Malicious login attempts targeting Microsoft 365 accounts from the United States and United Kingdom soared by roughly 25 percent in April 2026, according to new data from Barracuda Networks. The jump, documented in a late-May threat intelligence advisory, tears up the long-held assumption that connections from certain developed nations carry inherently lower risk. For security operations centers (SOCs) and identity teams, the message is blunt: the old playbook of geo-trust is broken, and every authentication request now demands rigorous scrutiny.
The findings land at a time when many organizations still lean heavily on geographic IP fencing or simple country-based allow-lists to trim authentication noise. Barracuda’s report, shared with its customer base on May 27, 2026, shows that the volume of malicious logins coming from IP addresses geo-located in the US and UK rose 25 percent month-over-month in April. The shift isn’t a spike in overall attack volume—global malicious attempts remained relatively flat—but rather a recalibration of where the attacks originate. Cybercriminals are increasingly routing their infrastructure through well-reputed regions, either by compromising residential and business machines en masse or by abusing cloud hosting services located in those countries.
The Shifting Geography of Cyber Threats
For more than a decade, defenders have categorized login attempts with a crude rule of thumb: traffic from Russia, China, Nigeria, or legacy “blocklist” countries gets heightened suspicion, while connections from the US, UK, Canada, or Western Europe often sail through with only basic checks. Barracuda’s telemetry shatters that rule. In April 2026, 37 percent of all detected malicious Microsoft 365 login attempts originated from US-based IP addresses, up from 29 percent in March. The UK share climbed from 8 percent to 11 percent. Together, the two Anglo-American hubs now account for nearly half of all malicious logins observed across Barracuda’s global customer base.
This geographic pivot correlates with the wider adoption of residential proxy networks and the commoditization of compromised cloud virtual machines. Attackers pay pennies for access to IPs in desirable locales, letting them sidestep naive geofencing while simultaneously blending into legitimate traffic. The trend also mirrors the rise of “living-off-the-land” attacks, where adversaries exploit legitimate infrastructure—think hijacked Amazon EC2 instances or compromised Microsoft Azure tenants—to launch credential-stuffing and password-spray campaigns against target tenants.
Barracuda’s researchers note that the jump isn’t attributable to a single botnet or campaign. Instead, they observed a broad dispersion across thousands of distinct IPs, suggesting a market-driven adaptation. Cybercrime-as-a-service platforms now routinely advertise “clean” residential proxies from the US and UK specifically for bypassing cloud identity protections. As a result, the geographic origin of a login carries less predictive value than ever before.
Why ‘Low-Risk’ Countries Are No Longer Safe
The very concept of a low-risk country flag was always a heuristic, not a control. It served to cut down on alert fatigue during an era when most attacks did in fact come from a short list of high-threat nations. But modern identity attacks don’t need to originate from a hostile territory; they only need to look legitimate. With the average data breach lifecycle shrinking and dwell time compressing, relaxing authentication scrutiny based on an IP geolocation database is an invitation to disaster.
A deeper look at Barracuda’s April data reveals that many of the malicious logins from US and UK IPs were part of long-tail brute-force and credential-harvesting operations. These attacks often start with a valid username, harvested from public data leaks, LinkedIn, or email enumeration, and then cycle through password dictionaries at a slow, distributed pace. Because the traffic appears to come from domestic broadband or reputable data centers, the default security controls in Microsoft 365 frequently miss them. The smart lockout and risk-based policies in Azure Active Directory (now Microsoft Entra ID) can still detect these patterns, but only if they are configured aggressively enough, and only if sign-in logs are being fed into a SIEM or Microsoft Sentinel for correlation.
Moreover, the rise of attacker-in-the-middle (AiTM) phishing kits has made the source IP even less relevant. An employee in Chicago might be tricked into entering their password and MFA code into a fake login page hosted on a compromised US server. The adversary then replays the token from that same US IP, completely inheriting the victim’s trusted location. In such cases, a geo-based “low-risk” flag would actively work against detection.
Implications for SOC and Identity Teams
For SOC analysts, the April statistics are a call to re-evaluate detection logic. If you’ve built correlation rules that whitelist or down-weight alerts from certain countries, it’s time to strip them out. Barracuda recommends treating all unsuccessful login attempts equally, regardless of origin. A spike of 1,000 failed logins from California is just as alarming as one from Moscow—and perhaps more so if your user base is in California and the failures are for the HR department’s admin account.
The report also highlights a related blind spot in many organizations: conditional access policies that exempt “trusted locations.” Microsoft’s named locations feature allows admins to designate public IP ranges as trusted, often mapping to office egress points or VPN concentrators. But if an attacker compromises an endpoint inside that network, geo-exemptions hand over the keys. Barracuda’s incident response data shows that in Q1 2026, 14 percent of account takeover incidents in Microsoft 365 environments involved an attacker pivoting from a trusted IP that shouldn’t have been exempted from multi-factor authentication (MFA).
For smaller organizations without dedicated SOCs, the message is even starker. Many rely on Microsoft 365’s security defaults or on simple conditional access templates that were built years ago. Those templates often carry the assumption that domestic traffic is lower risk. Reassessing those defaults and embracing Microsoft’s risk-based conditional access, which looks at sign-in risk level, device compliance, and user behavior rather than just geography, has become urgent.
Rethinking Conditional Access and MFA Policies
The April surge makes a strong case for abandoning location as a security signal, or at least demoting it to a supplementary factor. Microsoft’s own guidance has evolved toward a zero-trust model: never trust, always verify, regardless of network location. Entra ID’s conditional access can evaluate multiple signals—user risk, sign-in risk, device compliance, authentication strength—and force step-up authentication or block access entirely based on real-time intelligence.
Barracuda advises organizations to move away from static IP allow-lists and toward dynamic risk assessment. For example, instead of allowing all US traffic to bypass MFA, require MFA for every user, every time, and use phishing-resistant methods like FIDO2 security keys or Windows Hello for Business. Microsoft recently extended device-bound passkeys across the ecosystem, enabling true passwordless flows that aren’t phishable in the same way as SMS or push approvals. The report underscores that passwordless authentication, combined with strict device compliance policies, can neutralize credential-stuffing attacks regardless of the IP origin.
However, MFA alone isn’t a silver bullet—especially when push notifications are involved. Barracuda’s earlier 2025 research showed that MFA fatigue attacks rose 300 percent year-over-year, and many of those attacks originated from US-based IPs after attackers gained initial access to a trusted network segment. The recommendation: implement number-matching or FIDO2, disable simple push approval, and combine with token protection features like continuous access evaluation (CAE) that can revoke sessions instantly when risk changes.
Conditional access policies should also consider the authentication strength required for different applications. High-privilege administrative roles, for instance, should require phishing-resistant MFA and a compliant, managed device—full stop. No geographic bypass. The April data reinforces that a privileged account login from a US IP can be just as dangerous as one from a flagged nation if the source machine is under adversary control.
Proactive Defense Strategies
Beyond policy tweaks, Barracuda’s report outlines several proactive steps organizations can take immediately:
- Enable unified audit logging and ship logs to a SIEM. Without full visibility, the geographic shift in attack traffic will go unnoticed. Ensure that Microsoft 365 sign-in logs, including non-interactive and service principal sign-ins, are flowing to Microsoft Sentinel or a third-party SIEM with proper retention.
- Implement impossible travel rules. While source country alone is no longer a reliable indicator, impossible travel—where a user logs in from New York and then from London within 15 minutes—remains a high-fidelity signal. Tune these rules to be sensitive, but expect some false positives from VPNs and cloud proxies.
- Adopt Microsoft’s Entra Identity Protection. The risk-based engine uses trillions of signals daily and can detect anomalous behavior like unfamiliar sign-in properties, leaked credentials, or anomalous token usage—regardless of the country of origin. Set risk policies to block or require password change for “high” user or sign-in risk levels.
- Harden legacy authentication protocols. Many brute-force attacks still come through IMAP, POP, SMTP, or legacy ActiveSync. Disable these outright unless critically needed, and use authentication policies in Exchange Online to block legacy authentication.
- Conduct regular attack path analysis. An attacker landing on a low-risk-country IP often isn’t the final step. They’ll move laterally. Map out how a compromised account could escalate to sensitive Teams data, SharePoint sites, or Azure resources, and place conditional access barriers at each junction.
- Embrace phishing-resistant credentials. The US/UK proxy surge is heavily tied to credential theft. Moving to FIDO2 security keys or passkeys removes the reusable credential from the equation entirely.
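To make two of the detection ideas above concrete, the SOC recommendation to count failed-login bursts the same way whatever the source country, and the impossible-travel rule from the list, here is an added Python example. It is not Barracuda’s or Microsoft’s code; the sign-in records are constructed, and the burst threshold, the 900 km/h travel ceiling and the coordinates are assumptions.

```python
# Added example, not code from Barracuda or Microsoft: two detections run over
# constructed Microsoft 365 sign-in records. Thresholds and coordinates are assumed.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records: (timestamp, user, source_ip, country, lat, lon, success)
EVENTS = [
    ("2026-04-02T09:00:00", "hr-admin", "203.0.113.5", "US", 34.05, -118.24, False),
    ("2026-04-02T09:00:07", "hr-admin", "203.0.113.5", "US", 34.05, -118.24, False),
    ("2026-04-02T09:00:15", "hr-admin", "203.0.113.5", "US", 34.05, -118.24, False),
    ("2026-04-02T09:01:00", "bob", "198.51.100.9", "RU", 55.75, 37.62, False),
    ("2026-04-02T08:00:00", "bob", "192.0.2.10", "US", 41.88, -87.63, True),
    ("2026-04-02T12:00:00", "bob", "192.0.2.10", "US", 41.88, -87.63, True),
    ("2026-04-02T10:00:00", "alice", "192.0.2.44", "US", 40.71, -74.01, True),
    ("2026-04-02T10:12:00", "alice", "192.0.2.77", "GB", 51.51, -0.13, True),
]

def failed_login_bursts(events, threshold=3):
    """Failed sign-ins per source IP, no country weighting: {ip: (country, failures)}."""
    counts, country = defaultdict(int), {}
    for _, _, ip, cc, _, _, ok in events:
        if not ok:
            counts[ip] += 1
            country[ip] = cc
    return {ip: (country[ip], n) for ip, n in counts.items() if n >= threshold}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag users whose consecutive successful sign-ins are farther apart than an
    airliner could cover in the elapsed time. Returns {user: distance_km}."""
    per_user = defaultdict(list)
    for ts, user, _, _, lat, lon, ok in events:
        if ok:
            per_user[user].append((datetime.fromisoformat(ts), lat, lon))
    flagged = {}
    for user, logins in sorted(per_user.items()):
        logins.sort()  # chronological order per user
        for (t0, la0, lo0), (t1, la1, lo1) in zip(logins, logins[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(la0, lo0, la1, lo1)
            if km > max_kmh * hours:  # no division, so a zero time gap is still caught
                flagged[user] = max(flagged.get(user, 0.0), km)
    return flagged
```

On the sample data the three-failure burst from the US address is flagged while the single Russian failure is not, and alice’s New York to London hop in twelve minutes trips the travel rule while bob’s two Chicago sign-ins do not.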
The report also recommends that organizations pressure their SaaS vendors to decouple geographic billing from geographic risk. Some cloud identity solutions still charge more for advanced risk detection when users are in “high-risk” countries, inadvertently incentivizing weak coverage in those areas. As the line blurs, that pricing model becomes indefensible.
The Bigger Picture: A Borderless Threat Landscape
Barracuda’s April numbers are not an isolated blip. They align with a broader industry trend analyzed throughout 2025 and 2026: the threat actor economy has successfully industrialized location laundering. In January 2026, Microsoft’s own Digital Defense Report noted that 67 percent of nation-state attackers now route command-and-control through cloud infrastructure in friendly nations, up from 45 percent two years prior. Meanwhile, a March 2026 study from the SANS Institute found that organizations with location-based access policies were 2.3 times more likely to experience a successful Microsoft 365 account takeover than those using adaptive, risk-based controls.
The rise in domestic malicious logins also complicates regulatory and liability conversations. If a breach originates from a US IP, it’s harder to attribute to a known foreign adversary, potentially changing how insurers and regulators view the incident. It also blurs the line between crime and espionage, because a domestic IP could be a compromised American small business or a rented VPS that traces back to a shell company.
For Microsoft 365 administrators, the April 2026 update from Barracuda is a validation of the zero-trust marching orders that have been coming for years. Many admins resisted abandoning geo-trust because the alternative—stringent, friction-heavy authentication for every access—seemed too disruptive. The data now shows the alternative is far worse: a blind spot that adversaries are exploiting at scale.
Conclusion
The 25 percent jump in malicious Microsoft 365 logins out of the US and UK in April 2026 is a watershed moment for cloud identity defense. It proves that country-of-origin has lost nearly all relevance as a risk discriminator. Barracuda’s findings demand an immediate audit of conditional access policies, a retirement of naive geo-allow lists, and an acceleration toward phishing-resistant MFA for all users, all applications, all locations.
For the SOC analyst staring at a dashboard of failed logins, the lesson is simpler: that checkmark next to “United States” means nothing. Investigate the behavior, not the flag.