
O365 Multiple Users Failing To Authenticate From Ip

Splunk Security Content

Summary
This detection rule identifies potential brute-force or password-spraying attacks against multiple user accounts in Office 365 (O365). It monitors Azure Active Directory login failures recorded in the O365 audit logs and triggers when more than 10 unique user accounts fail to log in from the same IP address within a 5-minute window. This pattern is a significant security concern because it can indicate an external actor attempting to compromise accounts and gain unauthorized access to the O365 environment. The rule is implemented as a Splunk query that selects login-failure events, aggregates them over 5-minute spans, and filters on the number of distinct accounts affected per source IP. Organizations are advised to respond promptly by blocking the suspicious IP and notifying potentially impacted users so they can strengthen their login security against further attempts.
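The aggregation described above, reproduced in Python as an added illustration (this is not Splunk's rule or the project's own code): failures are aligned to fixed 5-minute buckets, grouped by source IP, and flagged when the count of distinct accounts exceeds 10. The field names `CreationTime`, `Operation`, `UserId`, `ClientIP` and the operation value `UserLoginFailed` are assumed to follow the Office 365 management-activity schema, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def sample_events():
    """Constructed O365 management-activity style records (all values made up)."""
    base = datetime(2024, 11, 14, 9, 0, tzinfo=timezone.utc)
    ev = []
    # 203.0.113.10: 11 distinct accounts fail inside one 5-minute window -> alert
    for i in range(11):
        ev.append({"CreationTime": base + timedelta(seconds=10 * i),
                   "Operation": "UserLoginFailed",
                   "UserId": f"user{i}@example.com", "ClientIP": "203.0.113.10"})
    # 198.51.100.7: 11 failures but only 3 distinct accounts -> no alert
    for i in range(11):
        ev.append({"CreationTime": base + timedelta(seconds=10 * i),
                   "Operation": "UserLoginFailed",
                   "UserId": f"user{i % 3}@example.com", "ClientIP": "198.51.100.7"})
    # 192.0.2.5: 11 distinct accounts split 6/5 across two windows -> no alert
    for i in range(11):
        offset = timedelta(minutes=0 if i < 6 else 7, seconds=i)
        ev.append({"CreationTime": base + offset, "Operation": "UserLoginFailed",
                   "UserId": f"acct{i}@example.com", "ClientIP": "192.0.2.5"})
    # A successful login from the spraying IP is never counted
    ev.append({"CreationTime": base, "Operation": "UserLoggedIn",
               "UserId": "admin@example.com", "ClientIP": "203.0.113.10"})
    return ev


def detect_spray(events, window_minutes=5, threshold=10):
    """Return sorted (window_start, ip, distinct_users) tuples for every
    5-minute bucket in which more than `threshold` distinct accounts
    failed to authenticate from one IP (mirrors count(distinct user) > 10)."""
    users = defaultdict(set)
    for e in events:
        if e["Operation"] != "UserLoginFailed":
            continue
        t = e["CreationTime"]
        # Align to a fixed bucket boundary, like Splunk's `bin _time span=5m`
        start = t.replace(minute=t.minute - t.minute % window_minutes,
                          second=0, microsecond=0)
        users[(start, e["ClientIP"])].add(e["UserId"])
    return sorted((s, ip, len(u)) for (s, ip), u in users.items()
                  if len(u) > threshold)


if __name__ == "__main__":
    for start, ip, n in detect_spray(sample_events()):
        print(f"{start.isoformat()} {ip}: {n} distinct accounts failed")
```

Raw failure counts and distinct-account counts diverge on the second IP, and a burst that straddles a bucket boundary on the third IP is missed, which is why analysts often also review adjacent windows when tuning this rule.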
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14