Forum Discussion
Suspected brute-force attack and None of the passwords attempted were previously used passwords
Seems logical this is 100 attempts with 100 different passwords.
If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 more times on the same account.
If it were a password-spray attack, then an attacker might use the same password against 100 accounts.
Your message also says: "none of the passwordS"...
So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.
- Matthias_VDB, Mar 01, 2023, MCT
Sure is worth investigating
So, I guess this one you already figured out it was a script, or similar, using the wrong password... which for an AI system looks like a brute force attack...
So, this one is benign positive then.
Guess "Suspected" is key in this case...
Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft Learn
Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender for Identity | Microsoft Learn
So, it is based on authentication attempts... but I guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used?
Probably the underlying detection algorithms will not be shared for security reasons. So let's just go with what we know:
Get an alert, investigate
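
The three cases discussed in this thread (many passwords against one account, one password against many accounts, one wrong password retried by a script), as an added triage example that is not part of any participant's post and does not describe how Microsoft Defender for Identity detects anything. The event tuples, the `password_fingerprint` field and the threshold of 20 are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of failed logons: (source_host, target_account, password_fingerprint).
# password_fingerprint is a hypothetical opaque token that only says whether two
# attempts used the same password; ordinary logon-failure events do not carry it.
def sample_events():
    events = []
    events += [("10.0.0.5", "alice", f"fp{i}") for i in range(100)]  # 100 passwords, 1 account
    events += [("10.0.0.9", f"user{i}", "fpX") for i in range(100)]  # 1 password, 100 accounts
    events += [("10.0.0.7", "svc_backup", "fpOld")] * 100            # 1 wrong password, retried
    return events

def classify(events, threshold=20):
    """Label each source host by the pattern of its failed logons."""
    by_source = defaultdict(list)
    for src, acct, fp in events:
        by_source[src].append((acct, fp))

    verdicts = {}
    for src, attempts in by_source.items():
        pw_per_account = defaultdict(set)   # account -> distinct passwords tried
        accounts_per_pw = defaultdict(set)  # password -> distinct accounts tried
        for acct, fp in attempts:
            pw_per_account[acct].add(fp)
            accounts_per_pw[fp].add(acct)
        max_pw = max(len(s) for s in pw_per_account.values())
        max_accts = max(len(s) for s in accounts_per_pw.values())

        if max_pw >= threshold:
            verdicts[src] = "brute-force"             # many passwords, same account
        elif max_accts >= threshold:
            verdicts[src] = "password-spray"          # same password, many accounts
        elif len(attempts) >= threshold and max_pw == 1 and max_accts == 1:
            verdicts[src] = "repeated-same-password"  # e.g. script with a stale password
        else:
            verdicts[src] = "unclassified"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(sample_events()).items()):
        print(host, verdict)
```
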