Google Workspace Device Registration Burst for Single User

Elastic Detection Rules

Summary
This rule detects bursts of Google Workspace device registration events for a single user, specifically when three or more distinct google_workspace.device.id values are observed within a one-minute window. The Reports API emits a fresh google_workspace.device.id on every session/sync registration, and while legitimate activity can generate multiple events, a burst of 3+ distinct device IDs in a minute is unusual for a single user and can indicate adversarial activity.

The rule flags such bursts as potential AiTM phishing-kit relays (Tycoon2FA Google variant) or token-replay tooling, where multiple sign-ins are driven by a stolen OAuth token or a relay session. The behavior is characterized by homogeneous device fingerprints (OS, model) across the burst window and by events arriving in quick succession rather than spread over several minutes. MITRE ATT&CK coverage includes T1098.005 Device Registration (Account Manipulation, Persistence), T1078.004 Cloud Accounts (Initial Access via cloud accounts), and T1557 Adversary-in-the-Middle (Credential Access).

The rule provides detailed investigation steps (examining the user, host OS version, device types/models, and related login and token events) and clearly differentiates false positives such as simultaneous onboarding of multiple Workspace apps or major OS upgrades that cause broad re-attestation. Remediation guidance prioritizes containment and credential protection, including revoking OAuth tokens, password resets, session sign-outs, and device cleanup, along with cross-checking for cross-cloud access indicators. Overall, this rule aims to detect high-risk sign-in patterns associated with token theft or phishing relays while minimizing noise from normal onboarding or fleet updates.
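The following is an added example of the detection logic described above, written for this page and not taken from the Elastic rule itself. It applies the one-minute sliding window and the 3+ distinct google_workspace.device.id threshold per user, and additionally reports whether the device fingerprints in the burst are homogeneous (same OS and model), which the summary names as a characteristic of relay or token-replay activity as opposed to multi-app onboarding. The event field names other than google_workspace.device.id (user, @timestamp, os, model) and all sample events are constructed assumptions, not real telemetry.

```python
"""Sliding-window detection of Google Workspace device-registration bursts.

Added example for this page; not Elastic's rule code. Only the field
google_workspace.device.id comes from the rule text. The fields user,
@timestamp, os and model are assumed names, and the events below are
constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # the rule's one-minute window
THRESHOLD = 3                   # 3+ distinct device IDs per user per window

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # alice: three distinct IDs within 39 seconds, identical OS/model -> relay-like burst
    {"@timestamp": "2026-05-15T10:00:01Z", "user": "alice@example.com",
     "google_workspace.device.id": "dev-a1", "os": "Windows 10.0.19045", "model": "Generic PC"},
    {"@timestamp": "2026-05-15T10:00:12Z", "user": "alice@example.com",
     "google_workspace.device.id": "dev-a2", "os": "Windows 10.0.19045", "model": "Generic PC"},
    {"@timestamp": "2026-05-15T10:00:40Z", "user": "alice@example.com",
     "google_workspace.device.id": "dev-a3", "os": "Windows 10.0.19045", "model": "Generic PC"},
    # bob: one device re-registering three times -> only one distinct ID, no alert
    {"@timestamp": "2026-05-15T10:00:05Z", "user": "bob@example.com",
     "google_workspace.device.id": "dev-b1", "os": "macOS 14.4", "model": "MacBookPro18,3"},
    {"@timestamp": "2026-05-15T10:00:20Z", "user": "bob@example.com",
     "google_workspace.device.id": "dev-b1", "os": "macOS 14.4", "model": "MacBookPro18,3"},
    {"@timestamp": "2026-05-15T10:00:35Z", "user": "bob@example.com",
     "google_workspace.device.id": "dev-b1", "os": "macOS 14.4", "model": "MacBookPro18,3"},
    # carol: three distinct IDs but spread over 90 seconds -> never 3 inside one window
    {"@timestamp": "2026-05-15T10:05:00Z", "user": "carol@example.com",
     "google_workspace.device.id": "dev-c1", "os": "Windows 11 22H2", "model": "Generic PC"},
    {"@timestamp": "2026-05-15T10:05:50Z", "user": "carol@example.com",
     "google_workspace.device.id": "dev-c2", "os": "Windows 11 22H2", "model": "Generic PC"},
    {"@timestamp": "2026-05-15T10:06:30Z", "user": "carol@example.com",
     "google_workspace.device.id": "dev-c3", "os": "Windows 11 22H2", "model": "Generic PC"},
    # dave: three distinct IDs in 45 seconds on three different platforms -> alert,
    # but heterogeneous fingerprints point toward multi-app onboarding (false-positive candidate)
    {"@timestamp": "2026-05-15T10:10:00Z", "user": "dave@example.com",
     "google_workspace.device.id": "dev-d1", "os": "iOS 17.4", "model": "iPhone15,2"},
    {"@timestamp": "2026-05-15T10:10:20Z", "user": "dave@example.com",
     "google_workspace.device.id": "dev-d2", "os": "macOS 14.4", "model": "MacBookPro18,3"},
    {"@timestamp": "2026-05-15T10:10:45Z", "user": "dave@example.com",
     "google_workspace.device.id": "dev-d3", "os": "Android 14", "model": "Pixel 8"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp; map 'Z' to '+00:00' for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of >= threshold distinct device IDs
    for a single user inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((parse_ts(ev["@timestamp"]), ev))

    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        left = 0
        for right in range(len(rows)):
            # Slide the left edge until the window spans at most `window`.
            while rows[right][0] - rows[left][0] > window:
                left += 1
            in_window = [ev for _, ev in rows[left:right + 1]]
            device_ids = {ev["google_workspace.device.id"] for ev in in_window}
            if len(device_ids) >= threshold:
                oses = {ev["os"] for ev in in_window}
                models = {ev["model"] for ev in in_window}
                alerts.append({
                    "user": user,
                    "window_start": rows[left][0].isoformat(),
                    "window_end": rows[right][0].isoformat(),
                    "device_ids": sorted(device_ids),
                    "os_values": sorted(oses),
                    "models": sorted(models),
                    # Same OS and model across the burst: the relay/token-replay
                    # shape the summary describes. Mixed fingerprints look more
                    # like a user onboarding several apps or devices at once.
                    "homogeneous_fingerprint": len(oses) == 1 and len(models) == 1,
                })
                left = right + 1   # consume this burst so it is not re-alerted on
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        shape = "homogeneous" if alert["homogeneous_fingerprint"] else "mixed"
        print(f"{alert['user']}: {len(alert['device_ids'])} device IDs "
              f"{alert['window_start']}..{alert['window_end']} ({shape} fingerprint)")
```

Run as a script it prints two alerts: alice's burst with a homogeneous fingerprint, and dave's with a mixed one. Bob never trips the threshold because the distinct-ID count is one, and carol's three registrations never fall inside a single one-minute window, which is exactly the distinction the rule relies on to stay quiet during ordinary session churn.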
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1098.005
  • T1078
  • T1078.004
  • T1557
Created: 2026-05-15