SOCshare: What's new in April 2024?

What may be hiding behind unsuccessful logins?

In April, as part of the SOCshare project, we analysed the sources and trends of unsuccessful logins to different accounts. More than 15% of all automated notifications of potential security threats from the QRadar SIEM system can be classified as failed authorisation attempts. While this may look like mere ‘background noise’, it deserves close attention: a more sophisticated or targeted attack can hide among the huge number of automated login attempts.
Let’s look at the countries from which the login attempts were made. To narrow down and refine the data, we selected login attempts against O365/Microsoft accounts. We also filtered out failures most likely caused by internal users themselves, i.e. cases where the data suggest that the user tried to log in and failed: the attempt came from the usual location, on the usual device, at the usual time, and so on. Finally, we removed Lithuania from the statistics, as the majority of our customers are based there.

Below are the TOP 5 countries from which we see unsuccessful attempts to connect to O365 accounts:

Country        Code   Share of failed O365 login attempts
China          CN     21.84%
USA            US     12.56%
South Korea    KR     7.63%
Russia         RU     4.64%
India          IN     3.65%


These five countries alone already account for 50% of all unsuccessful login attempts. We could set a conditional access policy restricting the countries from which connections are allowed, but such policies are usually recommended for blocking countries that are not friendly to Lithuania, and the USA, South Korea or India would not appear on those lists. Looking at all countries in the European Economic Area (except Lithuania), we see that as many as 25% of all failed connection attempts come from friendly countries, which companies usually exclude from geo-blocking policies, so it is important to remain vigilant.
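The filtering and aggregation steps described above (keep only failed O365 sign-ins, drop attempts that look like the user's own from the usual place, device and time, drop the home country, then rank countries by share and sum the share of a friendly region) can be reproduced as a small script. The code below is an added example and not part of the original post or of NRD's tooling; the event records, the per-user baseline, the field names, the two-hour "usual time" tolerance and the EEA code list are all constructed assumptions, not QRadar's schema or real data.

```python
from collections import Counter

# Constructed sample of failed O365 sign-in events (not real QRadar data).
# Field names are hypothetical; a real export would use the SIEM's own schema.
FAILED_LOGINS = [
    {"user": "alice", "country": "LT", "device": "lt-laptop-01", "hour": 9},
    {"user": "alice", "country": "LT", "device": "unknown", "hour": 3},
    {"user": "bob",   "country": "DE", "device": "de-laptop-02", "hour": 14},
    {"user": "bob",   "country": "DE", "device": "unknown", "hour": 2},
    {"user": "alice", "country": "CN", "device": "unknown", "hour": 3},
    {"user": "alice", "country": "CN", "device": "unknown", "hour": 4},
    {"user": "alice", "country": "CN", "device": "unknown", "hour": 5},
    {"user": "bob",   "country": "US", "device": "unknown", "hour": 1},
    {"user": "bob",   "country": "US", "device": "unknown", "hour": 2},
    {"user": "alice", "country": "KR", "device": "unknown", "hour": 6},
    {"user": "bob",   "country": "PL", "device": "unknown", "hour": 7},
    {"user": "alice", "country": "RU", "device": "unknown", "hour": 8},
    {"user": "alice", "country": "NL", "device": "unknown", "hour": 10},
]

# Constructed per-user baseline: the "usual place, usual device, usual time"
# used to recognise a user's own unsuccessful attempts.
BASELINE = {
    "alice": {"country": "LT", "device": "lt-laptop-01", "hour": 9},
    "bob":   {"country": "DE", "device": "de-laptop-02", "hour": 14},
}

# EEA country codes (ISO 3166-1 alpha-2) used for the regional share.
# Lithuania is deliberately absent: it is the home country and is excluded.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IS", "IE", "IT", "LV", "LI", "LU", "MT", "NL", "NO", "PL", "PT",
       "RO", "SK", "SI", "ES", "SE"}

HOME_COUNTRY = "LT"
HOUR_TOLERANCE = 2  # assumption: within two hours of the usual hour counts as "usual time"


def is_likely_internal(event, baseline):
    """A failure from the user's usual country, usual device and usual hour
    is most likely the user's own mistake, not an external attempt."""
    usual = baseline.get(event["user"])
    if usual is None:
        return False
    return (event["country"] == usual["country"]
            and event["device"] == usual["device"]
            and abs(event["hour"] - usual["hour"]) <= HOUR_TOLERANCE)


def filter_events(events, baseline, home=HOME_COUNTRY):
    """Drop the home country and likely-internal failures."""
    return [e for e in events
            if e["country"] != home and not is_likely_internal(e, baseline)]


def country_shares(events):
    """Percentage of remaining failures per country, highest first."""
    counts = Counter(e["country"] for e in events)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {c: round(100.0 * n / total, 2) for c, n in counts.most_common()}


def region_share(shares, region):
    """Combined share of all countries in a region (e.g. the EEA)."""
    return round(sum(v for c, v in shares.items() if c in region), 2)


def analyse(events, baseline, home=HOME_COUNTRY, region=EEA, top_n=5):
    kept = filter_events(events, baseline, home)
    shares = country_shares(kept)
    return {
        "kept": kept,
        "shares": shares,
        "top5": list(shares.items())[:top_n],
        "region_share": region_share(shares, region),
    }


if __name__ == "__main__":
    result = analyse(FAILED_LOGINS, BASELINE)
    print(f"{len(result['kept'])} external failed logins after filtering")
    for code, pct in result["top5"]:
        print(f"{code}\t{pct}%")
    print(f"EEA share: {result['region_share']}%")
```

On the constructed sample the filter removes the three Lithuanian or likely-internal records, China and the USA head the ranking, and the EEA countries (DE, PL, NL) together hold 30% of the remaining failures, which is the figure a geo-blocking policy built only from an "unfriendly countries" list would never touch.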

Part-funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect the views and opinions of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
