Microsoft 365 OAuth Phishing via Visual Studio Code Client

Elastic Detection Rules

Summary
This rule is designed to detect suspicious OAuth authorization activities within Microsoft 365 involving the Visual Studio Code application (client ID: aebc6443-996d-45c2-90f0-388ff96faa56). While this client ID is commonly associated with legitimate use of Visual Studio Code, it has also been exploited by threat actors in phishing campaigns to create seemingly trustworthy OAuth requests. By tricking users into returning an OAuth authorization code—often via redirection to a legitimate Microsoft site (e.g., insiders.vscode.dev)—attackers can gain unauthorized access to personal data through Microsoft Graph APIs without alerting the user through explicit consent or multifactor authentication. The rule monitors for sign-ins that initiate OAuth 2.0 authorization code flows within a specified timeframe and identifies patterns consistent with known phishing tactics, focusing on parameters related to user identity and application access.
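The following is an added illustration of the detection idea described in the summary, not Elastic's rule logic or query. It filters constructed sign-in records for the Visual Studio Code client ID requesting Microsoft Graph access through the OAuth 2.0 authorization-code flow, then correlates matches by source IP within a time window so that one address harvesting codes from several users stands out. The record field names (`app_id`, `protocol`, `resource`, `user`, `ip`, `ts`), the sample records, the one-hour window and the two-user threshold are all assumptions made for the example; the page does not specify them.

```python
"""Added example: flag OAuth 2.0 authorization-code sign-ins that use the
Visual Studio Code client ID against Microsoft Graph, and escalate when one
source IP collects such sign-ins from several users in a short window.
Field names only approximate Entra ID sign-in logs (assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"  # client ID named on the page
WINDOW_SECONDS = 3600   # assumed correlation window; the page gives no value
MIN_VICTIMS = 2         # assumed: distinct users from one IP before escalating

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"ts": "2025-04-23T09:00:00Z", "user": "alice@example.com",
     "app_id": VSCODE_CLIENT_ID, "protocol": "oAuth2",
     "resource": "Microsoft Graph", "ip": "203.0.113.10"},
    {"ts": "2025-04-23T09:12:00Z", "user": "bob@example.com",
     "app_id": VSCODE_CLIENT_ID, "protocol": "oAuth2",
     "resource": "Microsoft Graph", "ip": "203.0.113.10"},
    # A lone developer signing in from their own address: matches, no campaign.
    {"ts": "2025-04-23T11:30:00Z", "user": "carol@example.com",
     "app_id": VSCODE_CLIENT_ID, "protocol": "oAuth2",
     "resource": "Microsoft Graph", "ip": "198.51.100.7"},
    # Some other client (placeholder ID): ignored.
    {"ts": "2025-04-23T11:31:00Z", "user": "dave@example.com",
     "app_id": "placeholder-other-client-id", "protocol": "oAuth2",
     "resource": "Microsoft Graph", "ip": "198.51.100.7"},
    # VS Code client but not the authorization-code flow: ignored.
    {"ts": "2025-04-23T11:45:00Z", "user": "erin@example.com",
     "app_id": VSCODE_CLIENT_ID, "protocol": "ropc",
     "resource": "Microsoft Graph", "ip": "203.0.113.10"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_vscode_authcode_signin(rec):
    """One record matches when the VS Code client ID obtains a Graph token
    through the OAuth 2.0 authorization-code flow."""
    return (rec.get("app_id") == VSCODE_CLIENT_ID
            and rec.get("protocol") == "oAuth2"
            and rec.get("resource") == "Microsoft Graph")


def detect(records, window=WINDOW_SECONDS, min_victims=MIN_VICTIMS):
    """Return (matches, campaigns).

    matches   -- every record satisfying is_vscode_authcode_signin, time-ordered
    campaigns -- one entry per source IP that produced matches for at least
                 min_victims distinct users inside `window` seconds
    """
    matches = sorted((r for r in records if is_vscode_authcode_signin(r)),
                     key=lambda r: parse_ts(r["ts"]))
    by_ip = defaultdict(list)
    for rec in matches:
        by_ip[rec["ip"]].append(rec)

    campaigns = []
    span = timedelta(seconds=window)
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):           # sliding window over sorted records
            while parse_ts(recs[end]["ts"]) - parse_ts(recs[start]["ts"]) > span:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_victims:
                campaigns.append({"ip": ip, "users": sorted(users),
                                  "first": recs[start]["ts"], "last": recs[end]["ts"]})
                break                           # one alert per source IP is enough
    return matches, campaigns


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_SIGNINS)
    for rec in found:
        print("match:", rec["ts"], rec["user"], rec["ip"])
    for alert in escalated:
        print("campaign:", alert)
```

Run over the constructed records, the three VS Code authorization-code sign-ins are reported as matches and the address that collected codes from both alice and bob within twelve minutes is escalated, while carol's single sign-in is left as a plain match for an analyst to review against the user's normal tooling.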
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • Web Credential
  • Process
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1566
  • T1566.002
Created: 2025-04-23