They use botnets that distribute the attacks from dozens of source IPs and attack multiple targets simultaneously in an attempt to get a successful login.
The bots then make random login attempts using different username and password combinations. Hackers know full well that 3-5 attempts will likely lock out an account, and that would possibly alert an admin that something is going on, so they program the bots not to try the same user account 3 times in a given period.
Between thousands of different usernames, and thousands of different passwords, against thousands of potential targets, sooner or later they’ll get a successful login.
Also, it’s a little-known fact that the ‘Administrator’ account in Active Directory can’t be locked out, so they brute force that account non-stop.
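The pattern described in this answer (many accounts, each kept under the lockout threshold, spread across many source IPs, plus non-stop attempts on Administrator) leaves a signature in failed-logon records even when no lockout ever fires. The following is an added example, not code from the original post: a small detector run over constructed, fictional failed-logon lines in the shape `timestamp source_ip account RESULT`, resembling the fields an admin would export from Windows 4625 events. The window size, the minimum number of distinct accounts, and the lockout threshold of 3 are assumed tuning values.

```python
"""Low-and-slow password-spray detection over failed-logon records.

Added example; not from the original post. The log below is constructed
for illustration, not a real capture. Field order is assumed to be
"ISO-timestamp source_ip account FAIL|SUCCESS".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two sources spray six accounts once each, one
# source retries a single account, two sources hammer Administrator.
SAMPLE_LOG = """\
2024-03-01T02:00:01 203.0.113.10 alice FAIL
2024-03-01T02:00:07 203.0.113.10 bob FAIL
2024-03-01T02:00:13 203.0.113.10 carol FAIL
2024-03-01T02:00:19 203.0.113.10 dave FAIL
2024-03-01T02:00:25 203.0.113.10 erin FAIL
2024-03-01T02:00:31 203.0.113.10 frank FAIL
2024-03-01T02:01:02 203.0.113.11 alice FAIL
2024-03-01T02:01:08 203.0.113.11 bob FAIL
2024-03-01T02:01:14 203.0.113.11 carol FAIL
2024-03-01T02:01:20 203.0.113.11 dave FAIL
2024-03-01T02:01:26 203.0.113.11 erin FAIL
2024-03-01T02:01:32 203.0.113.11 frank FAIL
2024-03-01T08:15:00 198.51.100.7 alice FAIL
2024-03-01T08:15:20 198.51.100.7 alice FAIL
2024-03-01T08:15:40 198.51.100.7 alice SUCCESS
2024-03-01T09:00:00 192.0.2.44 Administrator FAIL
2024-03-01T09:00:05 192.0.2.44 Administrator FAIL
2024-03-01T09:00:10 192.0.2.44 Administrator FAIL
2024-03-01T09:00:15 192.0.2.44 Administrator FAIL
2024-03-01T09:00:20 192.0.2.45 Administrator FAIL
2024-03-01T09:00:25 192.0.2.45 Administrator FAIL
"""


def parse_log(text):
    """Parse lines into (timestamp, source_ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 lockout_threshold=3):
    """Flag source IPs that, within any sliding `window`, fail against at
    least `min_accounts` distinct accounts while keeping every account
    below `lockout_threshold` failures. Sources that do exceed the
    threshold are left to the ordinary lockout alert."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        j = 0  # two-pointer sliding window over time-sorted failures
        for i in range(len(fails)):
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            per_account = defaultdict(int)
            for _, account in fails[i:j]:
                per_account[account] += 1
            worst = max(per_account.values())
            if len(per_account) >= min_accounts and worst < lockout_threshold:
                prev = hits.get(ip)
                if prev is None or len(per_account) > prev["accounts"]:
                    hits[ip] = {"accounts": len(per_account),
                                "max_per_account": worst,
                                "window_start": fails[i][0]}
    return hits


def count_failures(events, account="Administrator"):
    """Return (failure count, distinct source count) for one account.
    For an account with no lockout to rely on, raw volume is the alert."""
    fails = [(ts, ip) for ts, ip, acct, result in events
             if acct == account and result == "FAIL"]
    return len(fails), len({ip for _, ip in fails})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, info in detect_spray(evts).items():
        print(f"spray from {ip}: {info['accounts']} accounts, "
              f"max {info['max_per_account']} failures each")
    n, sources = count_failures(evts)
    print(f"Administrator: {n} failures from {sources} sources")
```

Counting distinct accounts per source is what catches the sub-threshold spray: a conventional "N failures on one account" rule never fires here, because each account sees only one attempt per source. The account-centric check at the end is the complement for the Administrator case described above, where the attacker does not need to stay under any threshold.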