Azure AD Authentication Failed During MFA Challenge

Splunk Security Content

Summary
This analytic detects failed authentication attempts against an Azure Active Directory (AAD) tenant during the Multi-Factor Authentication (MFA) challenge. Specifically, it looks for error code 500121 in Azure AD SignInLogs, which Azure AD returns when a sign-in fails at the MFA step: the primary credential was accepted, but the strong-authentication request was not satisfied. When a user with MFA enabled generates this error, it can mean that an adversary holding the user's valid (compromised) credentials is attempting to authenticate and is being stopped at the second factor; a burst of these failures against one account is also the signature of an MFA request-generation ("push fatigue") attempt, which is the kind of MFA bypass this rule is meant to surface before it succeeds. Implementing this detection requires a search in a Splunk environment configured to ingest AAD SignInLogs through an EventHub. The rule excludes sign-ins in which the MFA challenge was ultimately completed, so it focuses on genuine failures while keeping the false-positive rate low. A legitimate user who ignores or times out a single push prompt produces the same error code, so that is the main benign case to tune for, for example by alerting on repeated failures per user and source IP rather than on a single event.
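As an added example (not code from the Splunk Security Content project or from the page), the detection logic described above, run over a handful of constructed SignInLogs events rather than in SPL: filter for error code 500121, drop any event in which a non-password step still succeeded, and aggregate the remainder by user and source IP so a burst against one account stands out from a single missed push prompt. The event shape (sign-in fields nested under "properties" as exported through an EventHub, with userPrincipalName, ipAddress, appDisplayName and status.errorCode) follows the Azure AD sign-in log schema; the per-step authenticationDetails sub-fields are an assumption based on the Microsoft Graph signIn resource, and all sample records, account names and addresses are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Azure AD error code returned when the MFA step of a sign-in is not satisfied.
MFA_CHALLENGE_FAILED = 500121


def _event(ts, user, ip, code, reason, mfa_ok=False, pw_ok=True,
           app="Office 365 Exchange Online"):
    """Build one constructed SignInLogs event in the EventHub export shape."""
    return {
        "time": ts,
        "category": "SignInLogs",
        "properties": {
            "userPrincipalName": user,
            "ipAddress": ip,
            "appDisplayName": app,
            "status": {"errorCode": code, "failureReason": reason},
            # Per-step detail. These sub-field names are an assumption taken
            # from the Graph signIn resource, not from the page.
            "authenticationDetails": [
                {"authenticationMethod": "Password", "succeeded": pw_ok},
                {"authenticationMethod": "Mobile app notification", "succeeded": mfa_ok},
            ],
        },
    }


MFA_FAIL = "Authentication failed during strong authentication request."
BAD_PW = "Error validating credentials due to invalid username or password."

# Constructed sample log lines (JSON per line), not real telemetry:
# alice fails MFA three times in 90 s from one IP, bob fails once then
# succeeds, carol fails at the password step (a different stage entirely).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    _event("2024-11-14T10:00:00Z", "alice@contoso.example", "203.0.113.10", 500121, MFA_FAIL),
    _event("2024-11-14T10:00:40Z", "alice@contoso.example", "203.0.113.10", 500121, MFA_FAIL),
    _event("2024-11-14T10:01:25Z", "alice@contoso.example", "203.0.113.10", 500121, MFA_FAIL),
    _event("2024-11-14T10:05:00Z", "bob@contoso.example", "198.51.100.7", 500121, MFA_FAIL),
    _event("2024-11-14T10:06:00Z", "bob@contoso.example", "198.51.100.7", 0, "", mfa_ok=True),
    _event("2024-11-14T10:07:00Z", "carol@contoso.example", "192.0.2.44", 50126, BAD_PW,
           pw_ok=False),
]]


def parse_sign_in_events(lines):
    """Parse JSON-per-line events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole search
    return events


def is_failed_mfa_challenge(event):
    """True when the sign-in failed at the MFA step (500121) and no MFA step
    later succeeded, so legitimately completed challenges are excluded."""
    if event.get("category") != "SignInLogs":
        return False
    props = event.get("properties", {})
    if props.get("status", {}).get("errorCode") != MFA_CHALLENGE_FAILED:
        return False
    for step in props.get("authenticationDetails", []):
        if step.get("authenticationMethod") != "Password" and step.get("succeeded"):
            return False
    return True


def summarize_failed_mfa(lines):
    """Group failed MFA challenges by (user, source IP), like a stats-by clause."""
    summary = defaultdict(lambda: {"count": 0, "first_seen": None,
                                   "last_seen": None, "apps": set()})
    for ev in parse_sign_in_events(lines):
        if not is_failed_mfa_challenge(ev):
            continue
        p = ev["properties"]
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        entry = summary[(p.get("userPrincipalName"), p.get("ipAddress"))]
        entry["count"] += 1
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
        entry["apps"].add(p.get("appDisplayName"))
    return dict(summary)


def alerts(lines, min_failures=1):
    """(user, ip) pairs with at least min_failures failed challenges, most
    failures first. A threshold above 1 suppresses a single ignored prompt."""
    hits = [(k, v) for k, v in summarize_failed_mfa(lines).items()
            if v["count"] >= min_failures]
    return sorted(hits, key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for (user, ip), v in alerts(SAMPLE_LOG_LINES, min_failures=2):
        print(f"{user} from {ip}: {v['count']} failed MFA challenges "
              f"between {v['first_seen']} and {v['last_seen']}")
```

With min_failures=1 bob's single timed-out prompt is reported alongside alice's burst; raising it to 2 or 3 keeps the burst and drops the one-off, which is the tuning trade-off the summary describes. In the real Splunk search the same grouping is a stats-by over user and source address with min/max of _time.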
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Active Directory
ATT&CK Techniques
  • T1621 (Multi-Factor Authentication Request Generation)
  • T1078 (Valid Accounts)
  • T1586 (Compromise Accounts)
  • T1586.003 (Compromise Accounts: Cloud Accounts)
  • T1078.004 (Valid Accounts: Cloud Accounts)
Created: 2024-11-14