Windows Unusual NTLM Authentication Destinations By Source

Splunk Security Content

Summary
This detection rule targets unusual patterns of NTLM authentication attempts from a single source to multiple destinations within a Windows environment. It is effective against brute force and password spraying attacks that abuse NTLM authentication, in which an attacker tries to authenticate to many domain-joined devices using potentially compromised credentials. The rule consumes events generated as Event ID 8004, which logs NTLM authentication occurrences, and uses statistical methods to identify outliers based on the number of unique destinations reached by the same source. A source that makes an unusually high number of authentication attempts across different destinations may indicate malicious activity and warrants further investigation.
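The outlier logic the summary describes, written out as an added Python example; it is not the rule's own Splunk search and not code from the Splunk Security Content project. The event field names (`workstation`, `target_server`), the sample records and the threshold (mean plus three sample standard deviations of the per-source unique-destination count) are all assumptions made for this illustration; the page does not state the rule's actual threshold.

```python
import statistics
from collections import defaultdict


def build_sample_events():
    """Constructed sample records, not real telemetry.

    Each record approximates the two fields of a Windows Event ID 8004 NTLM
    audit event that this kind of rule keys on: the workstation that
    originated the authentication and the server it authenticated to.
    The field names are assumptions for this example.
    """
    events = []
    # 20 ordinary workstations, each talking to one or two shared servers
    for i in range(20):
        ws = f"WKS-{i:02d}"
        events.append({"workstation": ws, "target_server": "FS01"})
        if i % 2:
            events.append({"workstation": ws, "target_server": "PRINT01"})
        # a repeat to the same server must not inflate the unique count
        events.append({"workstation": ws, "target_server": "FS01"})
    # one host fanning out to 30 distinct servers, the shape a spray leaves
    for j in range(30):
        events.append({"workstation": "WKS-SPRAY", "target_server": f"SRV{j:02d}"})
    return events


def unique_destinations_by_source(events):
    """Count distinct target servers per originating workstation."""
    dests = defaultdict(set)
    for e in events:
        dests[e["workstation"]].add(e["target_server"])
    return {ws: len(servers) for ws, servers in dests.items()}


def flag_outliers(counts, k=3.0):
    """Return sources whose unique-destination count exceeds mean + k * stdev.

    The threshold form is an assumption for this example (a common choice);
    with fewer than two sources the standard deviation is undefined, so
    nothing is flagged rather than guessing.
    """
    values = list(counts.values())
    if len(values) < 2:
        return {}
    avg = statistics.fmean(values)
    sd = statistics.stdev(values)
    upper = avg + k * sd
    return {ws: n for ws, n in counts.items() if n > upper}


def destinations_for(events, source):
    """Sorted list of servers a flagged source touched, for triage."""
    return sorted({e["target_server"] for e in events if e["workstation"] == source})


if __name__ == "__main__":
    evts = build_sample_events()
    counts = unique_destinations_by_source(evts)
    for ws, n in flag_outliers(counts).items():
        print(f"{ws}: {n} unique destinations -> {destinations_for(evts, ws)[:5]} ...")
```

With the constructed data the benign hosts reach one or two servers, the spraying host reaches 30, and only the latter clears the threshold (roughly 21.6 here). Two caveats a practitioner should keep in mind when porting this idea to real data: Event ID 8004 is only written once NTLM auditing has been enabled on the domain controllers, so an empty result may mean missing telemetry rather than absence of activity; and with only a handful of sources the outlier itself inflates the standard deviation enough to hide it, so the baseline needs a reasonable population of sources (or a robust statistic such as median and MAD) to be meaningful.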
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13