
Summary
This detection rule identifies suspicious concurrent sign-in attempts to Microsoft Entra ID by the same user and session from multiple sources. It focuses in particular on sign-in events that use the DeviceCode protocol, which is associated with OAuth phishing. Attackers who steal tokens, for example Refresh Tokens (RTs) obtained through phishing, can use them to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. The detection uses an ES|QL query over Azure sign-in logs, checking specific conditions on the authentication attempts and on the number of unique source IPs and user agents involved. These indicators align with common tactics adversaries use to compromise accounts, which makes the rule useful for monitoring potential breaches in Azure environments.
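The grouping logic the summary describes, written out as an added Python example rather than the rule's own ES|QL query: sign-ins are grouped by user and session, and a session is flagged when a device-code authentication is accompanied, within a short window, by sign-ins from more than one source IP or user agent. The records, field names, window and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in records, not real log data. The field names are an
# assumed, simplified rendering of Entra ID sign-in log properties.
def _rec(ts, user, sid, proto, ip, ua):
    return {"ts": ts, "user": user, "session_id": sid, "protocol": proto, "ip": ip, "ua": ua}

SAMPLE_SIGNINS = [
    # alice: device code sign-in, then a second source in the same session 90s later
    _rec("2025-12-02T10:00:00", "alice", "s-1", "deviceCode", "203.0.113.10", "Edge/120"),
    _rec("2025-12-02T10:01:30", "alice", "s-1", "none", "198.51.100.7", "python-requests/2.31"),
    # bob: device code sign-in, same IP and user agent throughout
    _rec("2025-12-02T10:00:00", "bob", "s-2", "deviceCode", "203.0.113.20", "Edge/120"),
    _rec("2025-12-02T10:00:40", "bob", "s-2", "none", "203.0.113.20", "Edge/120"),
    # carol: two sources, but no device code authentication in the session
    _rec("2025-12-02T10:00:00", "carol", "s-3", "none", "203.0.113.30", "Safari/17"),
    _rec("2025-12-02T10:02:00", "carol", "s-3", "none", "198.51.100.9", "Outlook/16"),
    # dave: device code sign-in, second source two hours later (outside the window)
    _rec("2025-12-02T09:00:00", "dave", "s-4", "deviceCode", "203.0.113.40", "Firefox/121"),
    _rec("2025-12-02T11:00:00", "dave", "s-4", "none", "198.51.100.11", "Firefox/121"),
]

def find_suspicious_sessions(records, window=timedelta(minutes=5), min_sources=2):
    """Return user/session groups in which a device-code sign-in is accompanied, within
    `window`, by sign-ins from at least `min_sources` distinct source IPs or user agents."""
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["user"], r["session_id"])].append(
            {**r, "ts": datetime.fromisoformat(r["ts"])})
    hits = []
    for (user, session_id), events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        # Only sessions that contain at least one device-code authentication.
        if not any(e["protocol"] == "deviceCode" for e in events):
            continue
        for i, first in enumerate(events):
            # Slide a window forward from each event and count distinct sources.
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            ips = {e["ip"] for e in cluster}
            uas = {e["ua"] for e in cluster}
            if len(ips) >= min_sources or len(uas) >= min_sources:
                hits.append({"user": user, "session_id": session_id,
                             "source_ips": sorted(ips), "user_agents": sorted(uas)})
                break  # one alert per session
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_sessions(SAMPLE_SIGNINS):
        print(hit)
```

Only alice's session is flagged: bob stays on one source, carol never used device code, and dave's second source falls outside the window.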
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1528
- T1566
- T1566.002
Created: 2025-12-02