
Summary
The 'O365 Multi-Source Failed Authentications Spike' analytic detects spikes in failed authentication attempts within an Office 365 environment, specifically the pattern produced by distributed password spraying. The detection rule uses events from the Office 365 Management Activity logs, filtered to UserLoginFailed operations with ErrorNumber 50126. It aggregates those events over a 5-minute time frame and counts the distinct users, distinct source IP addresses, and distinct user/IP combinations seen in that window; when each of these counts exceeds the threshold of 20, an alert is generated. The significance of this detection lies in its ability to uncover attempts to bypass security controls by spreading login attempts across many IP addresses and user agents, which could indicate a coordinated attack aimed at gaining unauthorized access, escalating privileges, or facilitating lateral movement within an organization. Prompt detection is vital for mitigating the risk of account takeovers and related security threats.
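The aggregation described above, re-implemented in Python over constructed sample events as an added illustration (this is not the analytic's own query or code). The event field names Operation, ErrorNumber, UserId, ClientIP and CreationTime are assumed to mirror the Office 365 log shape, and the IP addresses and user names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Parameters taken from the detection description: 5-minute buckets, alert when
# distinct users, distinct IPs and distinct user/IP pairs all exceed 20.
WINDOW_SECS = 300
THRESHOLD = 20
TARGET_ERROR = "50126"   # ErrorNumber the rule filters on

def bucket_start(ts: datetime) -> datetime:
    """Align a timestamp to the start of its 5-minute bucket (a time bin, as in a SIEM query)."""
    secs = int(ts.timestamp())
    return datetime.fromtimestamp(secs - secs % WINDOW_SECS, tz=timezone.utc)

def detect_spray(events):
    """Return (bucket_start, users, ips, pairs) for every bucket that exceeds all thresholds.
    Events are dicts with the assumed O365 fields Operation, ErrorNumber, UserId,
    ClientIP and CreationTime (ISO-8601, UTC)."""
    buckets = defaultdict(lambda: {"users": set(), "ips": set(), "pairs": set()})
    for ev in events:
        # Same filter as the rule: UserLoginFailed with ErrorNumber 50126 only.
        if ev.get("Operation") != "UserLoginFailed" or str(ev.get("ErrorNumber")) != TARGET_ERROR:
            continue
        ts = datetime.fromisoformat(ev["CreationTime"].replace("Z", "+00:00"))
        user, ip = ev["UserId"].lower(), ev["ClientIP"]
        b = buckets[bucket_start(ts)]
        b["users"].add(user)
        b["ips"].add(ip)
        b["pairs"].add((user, ip))
    alerts = []
    for start in sorted(buckets):
        u, i, p = (len(buckets[start][k]) for k in ("users", "ips", "pairs"))
        if u > THRESHOLD and i > THRESHOLD and p > THRESHOLD:   # strict: 20 is not enough
            alerts.append((start, u, i, p))
    return alerts

def constructed_events():
    """Constructed sample telemetry (not real logs): a distributed spray burst of 25 users
    from 25 IPs inside 09:00-09:05, one failure with a different ErrorNumber that must be
    ignored, and a single user failing three times at 09:30 that must not alert."""
    base = datetime(2024, 11, 14, 9, 0, tzinfo=timezone.utc)
    def ev(user, ip, err=50126, offset=0):
        return {"Operation": "UserLoginFailed", "ErrorNumber": err, "UserId": user,
                "ClientIP": ip, "CreationTime": (base + timedelta(seconds=offset)).isoformat()}
    evs = [ev(f"user{n}@example.com", f"203.0.113.{n}", offset=10 * n) for n in range(25)]
    evs.append(ev("bob@example.com", "203.0.113.99", err=50055, offset=5))
    evs += [ev("alice@example.com", "198.51.100.7", offset=1800 + n) for n in range(3)]
    return evs
```

Running `detect_spray(constructed_events())` yields one alert for the 09:00 bucket with 25 users, 25 IPs and 25 pairs; the 09:30 repeated failures from one user stay below every threshold.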
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
ATT&CK Techniques
- T1110
- T1586
- T1586.003
- T1110.003
- T1110.004
Created: 2024-11-14