
Summary
This detection rule is designed to identify potentially malicious behavior in which a user signs in to a Microsoft Entra ID account using a refresh token via the Microsoft Authentication Broker (MAB) and follows it up with a Primary Refresh Token (PRT) sign-in from the same device within a one-hour span. The rule captures this sequence because such behavior may indicate that an attacker has registered a device and is abusing the resulting device trust to access resources with persistent token usage. Subsequent analysis steps include confirming the authenticity of the sign-in events (user, device, IP and user agent) and investigating any Microsoft 365 resource access that occurs afterwards. Investigators are advised to account for legitimate activities that can trigger false positives, such as automatic device onboarding processes or rapid provisioning scenarios. Recommended responses include revoking any active sessions, enforcing multifactor authentication (MFA), and potentially quarantining suspicious devices.
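The correlation the summary describes, implemented over a handful of constructed sign-in events, as an added example that is not part of the rule or its detection query. The event field names (app display name, incoming token type, device id, result) are assumptions standing in for the properties a sign-in log pipeline would expose; the "refreshToken" / "primaryRefreshToken" token-type values and the one-hour window follow the rule description, and the sample includes the cases a defender would want to see excluded: a PRT sign-in outside the window, one from a different device, and one preceded by a failed broker sign-in.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Assumed schema for this example; map these to your own sign-in log fields.
MAB_APP_NAME = "Microsoft Authentication Broker"
WINDOW = timedelta(hours=1)  # the rule's one-hour span


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    device_id: str
    app_display_name: str
    incoming_token_type: str  # e.g. "refreshToken" or "primaryRefreshToken"
    result: str               # "success" or "failure"


@dataclass(frozen=True)
class Match:
    user: str
    device_id: str
    broker_sign_in: datetime
    prt_sign_in: datetime


def is_broker_refresh_token_sign_in(e: SignIn) -> bool:
    """Step 1 of the sequence: a successful MAB sign-in presenting a refresh token."""
    return (e.result == "success"
            and e.app_display_name == MAB_APP_NAME
            and e.incoming_token_type == "refreshToken")


def is_prt_sign_in(e: SignIn) -> bool:
    """Step 2 of the sequence: a successful sign-in presenting a PRT (any app)."""
    return e.result == "success" and e.incoming_token_type == "primaryRefreshToken"


def find_broker_then_prt(events: Iterable[SignIn], window: timedelta = WINDOW) -> list[Match]:
    """Return one Match per (user, device) where a MAB refresh-token sign-in is
    followed by a PRT sign-in from the same device within `window`."""
    matches: list[Match] = []
    last_broker: dict[tuple[str, str], datetime] = {}
    for e in sorted(events, key=lambda x: x.time):
        key = (e.user, e.device_id)
        if is_broker_refresh_token_sign_in(e):
            last_broker[key] = e.time  # remember the most recent broker sign-in
        elif is_prt_sign_in(e):
            t0 = last_broker.get(key)
            if t0 is not None and timedelta(0) <= e.time - t0 <= window:
                matches.append(Match(e.user, e.device_id, t0, e.time))
                del last_broker[key]  # alert once per broker sign-in
    return matches


# Constructed sample events (not real log data).
_BASE = datetime(2025, 6, 24, 9, 0, tzinfo=timezone.utc)


def _at(minutes: int) -> datetime:
    return _BASE + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # alice: broker refresh-token sign-in, PRT sign-in 12 minutes later -> match
    SignIn(_at(0), "alice@example.test", "dev-A", MAB_APP_NAME, "refreshToken", "success"),
    SignIn(_at(12), "alice@example.test", "dev-A", "Office 365 SharePoint Online", "primaryRefreshToken", "success"),
    # bob: PRT sign-in 90 minutes later -> outside the one-hour window
    SignIn(_at(0), "bob@example.test", "dev-B", MAB_APP_NAME, "refreshToken", "success"),
    SignIn(_at(90), "bob@example.test", "dev-B", "Microsoft Teams", "primaryRefreshToken", "success"),
    # carol: PRT sign-in from a different device -> no match
    SignIn(_at(0), "carol@example.test", "dev-C", MAB_APP_NAME, "refreshToken", "success"),
    SignIn(_at(5), "carol@example.test", "dev-D", "Microsoft Teams", "primaryRefreshToken", "success"),
    # dave: broker sign-in failed -> no match
    SignIn(_at(0), "dave@example.test", "dev-E", MAB_APP_NAME, "refreshToken", "failure"),
    SignIn(_at(3), "dave@example.test", "dev-E", "Outlook", "primaryRefreshToken", "success"),
]


if __name__ == "__main__":
    for m in find_broker_then_prt(SAMPLE_EVENTS):
        gap = (m.prt_sign_in - m.broker_sign_in).total_seconds() / 60
        print(f"{m.user} on {m.device_id}: broker sign-in then PRT sign-in {gap:.0f} min later")
```

Keying the state on (user, device) rather than on the user alone is what keeps carol's cross-device case out of the results, and is the part most worth verifying against your own logs: if the pipeline does not carry a device identifier on both events, the correlation silently degrades to per-user matching and the false-positive rate from onboarding and provisioning rises.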
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
- Process
- Network Traffic
ATT&CK Techniques
- T1078
- T1078.004
- T1098
- T1098.005
Created: 2025-06-24