SOCshare: What's new in April 2024?

What may be hiding behind unsuccessful logins?

In April, as part of the SOCshare project, we analysed the sources and trends of unsuccessful logins to different accounts. More than 15% of all automated notifications of potential security threats from the QRadar SIEM system can be classified as failed authorisation attempts. While this may seem like mere ‘background noise’, it deserves close attention, because a more sophisticated or targeted attack may be hidden within the huge number of automated login attempts.
Let’s look at the countries from which login attempts were made. To narrow down and refine the data, we selected login attempts to O365/Microsoft accounts. We also filtered out the failed attempts that were most likely made by internal users themselves, i.e. cases where the data suggests the user simply failed to log in: the attempt came from the usual place, on the usual device, at the usual time, and so on. We also removed Lithuania from the statistics, as the majority of our customers are based there.

Below are the TOP 5 countries from which we see unsuccessful attempts to connect to O365 accounts:

Country        Code   Share of failed O365 login attempts
China          CN     21.84%
USA            US     12.56%
South Korea    KR      7.63%
Russia         RU      4.64%
India          IN      3.65%

These five countries alone already account for 50% of all unsuccessful login attempts. Although a conditional access policy can restrict the countries from which connections are allowed, the usual recommendation is to block countries that are not friendly to Lithuania, and the USA, South Korea and India would not appear on such lists. Taking all countries in the European Economic Area (except Lithuania), as many as 25% of all failed connection attempts come from friendly countries, which companies usually exclude from geo-blocking policies, so it is important to remain vigilant.
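The filtering and ranking described above (drop failures from the home country and from the user's own usual location and device, then rank the rest by source country and measure the share coming from EEA countries that geo-blocking leaves open), as an added Python example that is not part of the SOCshare post. The event schema, the `is_likely_self_failure` heuristic and the sample events are constructed assumptions, not QRadar's format or real telemetry.

```python
# Added example (not from the SOCshare post). Ranks failed O365 logins by
# source country after excluding the home country and likely user mistakes,
# then measures the share that comes from EEA countries (constructed schema).
from collections import Counter

HOME_COUNTRY = "LT"
# EEA members minus the home country (assumption: the set the post means by
# "European Economic Area (except Lithuania)").
EEA = {"AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU","IS",
       "IE","IT","LV","LI","LU","MT","NL","NO","PL","PT","RO","SK","SI","ES","SE"}

def is_likely_self_failure(event, baseline):
    """Constructed heuristic: the user's usual country and device -> own typo."""
    known = baseline.get(event["user"])
    return known is not None and (event["country"], event["device"]) == known

def rank_failed_logins(events, baseline, home=HOME_COUNTRY):
    """Counter of country -> external, non-self failed O365 logins."""
    counts = Counter()
    for ev in events:
        if ev["app"] != "O365" or ev["outcome"] != "failure":
            continue  # only failed O365/Microsoft authentications
        if ev["country"] == home or is_likely_self_failure(ev, baseline):
            continue  # drop home country and the user's own mistakes
        counts[ev["country"]] += 1
    return counts

def share(counts, countries):
    """Fraction of the remaining failures that come from `countries`."""
    total = sum(counts.values())
    return 0.0 if total == 0 else sum(counts[c] for c in countries) / total

# Constructed sample data: user baselines and events, not real telemetry.
BASELINE = {"alice": ("LT", "laptop-a1"), "bob": ("DE", "laptop-b2")}
EVENTS = [
    {"user": "alice", "app": "O365", "outcome": "failure", "country": "LT", "device": "laptop-a1"},
    {"user": "bob",   "app": "O365", "outcome": "failure", "country": "DE", "device": "laptop-b2"},
    {"user": "bob",   "app": "O365", "outcome": "failure", "country": "DE", "device": "unknown"},
    {"user": "alice", "app": "O365", "outcome": "failure", "country": "CN", "device": "unknown"},
    {"user": "alice", "app": "O365", "outcome": "failure", "country": "CN", "device": "unknown"},
    {"user": "carol", "app": "O365", "outcome": "failure", "country": "US", "device": "unknown"},
    {"user": "carol", "app": "VPN",  "outcome": "failure", "country": "RU", "device": "unknown"},
    {"user": "alice", "app": "O365", "outcome": "success", "country": "FR", "device": "unknown"},
]

if __name__ == "__main__":
    counts = rank_failed_logins(EVENTS, BASELINE)
    for country, n in counts.most_common(5):
        print(f"{country} {100 * n / sum(counts.values()):.2f}%")
    print(f"EEA share: {100 * share(counts, EEA):.2f}%")  # 25.00% on the sample
```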

Part-funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect the views and opinions of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
