The Failed Attacks tab provides visibility into unsuccessful login attempts targeting your organization’s M365 environment. This allows you to:
View geographic distribution of attack attempts
Identify most frequently targeted accounts
Recognize specific attack tactics and toolkits
Track attack patterns over time
Generate reports for client presentations
Failed attacks represent unsuccessful attempts to access your tenant. While these attacks were
blocked, they provide valuable intelligence about attacker behavior and targeting patterns.
The interactive map displays the global origins of failed attack attempts. Each point represents the location where an attack was observed.
The geographic location indicates where the attack traffic originated, which may be a proxy or VPN
rather than the attacker’s actual location. The United States is commonly shown as a
source of attack traffic.
Petra specifically identifies known phishing-as-a-service toolkits:
Petra names AitM (adversary-in-the-middle) Phishing-as-a-Service toolkits with the moniker ‘Hornet’.
Names such as “Frantic Hornet” or “Piercing Hornet” indicate more sophisticated
phishing-as-a-service attacks. These toolkits are designed to bypass MFA, and seeing one indicates
that a campaign is underway.