Okta Multiple Failed MFA Requests For User

Splunk Security Content

Summary
This detection rule identifies multiple failed multi-factor authentication (MFA) requests for a single user in an Okta tenant, which may indicate an adversary attempting to bypass MFA protections. The rule monitors Okta event logs for cases where a specific user receives more than 10 failed MFA requests within a 5-minute window. Such a spike in failed authentication attempts suggests that an attacker may be trying to wear down the MFA mechanism by overwhelming the user with requests. The detection combines Okta's specific logging with a statistical analysis of events, alerting security teams to behaviour resembling tactics used by known threat actors such as Lapsus and APT29. If confirmed, this activity could lead to critical security breaches by allowing unauthorized access to sensitive resources.
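The per-user threshold described above (more than 10 failed MFA events in a 5-minute window) as an added, stand-alone Python example, not Splunk's own search: it assumes Okta System Log records with eventType, outcome.result, actor.alternateId and published fields, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAILURE_THRESHOLD = 10                          # alert when a user exceeds this many failures ...
WINDOW = timedelta(minutes=5)                   # ... within this window (values from the rule summary)
MFA_EVENT = "user.authentication.auth_via_mfa"  # Okta eventType for an MFA verification
BASE = datetime(2025, 1, 21, 12, 0, tzinfo=timezone.utc)  # start time of the constructed sample

def is_failed_mfa(event: dict) -> bool:
    """True for an Okta MFA verification event whose outcome.result is FAILURE."""
    return (event.get("eventType") == MFA_EVENT
            and event.get("outcome", {}).get("result") == "FAILURE")

def find_mfa_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {user: (first_ts, last_ts, count)} for users whose failed MFA events
    inside a sliding `window` exceed `threshold`; successes and non-MFA failures are ignored."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["published"]):
        if not is_failed_mfa(ev):
            continue
        user = ev["actor"]["alternateId"]
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts[user] = (q[0], ts, len(q))
    return alerts

def okta_event(user, seconds, result, event_type=MFA_EVENT):
    """Build a minimal constructed Okta System Log record (not real tenant data)."""
    published = (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user}, "outcome": {"result": result}}

SAMPLE_EVENTS = (
    [okta_event("victim@example.com", 10 * i, "FAILURE") for i in range(12)]   # 12 failures in 2 min
    + [okta_event("alice@example.com", 400 * i, "FAILURE") for i in range(3)]  # 3 slow retries, 13 min
    + [okta_event("alice@example.com", 1300, "SUCCESS")]
    + [okta_event("bob@example.com", 5, "FAILURE", "user.session.start")]      # not an MFA event
)

if __name__ == "__main__":
    for user, (first, last, count) in find_mfa_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {count} failed MFA attempts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Only the burst against victim@example.com fires; alice's spread-out retries fall out of the window and bob's session failure is not an MFA event.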
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • Pod
ATT&CK Techniques
  • T1621
Created: 2025-01-21