Lot's of back and forth with Microsoft Support, reviewing logs and more.
Apparently, @AmanpreetSingh-MSFT and @KAREDD-MSFT were answering according to some outdated documentation in the best case.
My current understanding on this subject is that this error message does not mean that anyone used the correct password.
These are most likely brute-force attempts. They would run some legacy authentication methods where they send the username and password at once.
Microsoft evaluates all sign ins coming in to any Microsoft directory. When an IP has X amount of failed usernames and/or passwords, Microsoft would than flag the IP as malicious and then block the sign-ins no matter if the password matches or not. Error 50053 has two definitions.
- Sign-in was blocked because it came from an IP address with malicious activity.
- Account is locked because user tried to sign in too many times with an incorrect user ID or password.
The second one is actually the definition currently publicized in the official documentation, but both of the above reasons use the same ID.
You won't always see an error prior to seeing that "Sign-in was blocked because it came from an IP address with malicious activity." and this is due because that IP address was flagged prior to trying your tenant/account.
These of course is solely my opinion and it is unfortunate to see "Microsoft Employees" (according to their profile here) are answering questions with incorrect information.
Additionally, I am completely disappointed why I had to go in circles with Microsoft support and simply have to "prove" them that the answers they are providing me can't be true.
The above is solely my understanding on this matter and I felt like posting it simply for others that stumble in to this to understand what's going on.