Potential MFA Bypass Using Legacy Client Authentication

Sigma Rules

Summary
This detection rule identifies possible instances of multi-factor authentication (MFA) bypass attempts using legacy client authentication methods. By monitoring authentication events, specifically user agent strings that indicate the use of known legacy clients, the rule flags successful login attempts that may use outdated protocols. This behavior is often associated with password spray attacks where attackers exploit less secure authentication methods to gain access without triggering MFA protections. It is critical to monitor these authentication patterns closely to defend against unauthorized access attempts that could lead to credential compromise.
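The matching logic described in the summary, sketched in Python over constructed sign-in events. This is an added example, not the rule's own source. The field names (`user`, `src_ip`, `status`, `user_agent`) and the user-agent markers are assumptions, since the page lists neither. It goes one step beyond the rule by also grouping legacy-client attempts per source IP, which gives an analyst the password-spray context for each hit.

```python
from collections import defaultdict

# Assumed markers: user-agent substrings commonly reported for legacy-auth
# clients in Microsoft Entra ID sign-in logs. The page does not list the
# rule's own values; replace them with what your own logs show.
LEGACY_UA_MARKERS = ("BAV2ROPC", "CBAinPROD", "CBAinTAR")

# Constructed sample events (hypothetical field names, documentation IP ranges).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "src_ip": "203.0.113.7", "status": "Success", "user_agent": "BAV2ROPC"},
    {"user": "bob@example.com", "src_ip": "203.0.113.7", "status": "Failure", "user_agent": "BAV2ROPC"},
    {"user": "carol@example.com", "src_ip": "203.0.113.7", "status": "Success", "user_agent": "bav2ropc"},
    {"user": "dave@example.com", "src_ip": "198.51.100.20", "status": "Success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"user": "erin@example.com", "src_ip": "198.51.100.9", "status": "Success", "user_agent": None},
]

def is_legacy_client(user_agent, markers=LEGACY_UA_MARKERS):
    """Case-insensitive substring match; a missing user agent never matches."""
    if not user_agent:
        return False
    ua = user_agent.lower()
    return any(m.lower() in ua for m in markers)

def is_success(event):
    return (event.get("status") or "").lower() == "success"

def find_legacy_successes(events, markers=LEGACY_UA_MARKERS):
    """Successful sign-ins whose user agent indicates a legacy client."""
    return [e for e in events
            if is_success(e) and is_legacy_client(e.get("user_agent"), markers)]

def spray_context(events, markers=LEGACY_UA_MARKERS):
    """Per source IP: accounts tried vs. accounts that succeeded via legacy
    clients. Failures are kept so a success among many attempts stands out."""
    tried, succeeded = defaultdict(set), defaultdict(set)
    for e in events:
        if not is_legacy_client(e.get("user_agent"), markers):
            continue
        tried[e["src_ip"]].add(e["user"])
        if is_success(e):
            succeeded[e["src_ip"]].add(e["user"])
    return {ip: {"tried": sorted(tried[ip]), "succeeded": sorted(succeeded[ip])}
            for ip in tried}

if __name__ == "__main__":
    for hit in find_legacy_successes(SAMPLE_EVENTS):
        print("ALERT", hit["user"], hit["src_ip"], hit["user_agent"])
    print(spray_context(SAMPLE_EVENTS))
```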
Categories
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Logon Session
  • Cloud Service
Created: 2023-03-20