
Potentially Successful MFA Bombing via Push Notifications

Elastic Detection Rules

Summary
This rule detects potential abuse of Multi-Factor Authentication (MFA) in Okta by looking for the pattern an attacker produces when, already holding a user's credentials, they repeatedly trigger push notifications to the user's device in the hope that one is eventually approved (MFA bombing, also called MFA fatigue). The detection is an event sequence keyed on the user: the user denies two MFA push requests in quick succession and then completes a successful login, with the whole sequence, from the first denial to the login, falling inside a 10-minute span. Two denials followed by a success is a signal rather than proof of compromise: a user who rejects two unexpected pushes and then legitimately logs in a few minutes later produces the same sequence, so investigation should verify the user's activity, compare the source IP and location recorded on the denied pushes with those of the successful login, and cross-reference the timing against the user's normal behaviour. An attacker who spaces pushes more than ten minutes apart will not produce a match, so the window is a tuning choice rather than a guarantee. The rule ships with analysis and response steps for confirmed cases and stresses keeping monitoring and response plans current as these tactics evolve.
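The sequence logic described above, as an added example that runs over a constructed log; this is not the rule's own EQL query and not Elastic's code. The event type names user.mfa.okta_verify.deny_push, user.authentication.auth_via_mfa and user.authentication.sso are assumed Okta System Log event types, and every log line, user and IP address is constructed. The sample includes the three ways the sequence fails to match (too few denials, the whole sequence exceeding the 10-minute span, an unrelated event in between) alongside one that does.

```python
"""Sequence detection for MFA push bombing over constructed Okta-style events.

Added example, not the Elastic rule's EQL. The event.action values below are
assumed Okta System Log event types; the sample log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed Okta event types (assumption, not taken from the rule page).
DENY_ACTIONS = {"user.mfa.okta_verify.deny_push"}
SUCCESS_ACTIONS = {"user.authentication.auth_via_mfa", "user.authentication.sso"}
MAXSPAN = timedelta(minutes=10)   # whole sequence must fit in this window
DENIALS_REQUIRED = 2              # two denied pushes before the login

# Constructed sample log, one event per line: "<timestamp> <user> <event.action> <client.ip>".
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice@example.com user.mfa.okta_verify.deny_push 203.0.113.7
2024-03-01T09:00:40Z alice@example.com user.mfa.okta_verify.deny_push 203.0.113.7
2024-03-01T09:03:10Z alice@example.com user.authentication.auth_via_mfa 203.0.113.7
2024-03-01T10:00:00Z bob@example.com user.mfa.okta_verify.deny_push 198.51.100.9
2024-03-01T10:02:00Z bob@example.com user.mfa.okta_verify.deny_push 198.51.100.9
2024-03-01T10:25:00Z bob@example.com user.authentication.sso 192.0.2.44
2024-03-01T11:00:00Z carol@example.com user.mfa.okta_verify.deny_push 198.51.100.9
2024-03-01T11:01:30Z carol@example.com user.session.start 192.0.2.10
2024-03-01T11:02:00Z carol@example.com user.authentication.auth_via_mfa 192.0.2.10
2024-03-01T09:50:00Z dave@example.com user.mfa.okta_verify.deny_push 203.0.113.7
2024-03-01T09:58:00Z dave@example.com user.mfa.okta_verify.deny_push 203.0.113.7
2024-03-01T10:05:00Z dave@example.com user.authentication.auth_via_mfa 203.0.113.7
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    src_ip: str


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, src_ip = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, src_ip))
    return events


def detect_mfa_bombing(events: list[Event]) -> list[dict]:
    """Emit one alert per successful login that is preceded, for the same user, by at
    least DENIALS_REQUIRED denied pushes, with the earliest counted denial no more than
    MAXSPAN before the login (the 'sequence by user with maxspan' behaviour).
    Events arriving out of order are handled by sorting per user first."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.action not in SUCCESS_ACTIONS:
                continue
            # Only denials inside the window count; older ones fall outside the span.
            denials = [d for d in evs[:i]
                       if d.action in DENY_ACTIONS and ev.ts - d.ts <= MAXSPAN]
            if len(denials) < DENIALS_REQUIRED:
                continue
            alerts.append({
                "user": user,
                "login_at": ev.ts.isoformat(),
                "login_ip": ev.src_ip,
                "denied_pushes": len(denials),
                "denial_ips": sorted({d.src_ip for d in denials}),
                "span_seconds": int((ev.ts - denials[0].ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only alice matches: bob's login comes 25 minutes after the first denial, carol denied once, and dave's first denial sits 15 minutes before the login so only one denial is inside the window. The alert carries the client IP recorded on the denials and on the login so the triage step in the summary (does the successful login come from the same place as the rejected pushes?) can start from the alert itself. Denials are not consumed once matched, so a second login by the same user within the window raises a second alert; treat those as one incident.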
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1621 (Multi-Factor Authentication Request Generation)
Created: 2022-01-05