Hi @Kristian Sanchez ,
If you check the sign-in logs under Azure Active Directory > Sign-ins log , you can check for the Failure Reason or interrupt reason in the Basic Info section.
If it seems like this does not match the user's behavior and you suspect there might be login attempts from attackers, you can apply conditional access policies to block certain geographic locations where you do not have staff. You can also apply sign-in risk policies to block users who are detected as having high or medium risk associated.
Another possibility is that you have have legacy protocols enabled (SMTP, POP), in which case the best practice is to disable them.
If you are using MS Authenticator, an extra protection would be to enable the context feature with number matching with that shows where the request is coming from and prompts the user to match the two digit code on the screen.
Let me know if this helps. If it's only one user it seems like it could be an attack attempt.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.