
M365 Identity Device Code Grant with Unusual User and ASN

Elastic Detection Rules

Summary
Detects Microsoft 365 OAuth device code grants (ExtendedProperties.RequestType Cmsi:Cmsi) issued through the Microsoft Authentication Broker (ApplicationId 29d9ed98-a469-4536-ade2-f981bc1d605e) to Microsoft Graph from a source ASN not previously observed for that user within the rule's history window. This is the pattern produced by device-code phishing kits: the victim is walked through a legitimate Microsoft endpoint and polling flow, and the attacker ends up holding a token that already satisfies MFA, typically requested from attacker-controlled residential proxies or datacenter hosting.

The rule is new_terms based. It keys on o365.audit.UserId together with source.as.number and fires when that pair has not appeared in the preceding seven days (now-7d), so the grant is flagged as an unusual login context even though MFA succeeded. The underlying event query requires ExtendedProperties.RequestType Cmsi:Cmsi, an ApplicationId equal to the Microsoft Authentication Broker, a Target.ID of Microsoft Graph, a non-managed device context (DeviceProperties.Value: False), and a user-type actor in the audit Actor fields.

The investigation guidance provided with the rule covers validating the involved user, the source ASN and its organization, the source IP and geographic origin, the device properties and user agent, and the application and target IDs, then pivoting to Azure signinlogs and graphactivitylogs for follow-on activity from the same ASN (for example /me exploration or mailbox and file access) to establish whether the credential was compromised and whether persistence was set up. The same device-code flow is legitimate in some scenarios (new networks, new devices, CLI workflows), so false positives should be weighed before escalation.
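The matching logic described above, replayed over a handful of constructed o365 audit events, as an added example that is not the rule's own query or code. The flattened field keys follow the names the summary gives; the Microsoft Graph application id, the Actor.Type key and its user value, the ECS enrichment fields used for investigation context, and every sample event are assumptions made for this illustration.

```python
"""Replay of the rule's event query plus new_terms check over constructed events.

Added example, not the rule's own code. The Graph app id, the Actor.Type key and
its user value, and all sample events are assumptions for this illustration.
"""
from datetime import datetime, timedelta, timezone

MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # named in the rule
MS_GRAPH = "00000003-0000-0000-c000-000000000000"        # well-known Graph app id (assumed)
ACTOR_TYPE_USER = 0                                      # assumed user-type actor encoding
HISTORY_WINDOW = timedelta(days=7)                       # the rule's now-7d history


def matches_event_query(ev):
    """The rule's event query: a Cmsi:Cmsi device-code grant via the Authentication
    Broker to Microsoft Graph, from a non-managed device, by a user-type actor."""
    return (
        ev.get("o365.audit.ExtendedProperties.RequestType") == "Cmsi:Cmsi"
        and ev.get("o365.audit.ApplicationId") == MS_AUTH_BROKER
        and ev.get("o365.audit.Target.ID") == MS_GRAPH
        and ev.get("o365.audit.DeviceProperties.Value") == "False"
        and ev.get("o365.audit.Actor.Type") == ACTOR_TYPE_USER
    )


def investigation_context(ev):
    """Collect the fields the rule's investigation guide asks an analyst to validate."""
    return {
        "user": ev["o365.audit.UserId"],
        "asn": ev["source.as.number"],
        "as_org": ev.get("source.as.organization.name"),
        "ip": ev.get("source.ip"),
        "country": ev.get("source.geo.country_iso_code"),
        "user_agent": ev.get("user_agent.original"),
        "application_id": ev["o365.audit.ApplicationId"],
        "target_id": ev["o365.audit.Target.ID"],
        "timestamp": ev["@timestamp"].isoformat(),
    }


def new_terms_alerts(events, evaluate_from, window=HISTORY_WINDOW):
    """Replay events in time order. Events before `evaluate_from` only seed history;
    later events alert when they match the query and their (UserId, source ASN)
    pair has no query-matching occurrence within the preceding `window`.
    History is built from query-matching events only, as a new_terms rule does."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_event_query(ev):
            continue  # managed device, other app/target, non-user actor: never a candidate
        key = (ev["o365.audit.UserId"], ev["source.as.number"])
        prior = last_seen.get(key)
        is_new = prior is None or ev["@timestamp"] - prior > window
        if ev["@timestamp"] >= evaluate_from and is_new:
            alerts.append(investigation_context(ev))
        last_seen[key] = ev["@timestamp"]
    return alerts


# --- constructed sample data (not real tenant logs) ---
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
EVALUATE_FROM = NOW - timedelta(hours=3)  # pretend this is the current rule run


def _event(user, asn, org, ip, age, device_managed="False"):
    return {
        "@timestamp": NOW - age,
        "o365.audit.UserId": user,
        "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
        "o365.audit.ApplicationId": MS_AUTH_BROKER,
        "o365.audit.Target.ID": MS_GRAPH,
        "o365.audit.DeviceProperties.Value": device_managed,
        "o365.audit.Actor.Type": ACTOR_TYPE_USER,
        "source.as.number": asn,
        "source.as.organization.name": org,
        "source.ip": ip,
        "source.geo.country_iso_code": "US",
        "user_agent.original": "Mozilla/5.0",
    }


SAMPLE_EVENTS = [
    _event("alice@contoso.example", 8075, "Microsoft", "20.190.1.1", timedelta(days=5)),        # seeds history
    _event("carol@contoso.example", 14061, "DigitalOcean", "203.0.113.7", timedelta(days=10)),   # older than window
    _event("alice@contoso.example", 8075, "Microsoft", "20.190.1.1", timedelta(hours=2)),       # known ASN: quiet
    _event("alice@contoso.example", 14061, "DigitalOcean", "203.0.113.7", timedelta(hours=1)),  # new ASN: alert
    _event("bob@contoso.example", 14061, "DigitalOcean", "203.0.113.9", timedelta(minutes=30),
           device_managed="True"),                                                              # filtered by query
    _event("carol@contoso.example", 14061, "DigitalOcean", "203.0.113.7", timedelta(minutes=15)),  # history expired: alert
]

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS, evaluate_from=EVALUATE_FROM):
        print(alert)
```

Two behaviours of the replay are worth noting when tuning the real rule: an ASN the user last used more than seven days ago counts as new again, which is what makes the carol case fire, and events that fail the event query (here bob's managed device) neither alert nor contribute to history, so a user's ordinary managed-device sign-ins do not whitelist an ASN for a later unmanaged device-code grant.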
The MITRE mapping covers T1078.004 (Cloud Accounts) and T1566.002 (Spearphishing Link) under Initial Access, and T1550.001 (Application Access Token) under Defense Evasion, reflecting the chain from the phishing link through the victim's credential use to the harvested token.
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1566
  • T1566.002
  • T1550
  • T1550.001
Created: 2026-06-01