IncidentsINC-2026-0417
HIGH
M365 password spray from residential proxy
Status · openOwner · j.parkOpened · 6/27/2026, 7:58:11 AMAlerts · 1Entities · 25
Copilot narrativeverdict: pending · 62%
Low-and-slow spray; MFA blocked successful sign-ins. Recommend conditional access tightening.
T1110.003 · Password Spraying/ Credential Access
OCSF timeline
normalized- 07:58 AMcls 3002HIGHLogon Failed (Spray)AuthenticationMicrosoft Sentinel · IDP-SPRAY-RESPROXY-02 · OCSF-ALT-48199-3002src_endpoint.ip104.28.211.18