So one of the things that has always bothered me is brute force attacks. It is one thing to have someone take advantage of a vulnerability that is exposed, but having them in your environment as a user is really scary.
Most pen testers will tell you that this is the fastest way into the network. And it is possible to run automated low and slow attacks against login pages. I have seen as many as 6 million attempts over a several-week period, all with different usernames and passwords, so in this case it would never lock an account out. And automated tools are becoming way more sophisticated.
So I decided to try and catch this type of attack. Simply watching non-RFC 1918 traffic trying to hit owa.auth is a very successful way of finding some of these attacks against OWA. Once you have a baseline of your environment, you can then watch for larger than normal hits on the OWA auth page from a single IP, or for odd behavior.
If you are really creative and do not have any restriction on PII, you can pull the username out of the packet and then view the traffic by IP and username. When you have hundreds of usernames by IP, you know you have an issue. This will not catch all types of attacks, but it does catch some. If you are catching usernames, you can see some injection attacks as well.
I can tell you from experience this works very well and is worth looking into if you are decrypting your OWA traffic.
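A sketch of the per-IP counting described above, added here as an example and not taken from any tool the post used. The event layout (source IP, request path, username from the decrypted login POST), the "/owa/auth" path marker and both thresholds are assumptions; feed it the events for whatever window you baselined over.

```python
import ipaddress
from collections import defaultdict

# The three RFC 1918 private ranges; anything outside them is treated as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def summarize(events, auth_marker="/owa/auth"):
    """Per external source IP: (auth-page hit count, distinct usernames tried)."""
    hits = defaultdict(int)
    users = defaultdict(set)
    for src_ip, path, username in events:
        if auth_marker not in path.lower() or not is_external(src_ip):
            continue
        hits[src_ip] += 1
        if username:  # empty when usernames are not being extracted
            users[src_ip].add(username.lower())
    return {ip: (hits[ip], len(users[ip])) for ip in hits}

def flag(summary, baseline_hits, max_users):
    """Return IPs above the baselined hit count or the distinct-username limit."""
    flagged = {}
    for ip, (n_hits, n_users) in summary.items():
        reasons = []
        if n_hits > baseline_hits:
            reasons.append("hits")
        if n_users > max_users:
            reasons.append("usernames")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample data, not real traffic: (source IP, request path, username).
SAMPLE_EVENTS = (
    [("203.0.113.50", "/owa/auth.owa", f"user{i}") for i in range(120)]  # one IP, many usernames
    + [("198.51.100.7", "/owa/auth.owa", "alice")] * 3                   # normal user, a few retries
    + [("10.1.2.3", "/owa/auth.owa", f"svc{i}") for i in range(200)]     # RFC 1918 source, ignored
    + [("203.0.113.50", "/owa/", "")] * 5                                # not the auth page
)

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for ip, reasons in flag(summary, baseline_hits=50, max_users=20).items():
        print(ip, summary[ip], reasons)
```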