Occasional Contributor

Several of my Exchange online accounts are subject to frequent login attempts by various means.  Recently I have a bunch of attempts using IMAP from foreign countries.  IMAP is disabled for that account, but SMTP is allowed (for the time being). We we have one CA policy which applies, ,Blocks login from foreign country. When I test using the What If tool these foreign logins using IMAP are indeed blocked. But yet the user account is getting locked and the logs show multiple breakin attempts.  What is going on?  Shouldn't the CA policy and IMAP restriction prevent the login attempt from the first place, or will the log continue to grow with failed logins from IMAP while locking the account?