Auth0: Successful MFA sent with SMS

Anvilogic Forge

Summary
This detection rule monitors SMS-based multi-factor authentication (MFA) events, specifically the successful sending of MFA SMS codes, which is critical for identifying possible account takeover (ATO) attempts. Because SMS is regarded as a weaker authentication factor, tracking when authentication codes are sent can help security teams spot unusual activity that may indicate fraudulent attempts to gain access to accounts. The rule uses a Splunk query to retrieve and aggregate successful MFA send events, focusing on those where SMS codes are sent: it checks for the event type 'gd_send_sms' and the description 'SMS for MFA successfully sent'. Results are grouped by session, user, and source IP to surface anomalies and track user authentication behavior. This monitoring covers the ATT&CK techniques listed below for credential access and modification of the authentication process, supporting account integrity and reducing the risk associated with SMS-based MFA.
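As an added illustration of the rule's matching and grouping logic (example code written for this page, not Anvilogic's or Auth0's own, and a Python stand-in for the Splunk query), the following filters constructed Auth0-style log lines on the two conditions the summary names and aggregates by user, source IP and session; the `details.session_id` field and the triage thresholds are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed Auth0-style log lines (not real tenant data). "type", "description",
# "user_name" and "ip" follow Auth0's log schema; "details.session_id" is assumed.
SAMPLE_LOGS = [
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"alice@example.com","ip":"203.0.113.10","details":{"session_id":"s1"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"alice@example.com","ip":"203.0.113.10","details":{"session_id":"s1"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"bob@example.com","ip":"198.51.100.5","details":{"session_id":"s2"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"bob@example.com","ip":"192.0.2.77","details":{"session_id":"s3"}}',
    '{"type":"gd_send_sms_failure","description":"Error sending SMS","user_name":"bob@example.com","ip":"192.0.2.77","details":{"session_id":"s3"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"carol@example.com","ip":"203.0.113.44","details":{"session_id":"s4"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"carol@example.com","ip":"203.0.113.44","details":{"session_id":"s4"}}',
    '{"type":"gd_send_sms","description":"SMS for MFA successfully sent","user_name":"carol@example.com","ip":"203.0.113.44","details":{"session_id":"s4"}}',
    'not json at all',
]

def parse_events(lines):
    """Parse JSON log lines, dropping malformed lines and non-object records."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except ValueError:
            pass
    return [ev for ev in events if isinstance(ev, dict)]

def is_sms_mfa_sent(ev):
    """Match the rule's two conditions: event type and success description."""
    return (ev.get("type") == "gd_send_sms"
            and "SMS for MFA successfully sent" in ev.get("description", ""))

def aggregate(events):
    """Count successful sends per (user, source IP, session), as the rule groups them."""
    counts = Counter()
    for ev in filter(is_sms_mfa_sent, events):
        key = (ev.get("user_name"), ev.get("ip"), ev.get("details", {}).get("session_id"))
        counts[key] += 1
    return counts

def flag_anomalies(counts, max_per_session=2):
    """Triage helper (assumed thresholds): repeated sends in one session, or one user paged from several IPs."""
    findings, ips_by_user = [], defaultdict(set)
    for (user, ip, session), n in counts.items():
        ips_by_user[user].add(ip)
        if n > max_per_session:
            findings.append(("burst", user, session, n))
    findings += [("multi_ip", u, tuple(sorted(ips)), len(ips))
                 for u, ips in ips_by_user.items() if len(ips) > 1]
    return sorted(findings)
```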
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Process
ATT&CK Techniques
  • T1621
  • T1556.006
Created: 2025-02-28