When Brute Force Goes Unnoticed for Days: Detection Gaps That Let Attackers Settle In

By IPThreat Team July 10, 2026

The Threat Landscape Driving This Conversation

Brute force attacks have evolved well past the simple dictionary runs that early intrusion detection systems were built to catch. The July 2026 ISC SANS Stormcast and a recent Palo Alto Networks threat brief on large-scale credential attacks both point to the same operational reality: attackers are not hammering login endpoints with thousands of requests per minute anymore. They are spreading attempts across days, rotating infrastructure, and blending into legitimate traffic patterns until the damage is already done.

The broader ransomware surge documented across the security community in mid-2026 reinforces why this matters. Ransomware groups rely on initial access, and brute force against RDP, VPN gateways, SSH, and cloud management consoles remains one of the most reliable entry paths available. The Scattered Spider prosecution that opened in 2026 illustrated exactly how effective persistent, low-volume credential attacks against enterprise environments can be when detection is tuned for volume rather than behavior.

This article focuses on what detection actually requires in practice, where prevention controls fail under real attack conditions, and what implementation looks like when you move from policy documents to working defenses.

What Modern Brute Force Actually Looks Like in Practice

Classic brute force assumes a single source hammering a single target. That model describes a small fraction of what security teams encounter today. The dominant patterns now fall into a few categories that your detection logic needs to account for separately.

Distributed low-and-slow attacks distribute authentication attempts across hundreds or thousands of IP addresses, often sourced from residential proxy networks or compromised cloud instances. Each individual source generates only one or two failed attempts per hour, well below any threshold alert you have set for a single IP. The signal only becomes visible in aggregate, which requires correlation logic that most SIEM deployments do not have enabled by default.

Credential stuffing with targeted validation is technically distinct from pure brute force, but the detection and prevention overlap significantly. Attackers acquire breach datasets, validate credentials against your login endpoint with high accuracy, and generate low failed-login rates because a meaningful percentage of attempts succeed. Your failed-login alert never fires, but accounts are being compromised in real time.

Protocol-specific attacks target services that organizations frequently overlook. SSH on non-standard ports, RDP exposed through poorly configured cloud security groups, SMTP authentication endpoints, OWA and Exchange Web Services, and SaaS application APIs all represent attack surfaces that generate authentication logs in different places, making unified detection harder.

Timed burst attacks concentrate attempts during periods of high legitimate authentication traffic, typically business hours on Monday mornings or immediately after announced system maintenance windows. The attacker's traffic blends into the noise of legitimate users reconnecting, and alert thresholds that would catch the same volume at 3 AM miss it entirely at 9 AM.

Where Detection Actually Breaks Down

Understanding why brute force goes undetected for days requires an honest look at how detection logic is built and where its assumptions fail.

Threshold-based alerting tied to a single source IP is the most common detection mechanism and the most straightforward to evade. Attackers know common threshold values because they are publicly documented in vendor best practice guides. A threshold of ten failed logins per minute from a single IP is trivially bypassed by staying at nine. Thresholds calibrated on IP address need to be supplemented with thresholds on account name, geographic anomaly, ASN concentration, and user agent consistency.

Log collection gaps create blind spots that attackers can map and exploit. Organizations that forward Windows Security Event logs to their SIEM but do not collect Linux PAM logs, VPN authentication logs, or cloud IAM audit trails leave entire attack surfaces without detection coverage. A brute force campaign against AWS IAM console logins will generate detailed CloudTrail entries, but if those entries are not in your SIEM and correlated against your other authentication data, the attack is invisible.

Alert fatigue from noisy, poorly tuned rules causes analysts to deprioritize authentication alerts as a category. When a rule fires hundreds of times per shift due to misconfigured service accounts or legitimate scanning tools, analysts begin treating authentication alerts as background noise. Attackers benefit from this systematically.

