- A successful login from a suspicious IP address or User-Agent after frequent failed login attempts.
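
The trigger above can be expressed as a sliding-window check over authentication events. This is an added example, not the product's own detection logic: the window, threshold, per-account baseline and the constructed sample events are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count that qualifies as "frequent"

# Assumed per-account baseline of previously seen source IPs and User-Agents.
BASELINE = {
    "alice": {"ips": {"198.51.100.20"}, "uas": {"Mozilla/5.0 (Macintosh)"}},
    "bob": {"ips": {"198.51.100.10"}, "uas": {"Mozilla/5.0 (Windows NT 10.0)"}},
}

def make_events():
    """Constructed sample log: (minute, account, ip, user-agent, success)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    bad = ("alice", "203.0.113.7", "python-requests/2.31")
    typo = ("bob", "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0)")
    rows = [(m, *bad, False) for m in range(6)] + [(6, *bad, True)]
    rows += [(m, *typo, False) for m in range(5)] + [(5, *typo, True)]
    rows += [(0, "carol", "203.0.113.9", "curl/8.4", False),
             (1, "carol", "203.0.113.9", "curl/8.4", True)]
    return [dict(ts=t0 + timedelta(minutes=m), account=a, ip=ip, ua=ua, ok=ok)
            for m, a, ip, ua, ok in rows]

def detect(events):
    """Alert on a success that follows >= THRESHOLD failures inside WINDOW
    and comes from an IP or User-Agent outside the account's baseline."""
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = failures[e["account"]]
        while recent and e["ts"] - recent[0] > WINDOW:
            recent.popleft()       # drop failures older than the window
        if not e["ok"]:
            recent.append(e["ts"])
            continue
        known = BASELINE.get(e["account"], {"ips": set(), "uas": set()})
        unusual = e["ip"] not in known["ips"] or e["ua"] not in known["uas"]
        if len(recent) >= THRESHOLD and unusual:
            alerts.append({"account": e["account"], "ip": e["ip"], "ua": e["ua"],
                           "failed_attempts": len(recent), "ts": e["ts"]})
        recent.clear()             # a success ends the current failure streak
    return alerts

if __name__ == "__main__":
    for alert in detect(make_events()):
        print(alert)
```

In the sample data only alice alerts: bob's failures come from his usual IP and User-Agent (a mistyped password), and carol's single failure is below the threshold.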
Possible Root Causes
- Users commonly adopt weak or reused credentials, and attackers exploit this behavior by repeatedly attempting to log in to discovered accounts using leaked or common passwords.
- Legitimate users who repeatedly mistype their password may trigger this detection.
- Automated systems or services may continuously attempt to log in with incorrect credentials.
- Accounts compromised through brute-force attacks provide attackers a foothold in the enterprise.
- Attackers who have taken over administrative, executive, or high-value accounts put the enterprise at considerable risk.
Steps to Verify
- Brute-force attacks that end with a successful login should immediately be investigated for abnormal or threatening behavior.