QUESTION
We are getting compromise reports for the following addresses on almost every single customer/domain.
Observed user names in email addresses are as follows:
- info@domainname.com
- admin@domainname.com
- contact@domainname.com
- sales@domainname.com
- spam@domainname.com
ANSWER
These reports indicate that a rogue actor is trying to gain unauthorized access to user accounts. The actor builds a list of account names and passwords and tries them against a service on the domain. Whether or not the account exists, and whether or not the password is correct, the activity shows that someone is specifically interested in exploiting the domain(s).
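One way to confirm this pattern in your own authentication logs, as an added example that is not part of the original article: the Python below groups failed logins by source and flags any source that tried several of the role names from the question across several domains. The event tuple format, the sample addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Role-style local parts taken from the addresses listed in the question.
GENERIC_LOCAL_PARTS = {"info", "admin", "contact", "sales", "spam"}

# Constructed sample events (assumed format, not real log data):
# (source_ip, attempted_address, account_exists, auth_succeeded)
SAMPLE_EVENTS = [
    ("198.51.100.7", "info@example.com", True, False),
    ("198.51.100.7", "admin@example.com", False, False),
    ("198.51.100.7", "sales@example.com", True, False),
    ("198.51.100.7", "info@example.org", False, False),
    ("198.51.100.7", "spam@example.org", False, False),
    ("198.51.100.7", "contact@example.net", True, False),
    ("203.0.113.20", "info@example.com", True, False),   # one mistyped password
    ("203.0.113.20", "info@example.com", True, True),
    ("192.0.2.44", "j.doe@example.org", True, False),    # personal mailbox, ignored
]


def summarize_failures(events):
    """Per source, collect the role names and domains seen in failed logins."""
    summary = defaultdict(lambda: {"names": set(), "domains": set(),
                                   "failures": 0, "unknown_accounts": 0})
    for source, address, exists, succeeded in events:
        local, _, domain = address.lower().rpartition("@")
        if succeeded or local not in GENERIC_LOCAL_PARTS:
            continue
        entry = summary[source]
        entry["names"].add(local)
        entry["domains"].add(domain)
        entry["failures"] += 1
        # Attempts against accounts that do not exist still count as interest.
        entry["unknown_accounts"] += 0 if exists else 1
    return dict(summary)


def flag_sources(events, min_names=3, min_domains=2):
    """Flag sources that tried several role names across several domains."""
    return sorted(
        source for source, entry in summarize_failures(events).items()
        if len(entry["names"]) >= min_names and len(entry["domains"]) >= min_domains
    )


if __name__ == "__main__":
    for source in flag_sources(SAMPLE_EVENTS):
        print(source, summarize_failures(SAMPLE_EVENTS)[source])
```

A single user mistyping a password on one role mailbox stays below both thresholds, while a source walking the same role names across customer domains is flagged even when most of the targeted accounts do not exist.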
REFERENCE
Password Spraying (Low and Spray)