Time zone and working hours assumptions in detection rules mean that attacks timed to occur during your team's off-hours face reduced analyst coverage even when alerts do fire. Automated response actions that require analyst confirmation before blocking introduce latency that a fast attacker can exploit.

Detection Checklist for Security Operations Teams

The following checklist addresses the gaps described above with specific, implementable controls. Review each item against your current configuration rather than your documented policy.

  • Cross-account failed login correlation: Confirm your SIEM has a rule that counts failed authentication attempts against multiple distinct usernames from a single source IP within a rolling time window of at least one hour. A single IP attempting five different usernames with two failures each should fire an alert even if no single-account threshold is crossed.
  • Distributed attack detection: Implement a rule that aggregates failed logins by target account across all source IPs. More than fifteen failed logins against a single account from more than ten distinct IPs in a sixty-minute window is a strong signal of distributed brute force.
  • Success-after-failure alerting: Any successful authentication that follows three or more failed attempts for the same account within the past twenty-four hours should trigger an immediate alert, regardless of the time elapsed. This catches slow attacks that eventually succeed.
  • Authentication log completeness audit: Run a quarterly audit confirming that authentication events from all of the following sources are ingesting correctly: Active Directory domain controllers, Azure AD and Entra ID sign-in logs, AWS CloudTrail IAM events, VPN gateway authentication logs, SSH daemon logs from Linux systems, and any SaaS applications with API-accessible audit logs.
  • Impossible travel and geographic velocity checks: Flag any account that authenticates successfully from two geographically distinct locations within a timeframe that makes physical travel impossible. This catches successful brute force from attacker infrastructure even when the attacker has valid credentials.
  • User agent and TLS fingerprint consistency: For web application logins, track the user agent strings and JA3/JA3S TLS fingerprints associated with each account's normal authentication pattern. Deviation from that pattern during a brute force window is a high-confidence indicator.
  • Service account authentication monitoring: Service accounts should authenticate from a narrow, documented set of source IPs using consistent protocols. Any authentication attempt from an undocumented source against a service account should alert immediately.
  • Lockout and CAPTCHA bypass detection: Monitor for patterns that suggest attackers are testing lockout thresholds, specifically sequences of exactly N-1 failed attempts followed by a pause, then another sequence. This indicates the attacker knows your lockout threshold and is deliberately staying under it.
  • DNS and network context enrichment: Enrich authentication alerts with reverse DNS, ASN ownership, and abuse contact data at alert creation time, not during investigation. Analysts who have to look this up manually will skip the step under load.
  • Automated initial response actions: Define a set of automated responses that trigger without analyst confirmation for high-confidence brute force indicators. Temporary IP-level blocks at the WAF or firewall for confirmed attack sources, combined with account risk flagging in your identity provider, should not require a human to approve before execution.

Prevention Controls and Their Real-World Configurations

Detection without prevention creates alerts with no stopping force. Prevention without detection creates blind spots. The two need to be designed together.

Account Lockout and Throttling

Account lockout policies remain useful but require careful calibration. Aggressive lockout thresholds become a denial-of-service vector against your own users. The practical configuration for most environments is a progressive throttle rather than a hard lockout: five failed attempts triggers a thirty-second delay, ten failed attempts triggers a five-minute delay, fifteen failed attempts triggers a temporary lock requiring secondary verification to unlock. This degrades the attacker's throughput significantly while keeping legitimate users who fat-finger a password from being locked out entirely.

For privileged accounts and service accounts, a lower threshold is appropriate. Three failed attempts against a domain admin account should trigger an immediate alert and temporary suspension pending investigation.

Multi-Factor Authentication Coverage

MFA is the single most effective control against brute force attacks that succeed in guessing a password. Its effectiveness is entirely dependent on coverage. The common gap is that MFA is enforced on the primary SSO portal but not on legacy authentication protocols. Exchange ActiveSync, SMTP AUTH, and IMAP authentication bypass MFA in many configurations because those protocols do not support modern authentication flows. Attackers who obtain a valid password through brute force will probe these endpoints specifically because they bypass MFA.

