
Summary
This detection rule identifies successful password spray attacks, in which an attacker tries a small number of commonly used passwords against a large number of accounts. It detects this activity through the 'passwordSpray' risk event type in the Azure risk detection service. The rule flags attempted logins that match these criteria, giving security teams visibility into potential compromises. Password spray attacks often result from the use of weak or commonly recycled passwords, which highlights the need for organizations to implement stronger authentication measures. The recommendation is to investigate flagged sessions in the context of the user's overall sign-in behavior, to weed out false positives caused by legitimate users accessing their accounts.
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
Created: 2023-09-03