Azure VM Extension CRUD Operation with Unusual Source ASN

Elastic Detection Rules

Summary
This detection rule uses the new_terms paradigm to surface Azure VM extension operations that look unusual given the combination of the extension resource name and the source ASN. It targets CRUD actions on VM extensions (MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/* or the VM scale set equivalents) and flags cases where the targeted extension name has been operated on from a source ASN that has not been observed recently. Extensions such as CustomScript and DSC run with SYSTEM/root privileges, so create/update (WRITE) and delete (DELETE) actions can enable code execution or persistence, which makes this a high-risk primitive. The rule excludes routine first-party Microsoft automation (from well-known Microsoft ASNs) to reduce noise.

The detection runs on Azure Activity Logs (logs-azure.activitylogs-*) with a current window starting at now-9m and a new-terms history window of now-7d, so that only genuinely new source-extension relationships are surfaced. It fires on WRITE/DELETE (and also captures READ where applicable) to expose potentially malicious or misconfigured extension activity that could precede credential access, persistence, or defense-evasion actions.

MITRE mappings include Cloud Administration Command (T1651) under Execution and Boot or Logon Initialization Scripts (T1037) under Persistence, reflecting the potential for remote code execution or persistence via VM extensions. The rule provides explicit investigation fields (principal identity, source ASN, extension target, and resource IDs) and a practitioner-focused triage guide for validating legitimacy, correlating with endpoint telemetry, and containing or remediating the affected VM or VMSS. The risk score is 47 with medium severity, aligning with notable but not universally observed attacker behavior in cloud management workflows.
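The new-terms logic described above, emulated over constructed activity-log records as an added example (not the rule's own query or Elastic code): events in the current 9-minute window are flagged when their (extension name, source ASN) pair was not seen during the preceding 7 days, and a stand-in Microsoft ASN allow-list (AS8075, which the page does not enumerate) is assumed for the first-party exclusion.

```python
import re
from datetime import datetime, timedelta, timezone

# Operations the rule targets: CRUD on VM / VMSS extensions (WRITE and DELETE
# shown here; the page's wildcard also covers READ where applicable).
CRUD_RE = re.compile(
    r"^MICROSOFT\.COMPUTE/(VIRTUALMACHINES|VIRTUALMACHINESCALESETS)/EXTENSIONS/(WRITE|DELETE)$"
)
# Assumed stand-in for the rule's first-party Microsoft ASN allow-list (AS8075 is
# Microsoft's well-known ASN; the page does not enumerate the real list).
MICROSOFT_ASNS = {8075}

# Constructed Azure Activity Log sample, reduced to the fields the rule keys on.
NOW = datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc)
OP_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
EVENTS = [
    # History window: CustomScript pushed from the ops automation's ASN all week.
    {"ts": NOW - timedelta(days=5), "op": OP_WRITE, "ext": "CustomScript", "asn": 64500, "actor": "ops-automation"},
    {"ts": NOW - timedelta(days=2), "op": OP_WRITE, "ext": "CustomScript", "asn": 64500, "actor": "ops-automation"},
    # Current window: same extension, but from an ASN never seen in 7 days -> alert.
    {"ts": NOW - timedelta(minutes=3), "op": OP_WRITE, "ext": "CustomScript", "asn": 64999, "actor": "jdoe@example.com"},
    # Current window: known (extension, ASN) pair -> not a new term.
    {"ts": NOW - timedelta(minutes=5), "op": OP_WRITE, "ext": "CustomScript", "asn": 64500, "actor": "ops-automation"},
    # Current window: Microsoft first-party automation -> excluded to cut noise.
    {"ts": NOW - timedelta(minutes=2), "op": OP_WRITE, "ext": "DSC", "asn": 8075, "actor": "Microsoft.Compute"},
    # Current window: unrelated compute operation -> not in scope.
    {"ts": NOW - timedelta(minutes=1), "op": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "ext": "", "asn": 64999, "actor": "jdoe@example.com"},
]

def detect_new_asn_extension_ops(events, now, history=timedelta(days=7),
                                 window=timedelta(minutes=9), exclude_asns=MICROSOFT_ASNS):
    """Emulate the new_terms logic: flag in-scope events in the current window whose
    (extension name, source ASN) pair never appeared in the preceding history window."""
    window_start, history_start = now - window, now - history
    seen = {
        (e["ext"], e["asn"]) for e in events
        if history_start <= e["ts"] < window_start and CRUD_RE.match(e["op"])
    }
    return [
        e for e in events
        if window_start <= e["ts"] <= now
        and CRUD_RE.match(e["op"])
        and e["asn"] not in exclude_asns
        and (e["ext"], e["asn"]) not in seen
    ]

if __name__ == "__main__":
    for hit in detect_new_asn_extension_ops(EVENTS, NOW):
        print(f"ALERT actor={hit['actor']} ext={hit['ext']} asn={hit['asn']} op={hit['op']}")
```

Only the CustomScript write from the unseen ASN is reported; clearing `exclude_asns` would additionally surface the DSC write from the Microsoft ASN, which is exactly the noise the rule's allow-list suppresses.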
Categories
  • Cloud
  • Azure
Data Sources
  • Application Log
ATT&CK Techniques
  • T1651
  • T1037
Created: 2026-06-15