Microsoft Entra ID Excessive Account Lockouts Detected

Identifies a high count of failed Microsoft Entra ID sign-in attempts as the result of the target user account being locked out. Adversaries may attempt to brute-force user accounts by repeatedly trying to authenticate with incorrect credentials, leading to account lockouts by Entra ID Smart Lockout policies.

Rule type: threshold
Rule indices:

  • filebeat-*
  • logs-azure.signinlogs-*

Rule Severity: high
Risk Score: 73
Runs every: 30m
Searches indices from: now-60m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: Azure
  • Data Source: Entra ID
  • Data Source: Entra ID Sign-in Logs
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Resources: Investigation Guide

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule detects a high number of sign-in failures due to account lockouts (error code 50053) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.

Please note this is a threshold rule that aggregates multiple account lockouts over a specified time window. To properly investigate, pivot into the individual sign-in log events that contributed to the threshold being met.

  • Review the users impacted by pivoting to, and searching for, user.name in events where azure.signinlogs.properties.status.error_code is 50053.
  • Analyze source addresses associated with these lockouts. Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers).
  • Inspect the user-agents involved in these account lockouts. Clients like Python Requests indicate scripted automation rather than legitimate login attempts. ROPC agents may suggest brute-forcing against legacy auth.
  • A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.
  • Correlate the client apps involved; clients such as PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.
  • Review conditional access state or risk state of the user involved. If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.
  • Check for any successful sign-ins for the affected users around the same time frame to determine if any accounts were compromised prior to lockout.
  • Misconfigured clients, scripts, or services with outdated credentials may inadvertently cause lockouts.
  • Repeated lockouts from known internal IPs or during credential rotation windows could be benign.
  • Legacy applications without modern auth support may repeatedly fail and trigger Smart Lockout.
  • Specific known user agents (e.g., corporate service accounts).
  • Internal IPs or cloud-hosted automation with expected failure behavior.
  • Investigate locked accounts immediately. Confirm if the account was successfully accessed prior to lockout.
  • Reset credentials for impacted users and enforce MFA before re-enabling accounts.
  • Block malicious IPs or ASN at the firewall, identity provider, or Conditional Access level.
  • Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols.
  • Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients.
  • Conduct credential hygiene audits to assess reuse and rotation for targeted accounts.
  • If false positives are identified, create exceptions for known benign sources, users or user agents to reduce noise.
event.dataset: "azure.signinlogs" and event.category: "authentication"
    and azure.signinlogs.category: ("NonInteractiveUserSignInLogs" or "SignInLogs")
    and event.outcome: "failure"
    and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication"
    and azure.signinlogs.properties.status.error_code: 50053
    and azure.signinlogs.properties.user_principal_name: (* and not "")
    and not source.as.organization.name: "MICROSOFT-CORP-MSN-as-BLOCK"
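The following is an added example, not part of Elastic's rule or its detection-rules repository. It re-implements the query above clause by clause in Python over a constructed set of sign-in documents (field names follow the query; the threshold value and sample values are assumptions, since the page does not state the count) and computes the pivots the investigation guide asks for: unique users, top source address and scripted user agents.

```python
from collections import Counter

def get(doc, path):
    """Walk a dotted ECS-style path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def matches_rule(doc):
    """The rule's KQL filter, clause by clause, applied to one sign-in document."""
    return (get(doc, "event.dataset") == "azure.signinlogs"
            and get(doc, "event.category") == "authentication"
            and get(doc, "azure.signinlogs.category") in ("NonInteractiveUserSignInLogs", "SignInLogs")
            and get(doc, "event.outcome") == "failure"
            and get(doc, "azure.signinlogs.properties.authentication_requirement") == "singleFactorAuthentication"
            and get(doc, "azure.signinlogs.properties.status.error_code") == 50053
            and bool(get(doc, "azure.signinlogs.properties.user_principal_name"))  # (* and not "")
            and get(doc, "source.as.organization.name") != "MICROSOFT-CORP-MSN-as-BLOCK")

def triage(docs, threshold=10):
    """Count matching lockouts in one window (threshold is an assumed value) and build the guide's pivots."""
    hits = [d for d in docs if matches_rule(d)]
    users = {get(d, "azure.signinlogs.properties.user_principal_name") for d in hits}
    ips = Counter(get(d, "source.ip") for d in hits)
    agents = {get(d, "user_agent.original") for d in hits}
    return {"count": len(hits), "fires": len(hits) >= threshold,
            "unique_users": len(users),
            "spray_ratio": round(len(users) / len(hits), 2) if hits else 0.0,  # ~1.0 => one try per account
            "top_ip": ips.most_common(1)[0][0] if ips else None,
            "scripted_agents": sorted(a for a in agents if a and "python-requests" in a.lower())}

def make_event(upn, ip, ua, code=50053, asn="EXAMPLE-ISP", req="singleFactorAuthentication"):
    """Constructed sign-in document using the field names the rule queries."""
    return {"event": {"dataset": "azure.signinlogs", "category": "authentication", "outcome": "failure"},
            "azure": {"signinlogs": {"category": "SignInLogs", "properties": {
                "authentication_requirement": req, "status": {"error_code": code},
                "user_principal_name": upn}}},
            "source": {"ip": ip, "as": {"organization": {"name": asn}}},
            "user_agent": {"original": ua}}

# Constructed sample window: one address locking out twelve accounts, plus events the filter must drop.
SAMPLE = [make_event(f"user{i}@example.com", "203.0.113.7", "python-requests/2.31") for i in range(12)] + [
    make_event("svc@example.com", "10.0.0.5", "Mozilla/5.0", code=50126),  # bad password, not a lockout
    make_event("bob@example.com", "13.107.0.1", "Mozilla/5.0", asn="MICROSOFT-CORP-MSN-as-BLOCK"),
    make_event("", "203.0.113.7", "python-requests/2.31"),  # empty UPN is excluded by the query
    make_event("alice@example.com", "198.51.100.9", "Mozilla/5.0", req="multiFactorAuthentication"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A spray_ratio near 1.0 with a single dominant source address and a scripted user agent is the pattern the guide describes as password spraying; a ratio near zero (many lockouts on one account) points instead at a misconfigured client or a targeted brute force.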

Framework: MITRE ATT&CK