
M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

Elastic Detection Rules

Summary
This rule inspects Microsoft 365 audit logs (o365.audit) for UserLoggedIn events that align with Tycoon 2FA phishing-as-a-service (PhaaS) and attacker-in-the-middle (AiTM) activity. It flags logins in which the Microsoft Authentication Broker authenticates to first-party resources such as Microsoft Graph or Exchange Online, or the Office web client authenticates to itself, and the same log entry carries a Node.js-style user agent (node, axios, undici). Tycoon 2FA bypasses MFA by relaying the victim's authentication through attacker-controlled infrastructure and capturing the resulting session material; it frequently targets Microsoft 365 and Gmail.

The query matches on specific ApplicationId/ObjectId pairs and requires the Node.js-style user agent to be present, because that combination suggests automation or tooling rather than an interactive user sign-in. The rule excludes known legitimate automation and developer tooling to reduce noise, but legitimate automation can still match, so every hit still needs triage.

The rule is mapped to MITRE ATT&CK T1566 (Phishing) under Initial Access and T1539 (Steal Web Session Cookie) under Credential Access, reflecting the session-stealing nature of AiTM phishing. It provides a structured investigation path and remediation guidance for triaging matches and responding if malicious activity is confirmed.
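The logic described above, run over a handful of constructed audit records, as an added example that is not the rule's own query or Elastic code. The records use the field layout of Microsoft's unified audit log for Azure AD sign-ins (Operation, ApplicationId, ObjectId, ExtendedProperties with a UserAgent entry); the GUIDs are Microsoft's public first-party application IDs, but which ApplicationId/ObjectId pairs the real rule alerts on comes from its query, so the SUSPECT_PAIRS set and the allowed_users exclusion are this example's assumptions, as are the user names and IPs.

```python
"""Toy re-implementation of the detection logic summarised on this page.

Sample records are constructed for the example; they are not real tenant data.
"""
import re
from typing import Iterable

# Public Microsoft first-party application IDs. Which ApplicationId/ObjectId
# pairs the real rule alerts on is defined in its query; the pairing below is
# this example's reading of the summary, not a copy of the rule.
MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
OFFICE_WEB = "4765445b-32c6-49b0-83e6-1d93765276ca"  # OfficeHome (Office web client)

SUSPECT_PAIRS = {
    (MS_AUTH_BROKER, MS_GRAPH),
    (MS_AUTH_BROKER, EXCHANGE_ONLINE),
    (OFFICE_WEB, OFFICE_WEB),  # Office web client authenticating to itself
}

# Node.js-style user agents: "node", "axios" or "undici" as whole tokens.
NODE_STYLE_UA = re.compile(r"\b(node|axios|undici)\b", re.IGNORECASE)


def user_agent(record: dict) -> str:
    """Pull UserAgent out of the ExtendedProperties name/value list."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def is_suspect_login(record: dict, allowed_users: frozenset = frozenset()) -> bool:
    """True when a UserLoggedIn event has a suspect app/resource pair AND a
    Node.js-style user agent, unless the account is a known automation identity
    (the allow list stands in for the rule's own baseline exclusions)."""
    if record.get("Operation") != "UserLoggedIn":
        return False
    if record.get("UserId", "").lower() in allowed_users:
        return False
    pair = (record.get("ApplicationId"), record.get("ObjectId"))
    if pair not in SUSPECT_PAIRS:
        return False
    return bool(NODE_STYLE_UA.search(user_agent(record)))


def detect(records: Iterable[dict], allowed_users: Iterable[str] = ()) -> list:
    """Return one alert dict per matching record, with the pivots an analyst wants."""
    allow = frozenset(u.lower() for u in allowed_users)
    return [
        {"user": r["UserId"], "app": r["ApplicationId"], "resource": r["ObjectId"],
         "ua": user_agent(r), "ip": r.get("ClientIP")}
        for r in records if is_suspect_login(r, allow)
    ]


def _rec(user, app_id, obj_id, ua, op="UserLoggedIn", ip="203.0.113.10"):
    """Build a constructed audit record in the unified audit log shape."""
    return {
        "Operation": op, "UserId": user, "ApplicationId": app_id, "ObjectId": obj_id,
        "ClientIP": ip, "Workload": "AzureActiveDirectory",
        "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}],
    }


# Constructed sample events (documentation IPs, fictitious users).
SAMPLE_RECORDS = [
    # AiTM-style: broker -> Graph with an axios user agent.
    _rec("alice@example.com", MS_AUTH_BROKER, MS_GRAPH, "axios/1.6.8"),
    # Same app pair, ordinary browser user agent: no alert.
    _rec("alice@example.com", MS_AUTH_BROKER, MS_GRAPH,
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"),
    # Office web client to itself with a bare "node" user agent.
    _rec("bob@example.com", OFFICE_WEB, OFFICE_WEB, "node", ip="198.51.100.7"),
    # Known automation identity with an undici user agent: suppressed by the allow list.
    _rec("svc-sync@example.com", MS_AUTH_BROKER, EXCHANGE_ONLINE, "undici"),
    # Failed sign-in with the same shape: not a UserLoggedIn event, so ignored.
    _rec("carol@example.com", MS_AUTH_BROKER, MS_GRAPH, "axios/1.6.8", op="UserLoginFailed"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS, allowed_users=["svc-sync@example.com"]):
        print(hit)
```

Two of the five constructed records alert: the browser-UA sign-in fails the user-agent condition, the service account is excluded by the allow list, and the failed sign-in is not a UserLoggedIn event. The point of the app-pair plus user-agent conjunction is that either condition alone fires constantly in a normal tenant; only the combination points at scripted token use.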
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1566
  • T1539
Created: 2026-05-14