Try this first
- 1. Enable Smart Lockout in Entra (default is 10 attempts per source per 60 seconds). Do not raise it; that backfires. Smart Lockout is the first brake.
- 2. In Entra ID Protection, set the User risk policy to High and tie it to a Conditional Access policy that forces a password reset. Identity Protection often sees sprays before the logs do.
- 3. Build a Sentinel query on SigninLogs where ResultType 50053, 50126 or 50057 appears more than 20 times in 10 minutes from different UserPrincipalName values out of one IP. That is the classic spray pattern.
- 4. Disable legacy authentication completely. Sprays often go through legacy protocols (IMAP, POP, SMTP-AUTH) because they bypass MFA. Use a Conditional Access policy that blocks legacy authentication for all accounts.
- 5. Geo-block or require MFA for sign-ins from countries you do not operate in. A spray from a random datacenter in Asia is then stopped before it can guess the password.
When to bring us in
If logs show sprays succeeding (ResultType 0 from an unknown IP followed by MFA fallback), treat it as an incident. Revoke sessions, invalidate tokens, and check which OAuth apps those accounts may have granted access to.
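A Sentinel query for the spray pattern in step 3, extended to flag the case described above where the same IP also shows a ResultType 0 sign-in. This is an added example, not a query shipped with this page; the lookback period, the minimum number of distinct users and the output column names are assumptions to tune per tenant.

```kql
// Added example. Assumed values: lookback, binSize, minDistinctUsers.
let lookback = 1d;
let binSize = 10m;              // "in 10 minutes" from step 3
let failureThreshold = 20;      // "more than 20 times" from step 3
let minDistinctUsers = 5;       // assumption: how many accounts count as "different"
// 50053 = account locked / blocked IP, 50126 = bad username or password,
// 50057 = account disabled
let sprayCodes = dynamic(["50053", "50126", "50057"]);
// 1) Windows where one IP fails against many different accounts
let sprayWindows =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (sprayCodes)
    | summarize FailedAttempts = count(),
                TargetedUsers  = dcount(UserPrincipalName),
                SampleUsers    = make_set(UserPrincipalName, 25),
                ClientApps     = make_set(ClientAppUsed, 10),   // exposes legacy protocols (step 4)
                FirstFailure   = min(TimeGenerated)
        by IPAddress, WindowStart = bin(TimeGenerated, binSize)
    | where FailedAttempts > failureThreshold
        and TargetedUsers >= minDistinctUsers;
// 2) Successful sign-ins (ResultType 0) from the same IP in the lookback period
sprayWindows
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessfulUsers = make_set(UserPrincipalName, 25),
                FirstSuccess    = min(TimeGenerated)
        by IPAddress
  ) on IPAddress
| project WindowStart, IPAddress, FailedAttempts, TargetedUsers,
          ClientApps, SampleUsers, SuccessfulUsers, FirstSuccess
| order by FailedAttempts desc
```

Rows with a non-empty SuccessfulUsers column are the ones to treat as an incident; rows without one are blocked sprays worth feeding into the geo-block and legacy-authentication policies.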
See also
- I think I clicked a phishing link. No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely. Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes. Classic problem after a phone upgrade. You are not the first to be locked out.