AN1342: Analytic 1342
Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute attempts)
Analyst context for executives and security teams
This analytic matters because repeated failed logins against multiple mailboxes with the same or common passwords can be an early warning of password spraying or brute-force activity against an office suite environment. For leaders, the value is not just catching failed logins; it is confirming whether the organization can quickly distinguish routine user error from coordinated identity attacks before mailbox access, data exposure, or business email disruption occurs.
Executive priority
Prioritize this as an identity and email resilience control. Executives should ask whether security teams have reliable office suite authentication telemetry, whether failed-login patterns across many mailboxes are reviewed quickly, and whether response playbooks can separate benign lockouts from coordinated attacks. This also supports audit and compliance evidence around account monitoring, access control, and incident readiness.
Technical view
SOC and detection teams should validate analytics that look across user mailboxes for failed authentication attempts using identical or commonly attempted passwords, especially for OWA-style access patterns where available. Because no ATT&CK detection logic or relationships are supplied, implementation should be locally tested against office suite sign-in data, authentication failure reasons, user distribution, source infrastructure, timestamps, and any available client/application context. Tune for distributed attempts that may avoid simple per-account thresholds.
Likely telemetry
- Office suite authentication and sign-in logs
- Mailbox or OWA failed login events
- User account identifiers targeted by failed authentication
- Timestamps and failure reason codes
- Source IP address, network, geolocation, or autonomous system context where available
Detection direction
- Validate cross-account correlation, not only per-user failed-login thresholds.
- Look for the same or common passwords attempted across multiple mailboxes when password-attempt visibility is available; where passwords are not logged, use correlated failure patterns as a safer proxy.
- Tune for false positives from forgotten passwords, expired credentials, migration activity, service misconfiguration, and user onboarding events.
- Assess blind spots for legacy authentication, OWA-specific logging gaps, incomplete office suite retention, or logs not forwarded to the SIEM.
- Confirm alert triage includes target account count, source distribution, timing, affected business units, and whether any successful authentication followed the failures.
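The cross-account correlation described above, as an added worked example that is not part of the original analytic or of Glexia's content: it groups failed office suite sign-ins by source, flags clusters that hit many distinct mailboxes with only one or two attempts each (the spray shape a per-user threshold misses), and records whether a success from the same source followed. The event schema and the sample events are constructed for illustration; the thresholds are assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). One source tries a
# single bad password per mailbox against five mailboxes, staying under any
# per-account lockout threshold, then succeeds once. A second, benign source is
# one user mistyping their own password three times before getting in.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:00:00", "user": "alice", "src": "203.0.113.10", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T08:00:05", "user": "bob", "src": "203.0.113.10", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T08:00:11", "user": "carol", "src": "203.0.113.10", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T08:00:17", "user": "dave", "src": "203.0.113.10", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T08:00:24", "user": "erin", "src": "203.0.113.10", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T08:02:40", "user": "erin", "src": "203.0.113.10", "result": "success", "app": "OWA"},
    {"ts": "2026-01-10T09:10:00", "user": "frank", "src": "198.51.100.7", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T09:10:20", "user": "frank", "src": "198.51.100.7", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T09:10:41", "user": "frank", "src": "198.51.100.7", "result": "failure", "app": "OWA"},
    {"ts": "2026-01-10T09:11:05", "user": "frank", "src": "198.51.100.7", "result": "success", "app": "OWA"},
]


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return findings keyed by source IP for failure clusters with a spray shape:
    at least min_accounts distinct mailboxes inside the window, no mailbox hit
    more than max_per_account times. Thresholds are assumed values; tune locally."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append({**e, "t": datetime.fromisoformat(e["ts"])})
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        fails = [e for e in evs if e["result"] == "failure"]
        for i, first in enumerate(fails):
            # Sliding window anchored at each failure; the first qualifying cluster wins.
            cluster = [e for e in fails[i:] if e["t"] - first["t"] <= window]
            per_user = defaultdict(int)
            for e in cluster:
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                end = cluster[-1]["t"]
                # A success from the same source after the cluster is the escalation signal.
                success_after = [e["user"] for e in evs
                                 if e["result"] == "success" and end < e["t"] <= end + window]
                findings[src] = {"accounts": sorted(per_user), "attempts": len(cluster),
                                 "success_after": success_after}
                break
    return findings
```

Running `detect_spray(SAMPLE_EVENTS)` flags only 203.0.113.10, with five targeted mailboxes and a later success for erin, while frank's three self-inflicted failures produce no finding.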
Mitigation priorities
- Ensure office suite authentication logs are collected, retained, and searchable by the SOC.
- Use strong identity controls such as multifactor authentication and risk-based or conditional access where available.
- Review lockout, throttling, and password policy settings to reduce brute-force and password-spray effectiveness without creating avoidable business disruption.
- Maintain incident response playbooks for suspected mailbox authentication attacks, including account review and evidence preservation.
- Regularly test detection logic with approved defensive simulations or historical log review to confirm visibility and reduce false positives.
Analyst notes and limits
The supplied object is a detection analytic for Office Suite platforms describing failed authentication attempts across user mailboxes using identical or common passwords, with OWA brute attempts as an example. No tactic, technique relationship, or formal detection query was provided, so this take emphasizes validation of identity telemetry and cross-mailbox correlation rather than a specific ATT&CK technique mapping.
This assessment is limited to the supplied STIX fields, external reference, and lack of relationship context. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local office suite logging capabilities, authentication architecture, retention, and privacy constraints will determine what can actually be detected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7777b5737987… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1342
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.