Forum Discussion
hhbadarin
Aug 18, 2023 · Brass Contributor
Thousands of login attempts from external IPs
Hi all, I'm the Global admin of an education tenant in the largest school district in my country, I administer over 90k Microsoft 365 accounts for students and educators. Recently, Azure AD logs st...
- Aug 18, 2023
Not really, after all M365 is a public cloud service and the login page is available from anywhere. UPNs themselves can be tried at random (you will not see any attempt for a non-existent UPN in the logs), or guesstimated from the email address, etc.
As for blocking them, CA is an easy way; unfortunately, it only triggers after the credentials have been validated. Only Exchange Online allows you to block login attempts on the pre-auth layer, via the so-called Authentication policies: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#authentication-policy-procedures-in-exchange-online
That said, most such attempts try to leverage the Exchange protocols, so this approach might help in your case. If you need to exert further control, your only option would be to redirect the login process to an external system (on-premises AD FS farm or federation provider), where you can apply restrictions as needed.
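To check whether the failed attempts in a tenant really arrive over the Exchange protocols before relying on Authentication policies, the sign-in log can be tallied by client app. The script below is an added example, not part of the reply above: it assumes an export whose fields follow the Microsoft Graph signIn schema (`clientAppUsed`, `ipAddress`, `userPrincipalName`, `status.errorCode`), the protocol list is an assumption to adjust to what the logs show, and the sample records are constructed.

```python
from collections import Counter

# clientAppUsed values treated as Exchange Online protocols
# (assumed list; extend it to match the values seen in your own logs).
EXCHANGE_PROTOCOLS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Autodiscover",
    "Outlook Anywhere (RPC over HTTP)",
}

def rec(upn, ip, app, code):
    """Build one sign-in record in the assumed export shape."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}

# Constructed sample records (documentation IP ranges, example.edu UPNs).
# errorCode 0 is a successful sign-in; any other value is a failure.
SAMPLE = [
    rec("student1@example.edu", "203.0.113.10", "IMAP4", 50126),
    rec("student2@example.edu", "203.0.113.10", "IMAP4", 50126),
    rec("teacher1@example.edu", "203.0.113.10", "Authenticated SMTP", 50126),
    rec("student1@example.edu", "198.51.100.7", "Browser", 50126),
    rec("teacher1@example.edu", "192.0.2.44", "Browser", 0),
    rec("student3@example.edu", "198.51.100.7", "POP3", 50053),
]

def triage(records):
    """Summarise failed sign-ins by client app, source IP and targeted UPN."""
    failed = [r for r in records
              if r.get("status", {}).get("errorCode", 0) != 0]
    by_app = Counter(r.get("clientAppUsed") or "unknown" for r in failed)
    by_ip = Counter(r.get("ipAddress") or "unknown" for r in failed)
    exchange = sum(n for app, n in by_app.items() if app in EXCHANGE_PROTOCOLS)
    return {
        "failed": len(failed),
        "exchange_failed": exchange,
        # Share of failures an Exchange Online authentication policy could
        # stop pre-auth; the remainder still reaches Azure AD sign-in.
        "exchange_share": exchange / len(failed) if failed else 0.0,
        "by_app": dict(by_app),
        "top_ips": by_ip.most_common(3),
        "targeted_users": len({r.get("userPrincipalName") for r in failed}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `exchange_share` supports the Authentication policy route; failures under `Browser` or other modern clients are outside what that policy covers.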