Just wondering where did you find out that your organization is suffering from a password attack? Maybe you can share the screenshot after removing all privacy information like domain name and email addresses.
In addition, since October2022, Exchange Online has been deprecating Basic Authentication. Therefore, this brute force attack or password spray attack should not be the same as the information in the link you provide.
About Azure AD accounts being locked out,You can refer to this document to manage smart lock values:
Prevent attacks using smart lockout - Azure Active Directory - Microsoft Entra | Microsoft Learn
Hope this helps!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread