
Summary
This detection rule identifies attempts to exploit CVE-2023-7028 in GitLab, an account-takeover vulnerability in the password-reset flow. A legitimate reset request carries exactly one email address. Because the vulnerable versions accepted the email field as an array (user[email][] repeated), an attacker could request a reset for a victim's account and have the reset link delivered to an attacker-controlled address as well as the victim's, then use that link to set a new password. The vulnerability is critical (CVSS score 10.0). The rule monitors password-reset requests and alerts on any request that supplies more than one email address, which never occurs in normal use of the reset form. The rule's tests confirm that multi-address reset requests are flagged and that ordinary single-address resets are not.
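The following is an added example of the detection logic described above, not code from the rule itself or from GitLab. It applies the rule to two input kinds: a raw URL-encoded reset form body, and JSON request-log lines in the shape of GitLab's production_json.log. The log-line layout (top-level "method" and "path", and "params" as a list of key/value objects with the form fields nested under "user"), the endpoint path "/users/password", and all sample log lines are constructed for the example.

```python
"""Added example: detection logic for CVE-2023-7028 style password-reset abuse.

A legitimate GitLab reset request carries exactly one address. The exploit
supplies an array (user[email][] repeated), so the reset link is mailed to an
attacker-controlled address as well as the victim's. The checks below flag
any reset request that carries more than one address and stay silent on a
normal single-address reset.
"""
from __future__ import annotations

import json
from urllib.parse import parse_qs

# Devise password-reset endpoint used by GitLab (assumption: self-hosted
# instance served at the root, no relative URL prefix).
RESET_PATH = "/users/password"


def emails_from_form_body(body: str) -> list[str]:
    """Extract every email supplied in a URL-encoded reset form body.

    Duplicates are kept on purpose: two copies of the same address are still
    an array, which is not how the web UI submits the form.
    """
    params = parse_qs(body, keep_blank_values=True)
    return params.get("user[email][]", []) + params.get("user[email]", [])


def parse_json_log_line(line: str) -> tuple[str, str, list[str]] | None:
    """Pull (method, path, emails) out of one production_json.log style line.

    Assumed record shape (constructed for this example): top-level "method"
    and "path", and "params" as a list of {"key": ..., "value": ...} objects
    with the form fields nested under the "user" key.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    emails: list[str] = []
    for param in rec.get("params", []):
        if param.get("key") != "user" or not isinstance(param.get("value"), dict):
            continue
        value = param["value"].get("email")
        if isinstance(value, list):
            emails.extend(str(e) for e in value)
        elif value is not None:
            emails.append(str(value))
    return rec.get("method", ""), rec.get("path", ""), emails


def is_multi_email_reset(method: str, path: str, emails: list[str]) -> bool:
    """The actual rule: a POST to the reset endpoint carrying more than one address."""
    return method.upper() == "POST" and path == RESET_PATH and len(emails) > 1


def scan_json_log(lines: list[str]) -> list[dict]:
    """Run the rule over log lines and return one alert per offending request."""
    alerts = []
    for line in lines:
        parsed = parse_json_log_line(line)
        if parsed is None:
            continue
        method, path, emails = parsed
        if is_multi_email_reset(method, path, emails):
            rec = json.loads(line)
            alerts.append({
                "remote_ip": rec.get("remote_ip"),
                "time": rec.get("time"),
                "emails": emails,
            })
    return alerts


# Constructed sample log lines (not real GitLab traffic): one exploit attempt,
# one legitimate single-address reset, one unrelated request.
SAMPLE_LOG = [
    json.dumps({
        "time": "2024-01-12T10:02:11.000Z", "method": "POST", "path": RESET_PATH,
        "status": 302, "remote_ip": "203.0.113.7",
        "params": [
            {"key": "authenticity_token", "value": "[FILTERED]"},
            {"key": "user", "value": {"email": ["victim@example.com", "attacker@example.net"]}},
        ],
    }),
    json.dumps({
        "time": "2024-01-12T10:03:40.000Z", "method": "POST", "path": RESET_PATH,
        "status": 302, "remote_ip": "198.51.100.23",
        "params": [
            {"key": "authenticity_token", "value": "[FILTERED]"},
            {"key": "user", "value": {"email": "alice@example.com"}},
        ],
    }),
    json.dumps({
        "time": "2024-01-12T10:04:02.000Z", "method": "GET", "path": "/users/sign_in",
        "status": 200, "remote_ip": "198.51.100.23", "params": [],
    }),
]

if __name__ == "__main__":
    for alert in scan_json_log(SAMPLE_LOG):
        print("ALERT multi-address password reset:", alert)
```

Running the block prints one alert, for the request from 203.0.113.7 that carried two addresses; the single-address reset and the sign-in request produce nothing. The form-body parser exists for the case where only the web server or WAF log with the raw body is available; parse_qs decodes the percent-encoded brackets, so `user%5Bemail%5D%5B%5D=` and `user[email][]=` are treated the same.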
Categories
- Web
- Application
Data Sources
- Application Log
- User Account
ATT&CK Techniques
- T1195
- T1190
- T1098
Created: 2024-03-26