A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?

Brute-force attack against a single account using many passwords.

That pattern usually targets one account repeatedly rather than touching many accounts once each.

Replay attack using previously captured authentication traffic.

Replay attacks reuse captured credentials or tokens, not a series of fresh failed login attempts across accounts.

ARP poisoning used to intercept local network traffic.

ARP poisoning affects local layer 2 traffic and does not explain the authentication log pattern shown here.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Password spraying using a common password against many accounts. — Password spraying is the best match because the attacker is trying a small number of common passwords against many different accounts. That approach reduces the chance of triggering account lockouts compared with attacking one account repeatedly. The same source IP generating a single failure per account, followed by a success, is a classic log pattern analysts look for when correlating authentication events across multiple users. Why others are wrong: Brute force usually means many attempts against one account, not one attempt per many accounts. Replay attacks involve reusing captured authentication material and would not normally produce this spread of fresh failures. ARP poisoning is a local-network interception technique and does not fit authentication log correlation.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.