Potential Okta Password Spray (Multi-Source)

Elastic Detection Rules

Summary
This detection rule targets potential password spray attacks against Okta user accounts. It identifies scenarios in which multiple source IP addresses aggressively attempt to authenticate to multiple user accounts within a defined time period, a pattern indicative of coordinated attacks designed to evade detections that key on a single source. The main goal of the detection is to surface threat actors who rotate IP addresses: as few as 25 failed attempts spread across at least 5 unique source IPs is a distribution of attempts that fits the criteria for password spraying. The rule also aims to help security teams investigate these incidents and apply the relevant remediation if malicious activity is confirmed.
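The threshold logic described above, as an added Python example that is not the Elastic rule's own query: it scans Okta-style System Log events (field names flattened into dotted keys, a representation assumed here) and reports any window in which at least 25 failed logins came from at least 5 distinct source IPs against more than one account. The 5-minute window is an assumption, since the page only says "a defined time period"; the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Thresholds stated on the page; the window length is an assumption for this example.
MIN_FAILURES = 25
MIN_SOURCE_IPS = 5
WINDOW = timedelta(minutes=5)

def spray_windows(events, min_failures=MIN_FAILURES, min_ips=MIN_SOURCE_IPS, window=WINDOW):
    """Return one finding per burst of failed Okta logins that, within `window`, reaches
    `min_failures` attempts from at least `min_ips` source IPs against more than one account."""
    failures = sorted(
        (datetime.fromisoformat(e["published"]), e["client.ipAddress"], e["actor.alternateId"])
        for e in events
        if e["eventType"] == "user.session.start" and e["outcome.result"] == "FAILURE"
    )
    findings, start = [], 0
    for end in range(len(failures)):
        # Advance the window start until the bucket spans at most `window` of time.
        while failures[end][0] - failures[start][0] > window:
            start += 1
        bucket = failures[start:end + 1]
        ips = {ip for _, ip, _ in bucket}
        users = Counter(user for _, _, user in bucket)
        if len(bucket) >= min_failures and len(ips) >= min_ips and len(users) > 1:
            findings.append({"start": bucket[0][0].isoformat(), "failures": len(bucket),
                             "source_ips": len(ips), "targets": len(users)})
            start = end + 1  # a burst is reported once; do not re-count its events
    return findings

def constructed_events():
    """Constructed sample (not real data): a 30-attempt burst rotated across 6 IPs and
    10 accounts, then a single-IP burst that must NOT match the multi-source rule."""
    base = datetime(2026, 2, 19, 10, 0, 0)
    events = []
    for i in range(30):
        events.append({"published": (base + timedelta(seconds=8 * i)).isoformat(),
                       "eventType": "user.session.start", "outcome.result": "FAILURE",
                       "client.ipAddress": f"203.0.113.{10 + i % 6}",
                       "actor.alternateId": f"user{i % 10}@example.com"})
    for i in range(30):
        events.append({"published": (base + timedelta(hours=1, seconds=8 * i)).isoformat(),
                       "eventType": "user.session.start", "outcome.result": "FAILURE",
                       "client.ipAddress": "198.51.100.7",
                       "actor.alternateId": f"user{i % 10}@example.com"})
    return events

if __name__ == "__main__":
    for finding in spray_windows(constructed_events()):
        print(finding)
```

Lowering `min_ips` to 1 makes the second, single-IP burst match as well, which shows that the unique-source threshold is what separates this rule from a plain single-source brute-force detection.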
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2026-02-19