I’m not an expert in such matters, but in my experience, it is far more likely that they replied to a clever phishing or spearphishing attack. I don’t know that I’ve ever seen evidence that one of our accounts was hacked, but we have several each year who enter their credentials into a form or page that looks legitimate to them, or came from someone they trusted. And if this happened in your case, then automatically blocking IP addresses after a specified number of failed login attempts might not solve anything.
We have policies in place that lock user accounts for 12 hours after 10 failed login attempts, which would essentially accomplish the same thing. However, we had to change this policy for IT admins, because it became evident that someone was attempting to compromise our system administrator’s account. As I recall, the IP addresses were from Europe, and changed (imagine all the IP addresses that could become blocked in a very short period of time if the attackers are agile!). IT user accounts now lock for 5 minutes after 2 failed attempts. The SA changed his username. This, along with the lockout policy, seems to have put an end to the attacks. Each time a lockout occurs, the Help Desk gets an email containing the username, IP address, and device/system that was experiencing the failed login attempt (usually Exchange, when people change their password but don’t change it on their phone/tablet/Mac; it is especially annoying when Keychain remembers an old password and won’t let go of it).
Perhaps a lockout policy such as this, with notifications, might be of benefit to your organization.
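As an added illustration (not part of the original post or any product the poster uses), here is a small Python model of the policy described above: per-account lockout counted by username rather than by source IP, with the 10-failures/12-hour threshold for standard users and the 2-failures/5-minute threshold for IT admins, a help-desk alert carrying username, source IP and system, and, for contrast, a naive per-IP blocker. The role-naming rule (an `sa-` username prefix), the observation window, the `IpBlocker` threshold and the event list are constructed assumptions, not anything the post states.

```python
"""Per-account lockout with help-desk alert vs. per-IP blocking (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int   # failed attempts before the account locks
    duration_s: int  # how long the account stays locked
    window_s: int    # observation window for counting failures (assumed; the post gives none)


# Thresholds from the post: 10 failures / 12 h for standard users, 2 failures / 5 min for IT admins.
POLICIES: Dict[str, LockoutPolicy] = {
    "standard": LockoutPolicy(threshold=10, duration_s=12 * 3600, window_s=12 * 3600),
    "it_admin": LockoutPolicy(threshold=2, duration_s=5 * 60, window_s=5 * 60),
}


@dataclass
class Alert:
    username: str
    source_ip: str      # IP of the attempt that triggered the lock
    system: str         # the device/system reporting the failure, e.g. "Exchange"
    locked_until: float
    distinct_ips: int   # 1 suggests a stale saved password; many suggests a rotating attacker

    def email_body(self) -> str:
        return (f"Account '{self.username}' locked until t={self.locked_until:.0f}s after failed "
                f"logins via {self.system}; last source {self.source_ip}; "
                f"{self.distinct_ips} distinct source IP(s) in window.")


class AccountLockout:
    """Counts failures per username, regardless of which IP they came from."""

    def __init__(self, policies: Dict[str, LockoutPolicy], role_of: Callable[[str], str]) -> None:
        self.policies = policies
        self.role_of = role_of
        self.failures: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}
        self.alerts: List[Alert] = []

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record(self, user: str, ip: str, system: str, success: bool, now: float) -> Optional[Alert]:
        if self.is_locked(user, now):
            return None  # rejected while locked; does not extend the lock
        if success:
            self.failures.pop(user, None)
            return None
        policy = self.policies[self.role_of(user)]
        q = self.failures[user]
        q.append((now, ip))
        while q and now - q[0][0] > policy.window_s:  # forget failures outside the window
            q.popleft()
        if len(q) < policy.threshold:
            return None
        self.locked_until[user] = now + policy.duration_s
        alert = Alert(user, ip, system, now + policy.duration_s, len({src for _, src in q}))
        self.alerts.append(alert)
        q.clear()
        return alert


class IpBlocker:
    """Naive per-source-IP rule: N failures from one address block that address."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.counts: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def record(self, ip: str, success: bool) -> bool:
        if ip in self.blocked:
            return True
        self.counts[ip] = 0 if success else self.counts[ip] + 1
        if self.counts[ip] >= self.threshold:
            self.blocked.add(ip)
        return ip in self.blocked


def role_of(user: str) -> str:
    return "it_admin" if user.startswith("sa-") else "standard"  # assumed naming convention


# Constructed events (time_s, user, ip, system, success); not real log data.
EVENTS = [
    (0.0, "sa-jsmith", "203.0.113.10", "OWA", False),     # attacker rotating source IPs
    (1.0, "sa-jsmith", "203.0.113.11", "OWA", False),     # second failure -> 5-minute lock + alert
    (2.0, "sa-jsmith", "203.0.113.12", "OWA", False),     # rejected: account locked
    *[(10.0 + i, "jdoe", "198.51.100.7", "Exchange", False) for i in range(10)],  # stale phone password
    (400.0, "sa-jsmith", "203.0.113.13", "OWA", False),   # lock expired; counting restarts at 1
]


def run(events=EVENTS, ip_threshold: int = 5):
    acct, ipb = AccountLockout(POLICIES, role_of), IpBlocker(ip_threshold)
    for t, user, ip, system, ok in events:
        ipb.record(ip, ok)
        acct.record(user, ip, system, ok, t)
    return acct.alerts, sorted(ipb.blocked)


if __name__ == "__main__":
    alerts, blocked_ips = run()
    for a in alerts:
        print(a.email_body())
    print("IPs blocked by per-IP rule:", blocked_ips or "none")
```

Running it shows the point the post makes: the per-IP rule blocks only the employee's phone that keeps retrying an old password, while the rotating attacker never trips it; the per-account rule locks the admin account after two failures from two different addresses and the alert's distinct-IP count tells the Help Desk which of the two situations it is looking at.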