
Summary
This threat detection rule targets brute-force attempts against the multi-factor authentication (MFA) mechanism of Azure Entra, specifically Time-based One-Time Password (TOTP) verification codes. The rule flags an unusually high number of failed TOTP code attempts for a single user within a short time frame, the pattern expected when an adversary who already holds valid credentials tries to guess the second factor and bypass MFA. A successful guess could lead to unauthorized access to vital Azure resources. The analytic relies on Azure sign-in logs to capture login behaviour in detail and is intended to prompt investigation of the affected user's activity, source IP addresses, authentication methods and user agent characteristics. It is designed for environments using Azure and depends on the Azure logs integration being configured correctly, since it needs the log entries that record authentication failures and attempt rates.
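The following is an added illustration of the counting logic the summary describes, not the rule's own query: it runs a per-user sliding window over constructed sign-in records and raises one alert when failed TOTP attempts reach a threshold, carrying the IPs, methods and user agents an analyst would want for triage. The field names (userPrincipalName, resultType, authenticationMethod, ipAddress, userAgent), the method labels and the threshold of 10 failures in 5 minutes are assumptions chosen for the example; map them to your own sign-in log schema and tuning.

```python
"""Sliding-window detection of failed TOTP MFA attempts per user.

Added illustration, not the rule's own query. Event field names, method
labels and the thresholds are assumptions: adjust them to the schema of your
Azure sign-in log export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed authentication-method labels that denote a TOTP-style code.
TOTP_METHODS = {"OATH verification code", "Mobile app verification code"}


def _make_event(ts, user, result, method, ip, ua):
    """Build one constructed sign-in record (sample data, not real logs)."""
    return {
        "createdDateTime": ts.isoformat(),
        "userPrincipalName": user,
        "resultType": result,            # "success" or "failure" (assumed values)
        "authenticationMethod": method,
        "ipAddress": ip,
        "userAgent": ua,
    }


_T0 = datetime(2024, 12, 11, 10, 0, 0)

# Constructed sample: alice gets 12 failed TOTP codes in under 3 minutes from
# one IP, then one success; bob has two failures 20 minutes apart; carol fails
# on a non-TOTP method, which the detection ignores.
SAMPLE_EVENTS = (
    [_make_event(_T0 + timedelta(seconds=15 * i), "alice@contoso.example",
                 "failure", "OATH verification code", "203.0.113.7",
                 "python-requests/2.31") for i in range(12)]
    + [_make_event(_T0 + timedelta(seconds=200), "alice@contoso.example",
                   "success", "OATH verification code", "203.0.113.7",
                   "python-requests/2.31")]
    + [_make_event(_T0 + timedelta(minutes=m), "bob@contoso.example",
                   "failure", "OATH verification code", "198.51.100.4",
                   "Mozilla/5.0") for m in (0, 20)]
    + [_make_event(_T0, "carol@contoso.example", "failure",
                   "Mobile app notification", "198.51.100.9", "Mozilla/5.0")]
)


def detect_totp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per user whose failed TOTP attempts inside any
    `window` reach `threshold`. Each alert carries the investigation context
    the rule calls for: source IPs, methods and user agents in the window."""
    failures = [e for e in events
                if e["resultType"] == "failure"
                and e["authenticationMethod"] in TOTP_METHODS]
    # ISO-8601 strings of one format sort chronologically.
    failures.sort(key=lambda e: e["createdDateTime"])

    recent = defaultdict(deque)   # user -> events still inside the window
    alerts = {}
    for ev in failures:
        user = ev["userPrincipalName"]
        ts = datetime.fromisoformat(ev["createdDateTime"])
        q = recent[user]
        q.append(ev)
        # Evict events that have fallen out of the sliding window.
        while datetime.fromisoformat(q[0]["createdDateTime"]) < ts - window:
            q.popleft()
        if len(q) >= threshold:
            # Keep updating the same alert so the final count covers the
            # whole burst rather than only the moment the threshold was hit.
            alerts[user] = {
                "user": user,
                "failures": len(q),
                "window_start": q[0]["createdDateTime"],
                "window_end": ev["createdDateTime"],
                "source_ips": sorted({e["ipAddress"] for e in q}),
                "methods": sorted({e["authenticationMethod"] for e in q}),
                "user_agents": sorted({e["userAgent"] for e in q}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_totp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports only alice: 12 failures from a single IP with a scripted user agent, which is exactly the combination the summary tells the analyst to examine. Bob's two failures never share a window, and carol's failure is on a method outside the TOTP set, so neither produces noise. Tune `threshold` and `window` to the legitimate retry behaviour seen in your own tenant before deploying a rule like this.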
Categories
- Cloud
- Azure
- Identity Management
- Web
Data Sources
- User Account
- Cloud Service
- Network Traffic
- Application Log
ATT&CK Techniques
- T1110
- T1110.001
Created: 2024-12-11