Potential Account Takeover - Mixed Logon Types

Elastic Detection Rules

Summary
Technical detection rule that flags potential account takeover when a user account (often a service account) with historically high-volume logons also shows a small number of successful logons of a different logon type. It analyzes Windows successful logon events (event ID 4624) and aggregates them by user and logon type to identify accounts with at least two distinct logon types, a high maximum logon count (>=1000) and a low minimum logon count (between 1 and 10). The alert surfaces the anomalous logon type per user so that the account can be investigated for credential compromise or misuse in a new context. Includes triage guidance, false-positive considerations, and remediation recommendations.
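The aggregation described above, as an added worked example that is not the rule's own Elastic query or any Elastic code. It assumes a simplified, constructed text form of the Security log ("event_id user logon_type" per line); the function names, the sample users and the per-line format are assumptions for illustration. The thresholds (two distinct logon types, maximum >= 1000, minimum between 1 and 10) are the ones stated in the summary, and failed logons (4625) are deliberately mixed into the sample to show that only 4624 events are counted.

```python
from collections import defaultdict

# Constructed sample of Windows Security log entries in a simplified
# "event_id user logon_type" text form; not real telemetry.
SAMPLE_LOG = "\n".join(
    ["4624 svc_backup 5"] * 1200   # high-volume service logon (type 5)
    + ["4624 svc_backup 10"] * 2   # rare RemoteInteractive logon (type 10)
    + ["4625 svc_backup 10"] * 3   # failed logons: not 4624, must be ignored
    + ["4624 alice 2"] * 40        # interactive user, moderate volume
    + ["4624 alice 3"] * 30        # network logon, moderate volume
    + ["4624 svc_sql 5"] * 3000    # only one logon type: no mix to flag
)


def parse_events(log_text, event_id="4624"):
    """Return (user, logon_type) pairs for successful logon (4624) lines only."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != event_id:
            continue  # skip malformed lines and any non-4624 event
        events.append((parts[1], int(parts[2])))
    return events


def aggregate_logon_types(events):
    """Count logons per user and per logon type: {user: {logon_type: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, logon_type in events:
        counts[user][logon_type] += 1
    return counts


def find_mixed_logon_types(events, min_distinct=2, high_threshold=1000,
                           low_min=1, low_max=10):
    """Apply the rule's thresholds and return one finding per flagged user.

    A user is flagged when it has at least `min_distinct` logon types, the
    busiest type has >= `high_threshold` logons, and the rarest type has
    between `low_min` and `low_max` logons. The rare type(s) are reported
    as the anomalous logon type(s) to investigate.
    """
    findings = []
    for user, per_type in aggregate_logon_types(events).items():
        if len(per_type) < min_distinct:
            continue
        max_count = max(per_type.values())
        min_count = min(per_type.values())
        if max_count >= high_threshold and low_min <= min_count <= low_max:
            anomalous = sorted(t for t, c in per_type.items() if c == min_count)
            findings.append({
                "user": user,
                "anomalous_logon_types": anomalous,
                "max_count": max_count,
                "min_count": min_count,
            })
    return findings


if __name__ == "__main__":
    for finding in find_mixed_logon_types(parse_events(SAMPLE_LOG)):
        print(finding)
```

Running the block flags only svc_backup (1200 type-5 logons versus 2 type-10 logons); alice has two logon types but never reaches the high threshold, and svc_sql has a single logon type, so neither is reported. The three 4625 lines for svc_backup are excluded before aggregation, which is why the reported minimum is 2 rather than 5.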
Categories
  • Endpoint
  • Windows
Data Sources
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2026-02-25