The clients get many 401s because the site including static resources is protected by login but browser doesn't always send Authorization header when trying to access static resources. The origin replies with 401 and response header "www-authenticate":"Basic realm="Restricted Area - Authentication Required" and until then browser adds Authorization header. However the 401 "Failed Login" is already recorded by our malicious user detection mechanism and after several times leads to false conviction of the client as malicious.

The solution should be to count 401s in MUM risk score only if the user use wrong credentials, not with the Authentication header empty