Azure AD Successful Brute-Force
Detection overview
Triggers
- A successful login with suspicious IP Address or User-Agent after frequent failed login attempts.
Possible Root Causes
- Adoption of weak or reused credentials is common among users and attackers exploit this behavior by repeatedly attempting to login to discovered accounts using leaked or common passwords.
- Legitimate users who repeatedly mistype their password may trigger this detection
- Automated systems or services may attempt to continuously login with incorrect credentials.
Business Impact
- Accounts compromised through brute-force attacks provide attackers a foothold in the enterprise.
- Attackers who have taken over administrative, executive, or high-value accounts put the enterprise at considerable risk.
Steps to Verify
- Brute-force attacks that end with a successful login should immediately be investigated for abnormal or threatening behavior.
Azure AD Successful Brute-Force
Possible root causes
Malicious Detection
Benign Detection
Azure AD Successful Brute-Force
Example scenarios
Azure AD Successful Brute-Force
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure AD Successful Brute-Force
Steps to investigate
Azure AD Successful Brute-Force
Related detections
No items found.