAuth app consent, and begin exfiltration or lateral movement before the compromise is detected.

Password spray attacks are particularly dangerous for organisations using weak or default passwords, shared credentials, or accounts where MFA is not enforced. A single successful login from a spray campaign can give access to email, files, internal applications, and potentially admin portals — depending on the account's privileges.

Repeated failures from the same source IP may also indicate an automated tool performing reconnaissance before a targeted attack.

When this is expected or acceptable

Some authentication failure spikes are caused by configuration issues rather than attacks:

  • A user who has recently changed their password and has old credentials cached in a mail client, mobile device, or legacy application — these generate rapid failures until the cached credentials are cleared
  • A service account with a hardcoded password that has expired
  • A misconfigured application attempting to authenticate repeatedly with incorrect credentials
  • A user locked out and repeatedly attempting to sign in with the wrong password

The key differentiator is whether the failures originate from a known, expected source (a specific device or application the user owns) or from an external IP, multiple IPs, or an unfamiliar location.

Checks to perform before taking action

  • In Entra ID sign-in logs, filter by the affected user(s) and look at the source IPs of the failed attempts — are they from known locations, or external/anonymising infrastructure?
  • Check whether the failures are against a single account (brute force) or spread across many accounts (password spray)
  • Look at whether the failed attempts involve modern authentication or legacy protocols (basic auth, SMTP, POP3, IMAP) — legacy protocol attacks bypass MFA
  • Assess whether any of the attempts were followed by a successful login — if yes, treat this as active compromise immediately
  • Check the timing pattern — a uniform interval between attempts suggests automation; human-paced failures are typically a user with cached credentials
  • Contact the user via phone if the pattern looks suspicious — do not rely on email if the account may be under active attack
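The checks above can be scripted against an export of the Entra ID sign-in log. The following is an added example written for this page, not Overe's or Microsoft's code: it groups failed sign-ins by source IP, labels each source as brute force (one account, many attempts) or password spray (many accounts, few attempts each), measures whether the cadence is machine-uniform or human-paced, flags legacy protocols, and reports any success that followed a run of failures. The record shape mirrors the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `createdDateTime`, `status.errorCode`); the assumption is that your export keeps those names and the `clientAppUsed` labels listed in `LEGACY_CLIENT_APPS`. All addresses, users and timestamps are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample rows in the shape of the Graph signIn resource.
# errorCode 0 = success, 50126 = invalid username or password.
def _row(user, ip, app, offset_s, code):
    ts = datetime(2024, 5, 1, 8, 0, 0) + timedelta(seconds=offset_s)
    return {"userPrincipalName": user, "ipAddress": ip, "clientAppUsed": app,
            "createdDateTime": ts.isoformat() + "Z", "status": {"errorCode": code}}

SPRAY_IP, BRUTE_IP, INTERNAL_IP = "203.0.113.7", "198.51.100.20", "10.0.0.5"
SAMPLE_SIGNINS = (
    # spray: 4 accounts, 2 guesses each, every 30 s over IMAP, then one success
    [_row(f"user{i % 4}@example.com", SPRAY_IP, "IMAP4", 30 * i, 50126) for i in range(8)]
    + [_row("user3@example.com", SPRAY_IP, "IMAP4", 240, 0)]
    # brute force: one account, 6 guesses at a fixed 10 s interval
    + [_row("alice@example.com", BRUTE_IP, "Browser", 10 * i, 50126) for i in range(6)]
    # internal user with irregular failures (mistyping / cached credentials)
    + [_row("bob@example.com", INTERNAL_IP, "Mobile Apps and Desktop clients", off, 50126)
       for off in (0, 47, 200)]
)

# clientAppUsed labels that mean legacy (basic) authentication, which cannot enforce MFA.
# Assumption: these strings match the labels in your tenant's export.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def failures(events):
    return [e for e in events if e["status"]["errorCode"] != 0]

def cadence(events):
    """'automated' when inter-attempt gaps are near-uniform, 'human-paced' otherwise."""
    times = sorted(parse_time(e["createdDateTime"]) for e in events)
    if len(times) < 3:
        return "insufficient-data"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0  # coefficient of variation
    return "automated" if cv < 0.25 else "human-paced"

def triage_by_source(events, min_attempts=3):
    """Group failed attempts by source IP and describe each source's pattern."""
    by_ip = defaultdict(list)
    for e in failures(events):
        by_ip[e["ipAddress"]].append(e)
    report = {}
    for ip, fails in by_ip.items():
        accounts = {e["userPrincipalName"] for e in fails}
        if len(fails) < min_attempts:
            pattern = "below-threshold"
        elif len(accounts) == 1:
            pattern = "brute-force"
        elif len(fails) / len(accounts) <= 3:
            pattern = "password-spray"
        else:
            pattern = "mixed"
        report[ip] = {
            "attempts": len(fails),
            "accounts": sorted(accounts),
            "pattern": pattern,
            "cadence": cadence(fails),
            "legacy_auth": any(e["clientAppUsed"] in LEGACY_CLIENT_APPS for e in fails),
            # stand-in for your list of known corporate networks
            "internal": ipaddress.ip_address(ip).is_private,
        }
    return report

def assess(entry):
    """Apply the page's differentiator: known source and human pacing vs. external automation."""
    if entry["internal"] and entry["cadence"] == "human-paced" and len(entry["accounts"]) == 1:
        return "likely benign: known-network user mistyping or cached credentials"
    if entry["pattern"] in ("brute-force", "password-spray"):
        extra = " over legacy auth (MFA not enforced)" if entry["legacy_auth"] else ""
        return f"suspicious: {entry['pattern']}{extra}"
    return "review"

def successes_after_failures(events, min_failures=2):
    """Accounts where a success followed at least min_failures failures from the same IP."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["userPrincipalName"], e["ipAddress"])].append(e)
    hits = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["createdDateTime"]))
        fail_run = 0
        for e in evs:
            if e["status"]["errorCode"] == 0:
                if fail_run >= min_failures:
                    hits.append({"user": user, "ip": ip, "at": e["createdDateTime"],
                                 "prior_failures": fail_run})
                fail_run = 0
            else:
                fail_run += 1
    return hits

if __name__ == "__main__":
    for ip, entry in triage_by_source(SAMPLE_SIGNINS).items():
        print(ip, entry["pattern"], entry["cadence"], "->", assess(entry))
    for hit in successes_after_failures(SAMPLE_SIGNINS):
        print("SUCCESS AFTER FAILURES (treat as compromise):", hit)
```

On the sample data the external spray source is reported as automated, legacy-auth, password spray with a success following two failures on `user3`, the second external source as brute force, and the internal source as human-paced and likely benign. Thresholds (`min_attempts`, the 0.25 cadence cut-off, the 3-attempts-per-account spray ratio) are starting points to tune against your own baseline.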

Safe remediation steps

  1. If the failures originate from external IPs or unknown locations, block the source IP ranges in Entra ID or your firewall if identifiable and persistent
  2. If any successful login followed the failure cluster, treat the account as compromised: revoke all sessions, reset the password via a secure channel, and re-enrol MFA
  3. If no successful login yet, consider temporarily blocking sign-in for the targeted account(s) while the attack is ongoing, then re-enable once mitigations are in place
  4. For accounts targeted via legacy authentication, block legacy auth protocols in Conditional Access — create a policy that blocks Basic Auth for the affected user or globally if not already in place
  5. Check whether the targeted accounts have MFA enabled — if not, enable it immediately
  6. Review smart lockout settings in Entra ID to ensure they are appropriately configured for your environment
  7. If this is a broad password spray across many accounts, assess whether a password policy review or forced password reset is appropriate
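Step 4 is the one that is most often configured incompletely: a legacy-auth block that covers only "Other clients" misses Exchange ActiveSync, and a policy left in report-only mode enforces nothing. The following added example, not Overe's or Microsoft's code, builds the policy body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (created with `POST /identity/conditionalAccess/policies`) and checks an existing policy body for those gaps. The policy scope (`include_users`, `exclude_users`) and the object IDs you pass in are yours; the defaults here are placeholders.

```python
import json

# Graph clientAppTypes values that together cover legacy (basic) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def legacy_auth_block_policy(display_name, include_users=("All",), exclude_users=(), report_only=True):
    """Build a Conditional Access policy body that blocks legacy auth for the given users.

    Start in report-only mode, confirm in the sign-in log which users still rely on
    legacy protocols, then switch report_only to False to enforce.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": list(include_users),       # "All" or user object IDs
                "excludeUsers": list(exclude_users),       # e.g. your break-glass accounts
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_gaps(policy):
    """Return the reasons a policy body does NOT fully block legacy auth (empty list = OK)."""
    gaps = []
    conds = policy.get("conditions", {})
    app_types = set(conds.get("clientAppTypes", []))
    if "all" in app_types:
        gaps.append("clientAppTypes 'all' blocks modern auth too; scope to exchangeActiveSync and other")
    elif not LEGACY_CLIENT_APP_TYPES <= app_types:
        missing = sorted(LEGACY_CLIENT_APP_TYPES - app_types)
        gaps.append(f"clientAppTypes missing {missing}")
    if "All" not in conds.get("applications", {}).get("includeApplications", []):
        gaps.append("applications must include All, otherwise some legacy endpoints stay open")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        gaps.append("grantControls.builtInControls must be exactly ['block']")
    if policy.get("state") != "enabled":
        gaps.append(f"policy is not enforced (state is {policy.get('state')!r})")
    if not conds.get("users", {}).get("includeUsers"):
        gaps.append("no users in scope")
    return gaps

if __name__ == "__main__":
    draft = legacy_auth_block_policy("Block legacy authentication",
                                     exclude_users=["<BREAK_GLASS_OBJECT_ID>"])
    print(json.dumps(draft, indent=2))
    print("gaps while in report-only:", policy_gaps(draft))
```

Run `policy_gaps` against the JSON returned by `GET /identity/conditionalAccess/policies` for your existing block policy before assuming step 4 is already covered.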

Overe Auto-Response: The Excessive Authentication Failures alert can be configured in Overe to trigger automatic session revocation or account block when sustained failure volumes are detected. Review your Auto-Response settings under Org Config > Auto-Response to set an appropriate automated response threshold for your environment.

Related risks and follow-on checks

After investigating excessive authentication failures, review these related risk areas:

  • Legacy Authentication Exposure — if attacks are targeting legacy protocols, review and block these across the organisation
  • Users with Risky MFA Settings — accounts targeted by spray attacks are at much higher risk if MFA is weak or missing
  • CA MFA Bypass Paths — ensure there are no Conditional Access gaps that would allow a successful login to bypass MFA
  • Session Hijack via Unusual IP Change — if a successful login follows the failures, check for subsequent session anomalies
  • Dormant Users — dormant accounts are common targets for password spray because they're less likely to be monitored