During a security audit, an analyst notices repeated failed attempts to access user accounts. What type of attack would this likely represent?

Prepare for the CompTIA Security+ SY0-601 exam. Explore comprehensive flashcards and diverse multiple-choice questions with hints and explanations. Get exam-ready now!

A repeated pattern of failed attempts to access user accounts typically indicates a brute-force attack. In this type of attack, an attacker systematically guesses passwords to gain unauthorized access to an account. The key characteristic of a brute-force attack is the high number of attempts, as attackers try multiple combinations of usernames and passwords until they find a working set.

In the context of a security audit, if the analyst notices that there are numerous failed login attempts over a short period, it strongly suggests that an automated tool is being used to test different passwords against an account, which is the essence of a brute-force attack.

On the other hand, credential stuffing involves using previously compromised username and password pairs to log into various accounts, which may not typically generate a high number of failed attempts if the credentials are valid. Phishing attempts focus on tricking users into providing credentials through deceptive communication rather than attempting to guess them, while shoulder surfing is a physical observation attack where an attacker watches someone input their credentials. None of these alternatives fit the scenario as accurately as a brute-force attack does.
