Azure AD Successful Brute-Force

View all detections
Azure AD Successful Brute-Force


  • A successful login with suspicious IP Address or User-Agent after frequent failed login attempts.

Possible Root Causes

  • Adoption of weak or reused credentials is common among users and attackers exploit this behavior by repeatedly attempting to login to discovered accounts using leaked or common passwords.
  • Legitimate users who repeatedly mistype their password may trigger this detection
  • Automated systems or services may attempt to continuously login with incorrect credentials.

Business Impact

  • Accounts compromised through brute-force attacks provide attackers a foothold in the enterprise.
  • Attackers who have taken over administrative, executive, or high-value accounts put the enterprise at considerable risk.

Steps to Verify

  • Brute-force attacks that end with a successful login should immediately be investigated for abnormal or threatening behavior.