
Summary
This detection rule monitors Azure Active Directory (Azure AD) sign-in logs for an abnormal increase in denied Multi-Factor Authentication (MFA) attempts by an individual user, specifically cases where more than nine MFA prompts are declined within a ten-minute timeframe. The rule filters sign-in events for error code 500121, which indicates that the user actively denied the MFA request. Such a pattern can indicate a targeted account compromise attempt in which an attacker systematically tries to sign in to the account while the legitimate user keeps denying the unauthorized prompts. The activity matters because it is often a precursor to adversarial tactics such as data exfiltration or lateral movement within an organization's infrastructure. Implementing this rule can provide early warning of such attacks; alerts warrant further investigation and response to protect sensitive identity-based resources.
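The threshold logic described above, as an added example that is not part of the original rule: a Python pass over constructed Azure AD sign-in records (the JSON field names userPrincipalName, createdDateTime and status.errorCode are assumed) that flags any user with more than nine error 500121 events inside a sliding ten-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Azure AD sign-in error code the rule keys on: the MFA prompt was denied.
MFA_DENIED_CODE = 500121

def parse_signin_logs(lines):
    """Parse newline-delimited JSON sign-in records. Field names assumed:
    userPrincipalName, createdDateTime, status.errorCode."""
    events = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        events.append((rec["userPrincipalName"], ts, int(rec["status"]["errorCode"])))
    return events

def find_mfa_denial_bursts(events, threshold=9, window=timedelta(minutes=10)):
    """Return {user: (count, first_ts, last_ts)} for each user with more than
    `threshold` denied prompts inside any sliding window of length `window`."""
    per_user = defaultdict(list)
    for user, ts, code in events:
        if code == MFA_DENIED_CODE:
            per_user[user].append(ts)
    hits = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the left edge forward
                start += 1
            count = end - start + 1
            if count > threshold and count > hits.get(user, (0,))[0]:
                hits[user] = (count, stamps[start], ts)
    return hits

def sample_log():
    """Constructed sample (not real data): alice declines 12 prompts in 6 min,
    dave exactly 9 in 8 min (boundary, no alert), carol 12 spread over 73 min."""
    base = datetime(2024, 11, 14, 9, 0, tzinfo=timezone.utc)
    def rec(user, offset_s, code=MFA_DENIED_CODE):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return json.dumps({"userPrincipalName": user, "createdDateTime": ts,
                           "status": {"errorCode": code}})
    lines = [rec("alice@example.com", 30 * i) for i in range(12)]
    lines += [rec("alice@example.com", 45 * i, 0) for i in range(3)]  # successes, ignored
    lines += [rec("dave@example.com", 60 * i) for i in range(9)]
    lines += [rec("carol@example.com", 400 * i) for i in range(12)]
    return lines

SAMPLE_HITS = find_mfa_denial_bursts(parse_signin_logs(sample_log()))
```

Only alice is reported: dave stops at exactly nine denials and carol's twelve never fall inside one ten-minute window, which is the kind of slow, spread-out pattern this threshold deliberately does not catch.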
Categories
- Cloud
- Identity Management
- Azure
- Application
- Endpoint
Data Sources
- Active Directory
- User Account
ATT&CK Techniques
- T1621
- T1078
Created: 2024-11-14