
Summary
This detection rule flags cases where multiple users share the same phone number for Multi-Factor Authentication (MFA) in Auth0. Attackers may leverage a compromised phone number associated with multiple accounts, so the rule treats such sharing as a potential security risk. The detection logic works on the Auth0.Events log type and looks for events related to Guardian enrollment via SMS. The rule fires at a threshold of just two users associated with the same phone number, and each match should be reviewed promptly. The rule's status is enabled, reflecting its use against account takeovers and identity fraud.
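The grouping logic described above, sketched in Python as an added example (not the rule's own source). The event layout, including the `gd_enrollment_complete` type check and the `details.authenticator.phone_number` path, is an assumption made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

THRESHOLD = 2  # per the rule: two users on one number is enough to alert

def ev(user, etype, factor=None, phone=None):
    """Build a constructed event; this field layout is an assumption."""
    auth = {"type": factor, "phone_number": phone}
    return {"type": etype, "user_id": user, "details": {"authenticator": auth}}

# Constructed sample log; users and numbers are made up.
SAMPLE_EVENTS = [
    ev("auth0|alice", "gd_enrollment_complete", "sms", "+1 (555) 010-0199"),
    ev("auth0|bob", "gd_enrollment_complete", "sms", "+15550100199"),
    ev("auth0|alice", "gd_enrollment_complete", "sms", "+15550100199"),  # re-enrollment
    ev("auth0|carol", "gd_enrollment_complete", "sms", "+15550100142"),
    ev("auth0|carol", "gd_enrollment_complete", "sms", "+1 555 010 0142"),
    ev("auth0|dave", "gd_enrollment_complete", "otp"),   # not an SMS factor
    ev("auth0|erin", "s"),                               # ordinary login event
    ev("auth0|frank", "gd_enrollment_complete", "sms"),  # phone number missing
]

def normalize_phone(raw):
    """Reduce a number to '+digits' so formatting differences do not hide a match."""
    digits = "".join(ch for ch in (raw or "") if ch.isdigit())
    return "+" + digits if digits else None

def is_sms_enrollment(event):
    """True only for Guardian enrollment events that used the SMS factor."""
    auth = event.get("details", {}).get("authenticator", {})
    return event.get("type") == "gd_enrollment_complete" and auth.get("type") == "sms"

def shared_phone_alerts(events, threshold=THRESHOLD):
    """Return {phone: sorted user ids} for numbers enrolled by >= threshold distinct users."""
    users_by_phone = defaultdict(set)
    for event in events:
        if not is_sms_enrollment(event):
            continue
        phone = normalize_phone(event["details"]["authenticator"].get("phone_number"))
        user = event.get("user_id")
        if phone and user:
            users_by_phone[phone].add(user)  # a set, so re-enrollments count once
    return {p: sorted(u) for p, u in users_by_phone.items() if len(u) >= threshold}

if __name__ == "__main__":
    for phone, users in shared_phone_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {phone} shared by {len(users)} users: {', '.join(users)}")
```

Counting distinct user IDs per normalized number keeps a single user re-enrolling the same phone from tripping the two-user threshold.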
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1098
Created: 2025-10-29