The rule "Attempts to crack distributed passwords in AzureAD" is always detected with the same user.

Occasional Contributor

Hi everyone,


I don't know if anyone has had this problem. My problem is that when this rule is detected the same user is always triggered when trying to connect to the "Office 365 Exchange Online" application from a mobile phone and the client application "Exchange ActiveSync".
This rule monitors high login attempts from different locations over a period of time of 1 day.
We know that this is a false positive, as this is a field technician, and we have checked with the user to verify these actions.
As a solution, we have taken the following actions to prevent the alert from being triggered:

-Logging out of the application login and logging back in.


But the problem persists, I don't know what else to do or what other mitigations I can see with the user.

I have looked at the login table and only see that the error is thrown when connecting to the "Office 365 Exchange Online" application.

Any ideas?



1 Reply

@Chris_321, I see its been few months already for your question. Have you resolved this issue? 

I am also facing this issue. I see that few specific users only this rule is firing up every day. Its strange that its only for specific users and not random or multiple users