> ## Documentation Index
> Fetch the complete documentation index at: https://docs.petrasecurity.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Who is attacking my environment? (Failed Attacks)

> Investigate unsuccessful login attempts and attacker behavior

## Overview

The Failed Attacks tab provides visibility into unsuccessful login attempts targeting your organization's M365 environment. This allows you to:

* View geographic distribution of attack attempts
* Identify most frequently targeted accounts
* Recognize specific attack tactics and toolkits
* Track attack patterns over time
* Generate reports for client presentations

<Info>
  Failed attacks represent unsuccessful attempts to access your tenant. While these attacks were blocked, they provide valuable intelligence about attacker behavior and targeting patterns.
</Info>

## Accessing Failed Attacks

1. Navigate to your tenant by selecting it from the tenant selector in the top left corner.
2. Click on the **Reporting** tab in the top navigation bar.
3. Select the **Failed Attacks** tab.

<Frame>
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/v2OWWC-gCEvr839N/images/failed_attacks_page.png?fit=max&auto=format&n=v2OWWC-gCEvr839N&q=85&s=fee4656284b9ca1aaf6af0bf2206549a" alt="" width="3422" height="1994" data-path="images/failed_attacks_page.png" />
</Frame>

## Dashboard Components

### Geographic Distribution Map

The interactive map displays the global origins of failed attack attempts. Each point represents the location where an attack was observed.

<Info>
  The geographic location indicates where the attack traffic originated, which may represent proxies or VPNs rather than the attacker's actual location. The United States is commonly shown as a source of attack traffic.
</Info>

### Attack Statistics

The dashboard shows key metrics including:

* Total number of failed attacks
* Top countries of origin
* Attack tactics observed
* Timeline showing attack frequency
* Most targeted accounts

### Attack Types

Petra identifies the types of failed attacks. Here are a few of the most common:

#### Legacy Authentication

The most common attack vector involves legacy authentication protocols, which often lack modern security controls.

#### Attacker-in-the-Middle (AiTM) Toolkits

Petra specifically identifies known phishing-as-a-service toolkits:

<Warning>
  Petra names AitM Phishing-as-a-Service toolkits with the moniker 'Hornet'. When you see "Frantic Hornet" or "Piercing Hornet", for example, these indicate more sophisticated phishing-as-a-service attacks. These tools are designed to bypass MFA and indicate there is a campaign underway.
</Warning>

#### Cloud Resource Targeting

Attacks labeled "Azure ACOM" or "Azure SSO Spoof" indicate attempts to access Azure resources, potentially to:

* Deploy cryptocurrency mining operations
* Spin up unauthorized cloud resources
* Access sensitive data

## Detailed Attack List

Below the summary dashboard, you'll find a detailed list of all failed attacks:

1. **Filter the list** to focus on specific attack types
2. **Sort by date** to identify recent campaign patterns
3. **Look for patterns** in targeted accounts or attack methods

<Tip>
  Pay special attention to non-legacy auth attacks, as these often indicate more sophisticated threat actors specifically targeting your organization.
</Tip>

<Frame>
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/v2OWWC-gCEvr839N/images/failed_attacks_list.png?fit=max&auto=format&n=v2OWWC-gCEvr839N&q=85&s=2c7ee5f10a73f5c4416187ad43c61c06" alt="" width="3422" height="1998" data-path="images/failed_attacks_list.png" />
</Frame>

## Understanding Targeted Accounts

Common targets typically include:

* **Shared mailboxes**: accounts like sales@, info@, or accounting@
* **Executive accounts**: CEO, CFO and other C-suite positions
* **Previously compromised users**: attackers often repeatedly target users who have clicked phishing links in the past

<Check>
  Targeted accounts are great first steps for hardening an environment. They make fantastic launchpads for M365 hardening projects.
</Check>

<Frame>
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/v2OWWC-gCEvr839N/images/failed_attacks_targeted.png?fit=max&auto=format&n=v2OWWC-gCEvr839N&q=85&s=9c0e15f513bb6e663ff08d76f7f2fe29" alt="" width="3420" height="1344" data-path="images/failed_attacks_targeted.png" />
</Frame>

## Generating Reports

Failed attack data can be compiled into client-ready PDF reports:

1. Navigate to the **Report Builder** section
2. Select the failed attacks module
3. Generate a PDF containing:
   * Summary of attack statistics
   * Specifically listing: who's being targeted, by which attack vectors
   * Sample of notable failed attacks
   * Uncommon attack activity details

<Tip>
  For more detailed analysis of specific attack patterns, see our [Research](https://www.petrasecurity.com/research)
</Tip>

<Frame caption="Note that this report can be customized to fit your branding.">
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/FbukLCiw2zkqhqG8/images/report_first_page.png?fit=max&auto=format&n=FbukLCiw2zkqhqG8&q=85&s=c78d40344f3ac920c13281845f346de8" alt="" width="3428" height="1994" data-path="images/report_first_page.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/FbukLCiw2zkqhqG8/images/report_second_page.png?fit=max&auto=format&n=FbukLCiw2zkqhqG8&q=85&s=a468b5d651070c1bbb3f709c6764f659" alt="" width="3422" height="1994" data-path="images/report_second_page.png" />
</Frame>
