The question
What we told them
It was a reasonable belief, and it's aging badly. Security reporting this week describes campaigns that test stolen credentials against Microsoft accounts using abused authentication flows — techniques built specifically to avoid generating the burst of failed sign-ins that alerting is tuned to catch. If your detection strategy is “watch for failed logins,” these attempts happen below it.
Two facts frame the risk. First, the passwords being tested usually weren't stolen from you — they came from breaches at other services, and they work because people reuse them. Second, the attacker's goal is a successful sign-in that looks routine, which is exactly the event most small-business tenants never review.
What actually holds the line:
- MFA on every account, no exceptions. A tested password without the second factor is a dead end. Prefer app-based or hardware-backed factors over text messages where you can.
- Conditional access doing real work. Block legacy authentication protocols outright — they're the abused flows in most of these campaigns — and add device or location conditions for sensitive access.
- Watch successes, not just failures. A sign-in from a new country at 3am that succeeded is more urgent than a hundred failures. Impossible-travel and unfamiliar-location alerts exist in the platform; most tenants never turn them on.
- Kill password reuse. A password manager for the team costs less per month than one incident response hour.
If your tenant hasn't had a settings review since it was set up, this is the week. The gaps above are the same ones we find on almost every tenant we audit.
“We'd see the failed logins” is no longer a defense. Assume some of your passwords are already in breach dumps, require MFA everywhere, block legacy auth, and review successful sign-ins for oddities — not just failures.