Hi @PARR Shaun ,
Thanks for reaching out.
The TI_RT_0015 detection targets a password spray attack identified by Microsoft's threat intelligence and blocks sign-ins attributed to that attack.
There might be reason as the user account as being compromised in the Risky User section, Micrsoft' threat intelligence detected this as the risk. This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins, and triggers risk detection when a sign-in occurs with properties that are unfamiliar to the user.
I am checking on this with the product team to confirm you further.