Forum Discussion
c___b
Aug 03, 2021 Copper Contributor
Login failed with Sign-in was blocked because it came from an IP address with malicious activity
Hello, I'm looking for a definitive, authoritative answer to what exactly entails an Azure AD login failed with the message "Sign-in was blocked because it came from an IP address with malicious activ...
c___b
Aug 06, 2021 Copper Contributor
Thanks, but you didn't answer my question.
c___b
Sep 06, 2021 Copper Contributor
Resurfacing thread, the initial question is still open.
- BdCvC Sep 11, 2021 Copper Contributor
Not an authoritative answer, just an observation based on 30 Tenants. We see these messages coming from all over the world (Asia seems prevalent), targeting our users with IMAP4 calls, some are bulk and block the account, some come from suspect IPs (MS machine learning we assume) and some just try 3 times per hour (to prevent blocking the account we assume). These are all Failures (we also monitor that successful Logins are only from locations we expect). To block these Fails we advise to enable MFA. For those tenants that refuse to have MFA enabled (yes it happens) we disabled Basic authentication (IMAP4 and POP3 mainly) through [Set-OrganizationConfig -DefaultAuthenticationPolicy] to stop these password guessing attempts. We also did this for Tenants who are not (yet) being targeted. For new Tenants we don't give a choice anymore, MFA is included.
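The three failure patterns described in the reply above (bulk attempts, blocks on suspect IPs, and roughly three tries per hour) can be told apart in an exported sign-in log. The following is an added example, not part of the thread; the flattened field names, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"IMAP4", "POP3"}                       # basic-auth protocols named in the thread
BLOCKED = "IP address with malicious activity"   # message text quoted in the question
HOUR = timedelta(hours=1)

def peak_per_hour(times):
    """Largest number of attempts inside any sliding one-hour window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= HOUR:          # drop attempts older than one hour
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(records, bulk_threshold=10, slow_rate=3):
    """Label each targeted user by the failed legacy-auth pattern seen against them."""
    per_user = defaultdict(list)
    for r in records:
        # Assumption: an empty failureReason marks a successful sign-in.
        if r["clientAppUsed"] in LEGACY and r["failureReason"]:
            per_user[r["userPrincipalName"]].append(r)
    verdicts = {}
    for user, recs in per_user.items():
        peak = peak_per_hour([datetime.fromisoformat(r["createdDateTime"]) for r in recs])
        if any(BLOCKED in r["failureReason"] for r in recs):
            verdicts[user] = "blocked-ip"        # the service rejected the source IP
        elif peak >= bulk_threshold:
            verdicts[user] = "bulk"              # burst likely to lock the account
        elif peak <= slow_rate and len(recs) > peak:
            verdicts[user] = "low-and-slow"      # few per hour, sustained over hours
        else:
            verdicts[user] = "sporadic"
    return verdicts

def _rec(user, ip, ts, app="IMAP4", reason="Invalid username or password"):
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": ts,
            "clientAppUsed": app, "failureReason": reason}

# Constructed sample records (documentation IP ranges, example.com users).
SAMPLE = (
    [_rec("alice@example.com", "203.0.113.7", f"2021-09-01T10:{m:02d}:00") for m in range(0, 24, 2)]
    + [_rec("bob@example.com", "198.51.100.9", f"2021-09-01T{h:02d}:{m:02d}:00")
       for h in (8, 9, 10) for m in (5, 25, 45)]
    + [_rec("carol@example.com", "192.0.2.44", "2021-09-01T11:00:00",
            reason="Sign-in was blocked because it came from an IP address with malicious activity")]
    + [_rec("dave@example.com", "192.0.2.10", "2021-09-01T09:00:00", app="Browser", reason="")]
)
```

Users labelled "bulk" or "low-and-slow" are the ones for whom disabling Basic authentication or enabling MFA, as advised in the reply, removes the guessing surface.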