The remediation is to disable legacy authentication protocols entirely where possible, and to enforce conditional access policies that block legacy protocol authentication from non-trusted networks where disabling is not feasible. Microsoft's guidance on blocking legacy authentication in Entra ID is well-documented and directly applicable to most enterprise environments.

Web Application Firewall and Rate Limiting

WAF rate limiting on login endpoints needs to operate on multiple dimensions simultaneously. Rate limiting by IP alone is insufficient against distributed attacks. Effective configuration applies limits per IP, per session cookie, per form submission fingerprint, and per account name within the request body. Implementing all four layers makes distributed brute force attacks substantially more expensive to operate.

CAPTCHA challenges triggered at a rate limit threshold add friction without blocking legitimate users outright. The current generation of CAPTCHA solutions includes behavioral scoring that can distinguish human users from automated tools even when the automated tools are designed to evade traditional CAPTCHA patterns.

SSH Hardening for Infrastructure

SSH brute force against internet-exposed infrastructure remains a constant background threat. The configuration baseline that closes the most common attack paths includes disabling password authentication entirely in favor of key-based authentication, restricting the SSH service to a non-standard port if operational requirements allow, implementing TCP wrappers or firewall rules that limit source IPs to known management networks, and deploying a tool like fail2ban or a cloud-native equivalent to automatically block IPs that exceed failed authentication thresholds.

Key-based authentication eliminates the entire class of password brute force attacks. The residual risk is key theft, which requires a different set of controls, but it is a substantially smaller attack surface than password-based authentication.

VPN Gateway Hardening

VPN endpoints are high-value targets because a successful brute force gives the attacker network-level access. The Microsoft RoguePlanet zero-day remediation cycle in mid-2026 highlighted how quickly attackers shift to alternative initial access methods when one vector is patched, and VPN brute force is a persistent fallback. Configuration requirements include certificate-based authentication supplemented by MFA, connection rate limiting per source IP at the gateway, alerting on authentication attempts from Tor exit nodes and known VPN/proxy ranges, and geo-restriction of VPN authentication to expected source countries where the business model supports it.

Specific Scenarios and Response Playbooks

Scenario: Low-and-Slow Distributed Attack Against Office 365

An attacker purchases a credential list from a breach aggregator and begins validating accounts against your Office 365 tenant using a residential proxy network. Each proxy generates one attempt every four hours. Your per-IP threshold of ten failed attempts per hour never fires. After seventy-two hours, the attacker has successfully authenticated to eleven accounts.

The detection that catches this is the success-after-failure correlation described in the checklist, combined with impossible travel detection when the attacker accesses mailboxes from IP addresses geographically inconsistent with the account owner's normal location. The response playbook requires immediate session revocation for all flagged accounts, forced MFA re-enrollment, audit of mail forwarding rules and OAuth application consents on affected accounts, and a retroactive search through sign-in logs for other accounts that received attempts from the same proxy ASN ranges.

Scenario: RDP Brute Force Against a Cloud-Hosted Windows Server

A Windows Server with RDP exposed on port 3389 begins receiving authentication attempts from a botnet. The attempts come from sixty distinct IPs in the first hour, each attempting three to four common credential combinations. Your per-IP threshold does not fire, but a cross-source account aggregation rule detects more than two hundred failed attempts against the built-in Administrator account within sixty minutes and generates a high-priority alert.

Automated response blocks the attacking ASN ranges at the cloud security group level. The analyst response involves verifying that the server is not legitimately accessible from those networks, confirming no successful authentications occurred, and initiating a review of why RDP is internet-facing rather than accessible only through the management VPN.

