Multiple failed Microsoft Entra sign-ins
Description
AlphaSOC detected multiple failed sign-in attempts for a single Microsoft Entra ID account within a short time window. This detection tracks only interactive sign-ins, filtering out service and application authentication attempts. Repeated authentication failures may indicate a brute force attack where threat actors attempt to guess a user's password through systematic credential testing.
Impact
Sustained brute force attacks against Entra accounts could result in account lockout, disrupting legitimate user access. If an attacker successfully guesses credentials, they gain access to all applications and resources associated with the compromised account. This can lead to data theft, unauthorized access to sensitive systems, and potential lateral movement within the organization's cloud environment.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple failed interactive sign-ins for a single account |
Investigation and Remediation
Review the Entra sign-in logs to identify the source IP addresses, user agents, and timing patterns of the failed attempts. Determine whether the activity originates from expected locations or infrastructure. If the activity appears malicious, consider blocking the source IP addresses. Verify that multi-factor authentication is enabled for the account and review subsequent sign-in logs for any successful authentication that may indicate credential compromise.
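The detection logic described above (interactive failures per account inside a short window) and the triage context the runbook asks for (source IPs, user agents, timing, and any later successful sign-in), as an added example that is not AlphaSOC's own code. The event field names, the sample log and the threshold of five failures in five minutes are assumptions; 50126 is Entra's invalid username or password error code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(s):
    # createdDateTime-style ISO-8601 timestamp with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample sign-in log; field names are assumptions, not AlphaSOC's schema.
BOT = "python-requests/2.31"
FIELDS = ("time", "user", "ip", "agent", "interactive", "errorCode")
SAMPLE_EVENTS = [dict(zip(FIELDS, r)) for r in [
    ("2024-05-01T10:00:05Z", "alice@example.com", "203.0.113.10", BOT, True, 50126),
    ("2024-05-01T10:00:09Z", "alice@example.com", "203.0.113.10", BOT, True, 50126),
    ("2024-05-01T10:00:14Z", "alice@example.com", "203.0.113.11", BOT, True, 50126),
    ("2024-05-01T10:00:20Z", "alice@example.com", "203.0.113.10", BOT, True, 50126),
    ("2024-05-01T10:00:27Z", "alice@example.com", "203.0.113.10", BOT, True, 50126),
    ("2024-05-01T10:02:30Z", "alice@example.com", "203.0.113.10", BOT, True, 0),
    # non-interactive service sign-ins are excluded by the detection, so no alert
    ("2024-05-01T10:00:15Z", "svc-backup@example.com", "10.0.0.5", "azsdk", False, 50126),
    ("2024-05-01T10:00:16Z", "svc-backup@example.com", "10.0.0.5", "azsdk", False, 50126),
    ("2024-05-01T10:00:17Z", "svc-backup@example.com", "10.0.0.5", "azsdk", False, 50126),
    ("2024-05-01T10:00:18Z", "svc-backup@example.com", "10.0.0.5", "azsdk", False, 50126),
    ("2024-05-01T10:00:19Z", "svc-backup@example.com", "10.0.0.5", "azsdk", False, 50126),
    # a single mistyped password should not alert
    ("2024-05-01T10:05:00Z", "bob@example.com", "198.51.100.7", "Mozilla/5.0", True, 50126),
]]

def detect_failed_signin_bursts(events, threshold=5, window_seconds=300):
    # One alert per account with >= threshold interactive failures inside the window,
    # carrying the IPs, agents, timing and any later interactive success for triage.
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["interactive"] and e["errorCode"] != 0:   # errorCode 0 is a success
            failures[e["user"]].append(e)
    alerts = []
    for user, evs in failures.items():
        start = 0
        for end in range(len(evs)):          # sliding window over sorted failures
            while _ts(evs[end]["time"]) - _ts(evs[start]["time"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                last = _ts(burst[-1]["time"])
                later_success = [e for e in events if e["user"] == user and e["interactive"]
                                 and e["errorCode"] == 0 and _ts(e["time"]) > last]
                alerts.append({"user": user, "failures": len(burst),
                               "ips": sorted({e["ip"] for e in burst}),
                               "agents": sorted({e["agent"] for e in burst}),
                               "first": burst[0]["time"], "last": burst[-1]["time"],
                               "success_after_burst": bool(later_success)})
                break
    return alerts
```

Running it over the sample log yields one alert for alice with two source IPs, a scripted user agent, and a successful sign-in two minutes after the burst, which is the follow-up signal the runbook says to check for.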