Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.
That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.
An error occurred while saving the commentAnonymous commented
Should be built-in if MS is serious about security. There are reports to monitor risky sign-ins - but nothing to block them.
4,218 votesthinking about it · AdminMicrosoft 365 Groups Feedback (Product Owner, Microsoft Office 365) responded
Thanks to all of you for your feedback on this item. We know that folder creation is still a high priority request from our customers. Please continue to provide your feedback as we assess the priority in relation to other initiatives the Outlook teams have committed. Thank you!