Scenario: SSH Brute Force Against a Linux Web Server

A fail2ban deployment on a web server is blocking individual attacking IPs, but the attack is rotating through new IPs faster than the jail expiry time. PAM logs forwarded to the SIEM allow the security team to see the aggregate pattern. The SIEM rule detects more than five hundred unique source IPs each attempting two or fewer failed SSH logins in a rolling six-hour window against the same target host.

The response involves implementing a cloud firewall rule that restricts SSH to the organization's management IP ranges, converting SSH authentication to key-based only, and conducting a threat hunt across other internet-exposed Linux infrastructure for similar patterns in the same time window.

Implementation Pitfalls to Avoid

Organizations that build out brute force detection and prevention programs frequently encounter the same set of problems during implementation. Knowing them in advance reduces the time spent discovering them the hard way.

Building detection rules without testing them against real log samples. Rules written against a schema description rather than actual log data frequently fail to match in production because field names, timestamp formats, or encoding differ from what the rule author expected. Every detection rule should be validated against a sample of real authentication logs from the specific source before it is promoted to production.

Setting lockout thresholds in Active Directory without accounting for service accounts. A lockout threshold of five attempts will lock out service accounts that have stale cached credentials on multiple systems simultaneously. Before deploying lockout policies, audit all service accounts for stale credential references and update them. Service accounts should be excluded from standard lockout policies and instead monitored through dedicated alerting.

Treating MFA deployment as complete when the enrollment rate hits ninety percent. The accounts not enrolled in MFA are disproportionately likely to be the accounts attackers target, because inactive accounts, contractor accounts, and shared accounts are exactly the ones that fall through enrollment campaigns. Enforce MFA at the identity provider level rather than relying on user compliance, and disable accounts that have not enrolled within a defined window.

Deploying WAF rate limiting without establishing baseline traffic patterns first. Rate limits set without reference to actual peak legitimate traffic volumes will block legitimate users during high-traffic periods such as product launches, earnings announcements, or marketing campaign spikes. Measure legitimate peak authentication rates before setting limits and build in a margin above that peak rather than guessing.

Assuming that blocking known bad IP ranges is sufficient prevention. IP blocklists have real but limited value against brute force attacks that rotate infrastructure regularly. Blocklist-based prevention should be treated as a layer that raises the attacker's cost rather than a control that stops the attack. The behavioral detection controls described in this article operate independently of whether the source IP has a prior reputation, which makes them more resilient against infrastructure rotation.

Failing to close the loop between detection and prevention automation. Detection logic that generates alerts without any automated response action creates a queue that outpaces analyst capacity during an active attack. Define which detection findings trigger automated blocking, which trigger automated account risk elevation, and which require analyst review before any action. Document those decisions explicitly and review them quarterly as your threat model evolves.

Neglecting to monitor the monitoring infrastructure itself. Attackers who have conducted reconnaissance on a target environment sometimes attempt to identify and flood log collection infrastructure to create gaps in detection coverage. Your SIEM ingestion pipeline, log forwarders, and alerting rules should themselves be monitored for availability and throughput anomalies.

Where This Fits in a Broader Defense Program

Brute force detection and prevention does not operate in isolation. The controls described here sit within a broader authentication security program that includes identity governance, privileged access management, and security awareness. The detection logic described here generates signals that feed incident response, threat hunting, and vulnerability management processes.

The connection to the ransomware surge documented in mid-2026 is direct. Ransomware affiliates consistently list initial access methods, and brute force against internet-exposed services and weak credential configurations remains near the top of that list. Closing the brute force detection gap reduces your exposure to the initial access phase of ransomware campaigns, which is the phase where the attack is still preventable.

Implement the checklist items in priority order based on your current coverage gaps. Start with log completeness because detection rules have no value against data that is not being collected. Add cross-account aggregation rules before single-IP threshold tuning because aggregation catches the attacks that threshold tuning misses. Deploy automated response for the highest-confidence indicators before fine-tuning thresholds for lower-confidence ones. The order matters because each layer builds on what is below it.

Contact IPThreat