
Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
Elastic Detection Rules
Summary
This rule detects Entra ID sign-in activity where the Microsoft Authentication Broker uses a non-standard user agent, i.e., a user_agent.original string that diverges from typical browser, mobile, or Windows authentication clients. Such non-standard agents are commonly observed in adversary-in-the-middle campaigns and OAuth phishing toolchains that relay tokens via scripted clients (for example Node.js, Python, or generic HTTP libraries) while targeting first-party resources through the broker.

The detection targets logs from Microsoft Entra ID sign-in events, focuses on sign-ins where the broker is the app used to obtain tokens, and flags unusual user agent strings even when the sign-in succeeds. The rule emphasizes that legitimate automation, SDKs, or approved tooling may occasionally generate atypical user agents, and provides guidance to validate authenticity via session correlation, resource access, and conditional access outcomes.

It also maps detected behavior to MITRE ATT&CK techniques related to Initial Access (Phishing), Cloud Accounts (Valid Accounts), and Steal Web Session Cookies, underscoring the credential-access opportunity if tokens are harvested or misused.

Triage steps involve inspecting the user_agent.original, correlating the sign-in session_id with other activities (device registrations, Graph activity), reviewing conditional access outcomes, and analyzing source IP/ASN against expected egress patterns. False positives often include legitimate non-browser clients from first-party tooling, so tuning exclusions for known automation patterns is advised.

Remediation in case of malicious activity includes revoking refresh tokens, auditing device registrations, credential resets, and escalating when paired with suspicious ASN sign-ins or anomalous OAuth flows.

The rule includes references to phishing and OAuth workflows and provides investigative references, user_principal_name context, and session identifiers to support rapid validation and containment.
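The detection logic described above, as an added example that is not Elastic's rule code: it filters constructed Entra ID sign-in events to those where the broker obtained the token, flags user agents outside a heuristic browser/mobile/Windows list regardless of sign-in outcome, and applies an exclusion list for vetted automation. The field names (app_display_name, user_agent.original, session_id), the broker display name and the standard-client markers are assumptions.

```python
import re

# Assumed Entra ID display name of the broker application (assumption, not taken from the rule).
BROKER_APP = "Microsoft Authentication Broker"
# Heuristic markers of browser, mobile and Windows auth clients (assumed list; tune to your tenant).
STANDARD_UA = re.compile(r"Mozilla/|Windows-AzureAD-Authentication-Provider|Dalvik/|CFNetwork/", re.I)
# Tuning exclusions for vetted first-party automation; this pattern is a constructed placeholder.
KNOWN_AUTOMATION = [re.compile(r"^AcmeInventoryBot/\d")]


def is_non_standard_ua(ua):
    """Empty user agents and anything lacking a standard-client marker count as non-standard."""
    return not ua or STANDARD_UA.search(ua) is None


def detect(events):
    """Flag broker sign-ins with atypical user agents, whether or not the sign-in succeeded."""
    alerts = []
    for ev in events:
        if ev.get("app_display_name") != BROKER_APP:
            continue  # only token requests made through the broker are in scope
        ua = ev.get("user_agent", {}).get("original", "")
        if not is_non_standard_ua(ua) or any(p.search(ua) for p in KNOWN_AUTOMATION):
            continue
        # Carry the pivots triage needs: session_id for correlation, source IP for ASN review.
        alerts.append({"user": ev["user_principal_name"], "session_id": ev["session_id"],
                       "source_ip": ev["source_ip"], "outcome": ev["outcome"], "user_agent": ua})
    return alerts


def _event(app, upn, sid, ip, outcome, ua):
    return {"app_display_name": app, "user_principal_name": upn, "session_id": sid,
            "source_ip": ip, "outcome": outcome, "user_agent": {"original": ua}}


# Constructed sample sign-in events (ECS-style field names are an assumption).
SAMPLE_EVENTS = [
    _event(BROKER_APP, "alice@example.com", "s-001", "203.0.113.10", "success",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    _event(BROKER_APP, "bob@example.com", "s-002", "198.51.100.7", "success", "python-requests/2.31.0"),
    _event("Office 365 Exchange Online", "carol@example.com", "s-003", "198.51.100.8", "success", "axios/1.6.0"),
    _event(BROKER_APP, "svc-inv@example.com", "s-004", "203.0.113.20", "success", "AcmeInventoryBot/2.0"),
    _event(BROKER_APP, "dave@example.com", "s-005", "198.51.100.9", "failure", ""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the python-requests sign-in and the empty-user-agent failure are raised; the browser sign-in, the non-broker app and the excluded automation pattern are left alone.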
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1566
- T1566.002
- T1078
- T1078.004
- T1539
Created: 2026-05-27