
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Splunk Security Content
Summary
This detection rule identifies abnormal patterns in which a single source user fails to authenticate as many different users by using explicit credentials on one host. The detection leverages Windows Event ID 4648, which records logon attempts made with explicit credentials, and uses statistical analysis to flag anomalies based on the standard deviation of the number of accounts tried. By applying the 3-sigma rule, the search can surface potential password spraying, where an attacker tries a small set of common passwords against many accounts to gain unauthorized access. If this behavior is confirmed malicious, it can lead to unauthorized system access, privilege escalation, or compromise of the Active Directory environment. The implementation requires ingesting Windows Event Logs and enabling the relevant audit policies so that explicit-credential logon activity is recorded accurately.
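To make the 3-sigma logic concrete, here is an added Python re-implementation of the statistical check over constructed Event ID 4648 records. It is not the rule's own SPL from Splunk Security Content; the 5-minute window, the record field layout, and the minimum-accounts floor are assumptions made for this illustration.

```python
"""Added example: re-implements the 3-sigma idea described above in Python.
It is NOT the rule's own SPL; the field layout, the 5-minute window and the
minimum-accounts floor are assumptions made for this illustration."""
from collections import defaultdict
from statistics import mean, pstdev

BUCKET_SECONDS = 300  # assumed 5-minute window

# Constructed sample of Event ID 4648 records: (host, source user, target user, epoch secs).
# alice and bob provide a quiet baseline; svc_ci touches 15 accounts in one window.
SAMPLE_4648 = (
    [("WS01", "alice", "alice", 1000 + i * 300) for i in range(24)]
    + [("WS01", "bob", t, 20000 + i * 300) for i in range(6) for t in ("bob", "svc_backup")]
    + [("WS02", "carol", "carol", 2000)]
    + [("WS01", "svc_ci", f"user{i:02d}", 9000 + i) for i in range(15)]
)

def bucket_counts(events, span=BUCKET_SECONDS):
    """Distinct target accounts per (bucket start, host, source user)."""
    targets = defaultdict(set)
    for host, src, tgt, ts in events:
        targets[(ts - ts % span, host, src)].add(tgt)
    return {key: len(accts) for key, accts in targets.items()}

def find_outliers(events, sigma=3, min_accounts=10):
    """Return (host, source user, bucket, count) where the distinct-account
    count is at or above mean + sigma*stdev of all buckets on that host.
    min_accounts is an assumed floor: on a host with only one or two buckets
    the stdev is ~0 and every bucket would otherwise sit "above" the baseline."""
    counts = bucket_counts(events)
    per_host = defaultdict(list)
    for (_, host, _), n in counts.items():
        per_host[host].append(n)
    hits = []
    for (bucket, host, src), n in counts.items():
        vals = per_host[host]
        upper = mean(vals) + sigma * pstdev(vals)
        if n >= min_accounts and n >= upper:
            hits.append((host, src, bucket, n))
    return sorted(hits)

if __name__ == "__main__":
    for host, src, bucket, n in find_outliers(SAMPLE_4648):
        print(f"{host}: {src} used explicit credentials for {n} accounts in window {bucket}")
```

Dropping the floor (`min_accounts=0`) shows why it matters: WS02 has a single bucket, so its standard deviation is zero and its one normal logon would be flagged as an outlier.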
Categories
- Windows
- Endpoint
- Infrastructure
- Identity Management
Data Sources
- Windows Registry
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13