AN1265: Analytic 1265
Same source IP performing multiple authentication attempts using known breached username/password combinations across different identities in Azure AD, Okta, or Duo
Analyst context for executives and security teams
This analytic is about spotting one source IP trying known breached username/password pairs against multiple identities in an identity provider such as Azure AD, Okta, or Duo. For leaders, the significance is not the IP itself; it is whether the organization can recognize credential-stuffing-style authentication pressure before it becomes an account takeover, helpdesk surge, or incident response escalation.
Executive priority
Prioritize this as an identity resilience and SOC readiness check. Security leaders should ask whether authentication logs from the identity provider are centrally collected, whether failed and successful attempts can be tied to source IP and user identity, and whether response teams have a playbook for many identities targeted from one source. This also supports compliance evidence around monitoring access attempts and protecting accounts that may be exposed through external credential breaches.
Technical view
Validate the ability to detect repeated authentication attempts from the same source IP across different identities in the identity provider. The supplied ATT&CK object names Azure AD, Okta, and Duo as examples, but the platform scope is Identity Provider. Because no official detection logic or tactics are provided, teams should tune locally using identity-provider sign-in events, outcome fields, source IP, username/account identifiers, and indicators that the attempted credentials are associated with known breached combinations where that context is available.
Likely telemetry
- Identity provider authentication logs
- Failed and successful sign-in events
- Source IP address and geolocation or network context
- Targeted username or account identity
- Authentication outcome and failure reason
Detection direction
- Confirm logs include enough fields to group multiple authentication attempts by source IP across distinct identities.
- Tune thresholds to distinguish broad password-spraying or credential-stuffing patterns from legitimate shared egress points, VPNs, proxies, and corporate NAT traffic.
- Correlate failed attempts with any subsequent successful authentication from the same source IP or against the same targeted identities.
- Review whether known breached credential intelligence is available and how it is represented in identity telemetry; do not assume it exists unless integrated.
- Create triage guidance for SOC analysts covering source IP reputation, number of identities targeted, success rate, MFA outcomes, and whether privileged or sensitive accounts are included.
Mitigation priorities
- Ensure centralized collection and retention of identity provider authentication logs.
- Require strong MFA and conditional access or equivalent risk-based controls for identity provider access.
- Reduce exposed credential risk through password hygiene, breached-password controls where available, and rapid reset processes for affected accounts.
- Prepare incident response actions for suspected credential stuffing, including account review, session revocation where appropriate, password reset, and user notification workflows.
- Use detection outcomes to refine identity hardening priorities, especially for privileged accounts and externally accessible authentication flows.
Analyst notes and limits
The object is a detection analytic, AN1265, for Identity Provider platforms. It describes a same-source-IP pattern across multiple identities using known breached username/password combinations in Azure AD, Okta, or Duo. No ATT&CK tactics, relationships, or official detection implementation were supplied, so this take focuses on validation questions, telemetry readiness, and conservative detection engineering direction.
This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, adversary attribution, business impact, or guaranteed detection coverage. Local identity-provider logging, breached-credential intelligence availability, network architecture, and authentication policy determine whether this analytic is feasible and reliable.
Analytic 1265
Same source IP performing multiple authentication attempts using known breached username/password combinations across different identities in Azure AD, Okta, or Duo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 6bb1fd0bfcb8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1265Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.