Defender and distributed brute-force login attempts

I'm running Defender and it looks like it's doing a fantastic job. Looking at the failed-login log, it looks like there are a whole bunch of attempts from distributed IP addresses, trying to login to a site using the subdomain of the site as the username. For most of those, the username doesn't exist - is it possible to configure Defender to notice that a username is really just a site's subdomain and auto-ban that IP if the username doesn't exist?