In one of our customers, there is an alert related to a global administrator account. There is a conditional access policy in place and password-less sign in is NOT active. Based on sign-in logs, it tells status is failure and sign-in error code is 500121. This attempt is from another country using application 'O365 Suite UX'.
The question is since error 500121 means the user did NOT pass MFA, does that mean that the attacker provided username and 'correct password'? Is it possible to reach MFA stage without providing correct credentials?