I've dealt with these type of issues many times, and usually it comes down to where a user did not change their domain password on a mobile device after changing their password on their computer, which cause the continuous lock out.
This is my first experience with a user having continuous domain lock out issue. See log below. I am trying to trace the source. Per user, she does not have a mobile device or have another session on another computer. Is lsass.exe a suspicious .exe? How can I trace the source to find out where the lock out is occuring? She did mention that the auto-discover option does pop up every now and then.