WTF is going on in these logs?

I had a user phished the other day but they realized and changed their password straight away.  Not before the bad actor collected his credentials so I checked the logs and what I see makes no sense.

First i looked at the sign in logs (Sign in logs.png).  You can see a failed login attempt from Jacksonville Florida.  You can see they used the old password (invalid passowrd.png).  Looks good right?

Then why the hell is there a follow up attempt (approved.png) that says Password via pass-through succeeded?  Yes, it's now waiting for MFA but if it's the wrong password as seen prior why now is it saying succeeded?

Plus, another one 10 mins later from another IP (probably trying to get around location blocking) with the same thing.  Pass Through succussed and now waiting for MFA.

If the password is wrong, why even request MFA?