365 Targeted Users

Alert title: “Targeted Users”

Description: Alerts if a user has excessive failed logins, indicating that the user account may be being targeted.


  • It is possible to ignore users
  • It is possible to set the number of failed logins that triggers an alert
  • It is possible to set the number of unique failure IP addresses that triggers an alert

The problem: This alert is triggered when a user reaches the required (total) volume of failed logins, and/or when there are enough failed logins from unique IP addresses (indicating a wider/broader attack).
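
The trigger logic described above, sketched as an added example (not the product's own code) run over constructed sign-in events. The threshold values, the `>=` comparison, the event field names and the ignored account are all assumptions.

```python
from collections import defaultdict

# Assumed values: the page says these are configurable but gives no defaults.
FAILED_LOGIN_THRESHOLD = 10   # total failed logins per user
UNIQUE_IP_THRESHOLD = 3       # distinct source IPs seen in failures per user
IGNORED_USERS = frozenset({"svc-scanner@example.com"})  # hypothetical ignored account


def find_targeted_users(events, failed_threshold=FAILED_LOGIN_THRESHOLD,
                        ip_threshold=UNIQUE_IP_THRESHOLD, ignored=IGNORED_USERS):
    """Return {user: {"failed", "unique_ips", "reasons"}} for users over either threshold."""
    ignored = {u.lower() for u in ignored}
    failures = defaultdict(int)
    ips = defaultdict(set)
    for ev in events:
        user = ev["user"].lower()  # treat user names case-insensitively
        if ev["success"] or user in ignored:
            continue
        failures[user] += 1
        ips[user].add(ev["ip"])

    flagged = {}
    for user, count in failures.items():
        reasons = []
        if count >= failed_threshold:
            reasons.append("failed_login_volume")
        if len(ips[user]) >= ip_threshold:
            reasons.append("unique_failure_ips")
        if reasons:  # either condition alone raises the alert ("and/or")
            flagged[user] = {"failed": count, "unique_ips": len(ips[user]),
                             "reasons": reasons}
    return flagged


# Constructed sample events (example.com users, documentation-range IPs).
SAMPLE_EVENTS = (
    [{"user": "alice@example.com", "ip": "198.51.100.7", "success": False}] * 12
    + [{"user": "Bob@example.com", "ip": f"203.0.113.{i}", "success": False}
       for i in range(1, 5)]
    + [{"user": "carol@example.com", "ip": "192.0.2.10", "success": False}] * 2
    + [{"user": "carol@example.com", "ip": "192.0.2.10", "success": True}]
    + [{"user": "svc-scanner@example.com", "ip": "192.0.2.50", "success": False}] * 40
)

if __name__ == "__main__":
    for user, info in find_targeted_users(SAMPLE_EVENTS).items():
        print(user, info)
```

The `reasons` field records which condition fired, which helps a technician tell a high-volume attempt from a single source apart from a lower-volume attempt spread across many addresses.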

Impact: The end-user(s) flagged by this alert may be being targeted.

Suggested steps: Engage a technician to confirm that the alert is accurate. Ensure that the targeted account(s) are secure. The steps required to secure your accounts will vary depending on the needs of your organisation. At a minimum we suggest Multi-Factor Authentication with enforcement, and a strong password if using password authentication.