Suspected brute-force attack and None of the passwords attempted where previously used passwords

Copper Contributor

Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted where previously used passwords.


This makes me wonder. It knows it is a password that was not used before. But did the account try to login 100x times with this password or did it do 100x times a try with 100 passwords that where not used before.

If it is the 100 tries with just 1 never used password it is possible just someone who made a typo in a script (password) for example.


If it was 100 different password it is a much bigger issue.


I can not find this the documentation how i should read this. I am also not aware if there is a option to figure this out (kusto query for example).


Anyone a idea?

4 Replies

Seems logic this is 100 attempts with 100 different passwords.
If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 times more on the same account.
If it would be a password-spray attack, then an attacker might use the same password against 100 accounts.

Your message also says: "none of the passwordS"...

So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.
I would indeed asume this based on the message/event. But then again it does not know if you try different passwords only that it is different than old known passwords. I am sure this acount is not under bruteforce attack.

Sure is worth investigating :lol:
So, I guess this one you already figured out it was a script, or similar, using the wrong password... which for an AI system looks like a brute force attack...
So, this one is benign positive then :smile:


Guess "Suspected" is key in this case....
Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft L...
Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender f...

So, it is based on authentication attempts... but i guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used.


Probably the underlaying detection algorithms will not be shared for security reasons. So lets just go with what we know:
Get an alert, investigate :lol:


For better clarity, you need to investigate more on various possible indicators of impacted user account. In a recent update, Microsoft is rolling out a new alert for detecting password spray attacks. Utilize the below blog to identify what indicators should be monitored and how to defend against such attacks.