
Cisco Duo Successful MFA Authentication Via Bypass Code

Sigma Rules

Summary
This detection rule identifies successful Multi-Factor Authentication (MFA) events in Cisco Duo that were completed with a bypass code. A bypass code is typically used when a user cannot reach their enrolled devices, for example after losing a device, during a service disruption, or in situations where the enrolled device cannot be used at all (such as on a plane without mobile data). Administrators generate these temporary passcodes so that users keep access to Duo-protected applications and systems. Detecting the use of bypass codes is critical because it may indicate abnormal access behavior, particularly in environments that rely on MFA for enhanced security. Monitoring for successful authentications via bypass code therefore helps detect potential threats against user accounts and mitigate unauthorized access in scenarios where normal MFA devices are unresponsive.
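The detection logic described above, applied to a handful of constructed Duo authentication log records, as an added example that is not part of this page and not the Sigma project's own rule. The field names used (event_type, result, factor, reason, user.name, application.name, access_device.ip, isotimestamp) are an assumption modelled on the Duo Admin API v2 authentication log schema and must be checked against your own Duo export; the sample records are constructed, not real data.

```python
"""Flag successful Cisco Duo MFA authentications completed with a bypass code.

The field names below are an ASSUMPTION modelled on the Duo Admin API v2
authentication log schema; verify them against your own Duo export.
"""
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample log lines (one JSON record per line); not real Duo data.
SAMPLE_LOG_LINES = [
    json.dumps({"event_type": "authentication", "result": "success",
                "factor": "duo_push", "reason": "user_approved",
                "user": {"name": "alice"}, "application": {"name": "VPN"},
                "access_device": {"ip": "203.0.113.10"},
                "isotimestamp": "2024-04-17T09:12:03+00:00"}),
    json.dumps({"event_type": "authentication", "result": "success",
                "factor": "bypass_code", "reason": "valid_passcode",
                "user": {"name": "bob"}, "application": {"name": "Admin Panel"},
                "access_device": {"ip": "198.51.100.7"},
                "isotimestamp": "2024-04-17T09:15:44+00:00"}),
    # Denied bypass-code attempt: the rule only cares about successes.
    json.dumps({"event_type": "authentication", "result": "denied",
                "factor": "bypass_code", "reason": "invalid_passcode",
                "user": {"name": "carol"}, "application": {"name": "VPN"},
                "access_device": {"ip": "192.0.2.55"},
                "isotimestamp": "2024-04-17T09:16:10+00:00"}),
    # Non-authentication event that happens to mention a bypass code.
    json.dumps({"event_type": "enrollment", "result": "success",
                "factor": "bypass_code", "user": {"name": "dave"}}),
    "this line is not JSON and must be skipped, not crash the pipeline",
]


def is_bypass_code_success(event: Dict) -> bool:
    """True when a record is a successful authentication that used a bypass code."""
    return (
        event.get("event_type") == "authentication"
        and event.get("result") == "success"
        and event.get("factor") == "bypass_code"
    )


def iter_events(lines: Iterable[str]) -> Iterator[Dict]:
    """Parse JSON log lines, silently skipping lines that are not valid objects."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict):
            yield event


def find_bypass_code_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return a compact triage record for every matching event."""
    alerts = []
    for event in iter_events(lines):
        if not is_bypass_code_success(event):
            continue
        alerts.append({
            "user": event.get("user", {}).get("name", "<unknown>"),
            "application": event.get("application", {}).get("name", "<unknown>"),
            "source_ip": event.get("access_device", {}).get("ip", "<unknown>"),
            "timestamp": event.get("isotimestamp", "<unknown>"),
            "reason": event.get("reason", "<unknown>"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bypass_code_logins(SAMPLE_LOG_LINES):
        print("bypass-code MFA success:", alert)
```

The three conditions in is_bypass_code_success mirror the rule's intent: an authentication event, a successful result, and the bypass_code factor. Denied attempts and non-authentication events are deliberately excluded so that the alert stays focused on access that actually succeeded; each alert carries the user, application, source IP and timestamp an analyst needs to confirm that an administrator really issued the code for that person.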
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
Created: 2024-04-17