We are getting compromise reports for the following addresses on almost every single customer/domain.
Observed user names in email addresses are as follows:
This is representative of a rogue actor being interested in gaining unauthorized access to user accounts. They create a list of accounts and passwords to try and compromise a service on the domain. Whether the account exists or not, or the password is accurate or not, it is indicative that someone is interested in exploiting the domain(s) specifically.