
Summary
The "O365 Concurrent Sessions From Different IPs" analytic detects unauthorized access patterns in Office 365 environments by identifying user sessions associated with multiple IP addresses. This behavior can indicate an adversary-in-the-middle (AiTM) phishing attack, in which attackers obtain user credentials and log in from several locations within a short time frame. The detection relies on Azure Active Directory logs, specifically monitoring 'UserLoggedIn' operations, and flags any single session that shows more than one unique IP address. This is rare in normal user behavior and raises significant security concerns, including data theft, account takeover, and the use of the compromised account for internal phishing campaigns. The detection uses standard Splunk queries to aggregate login data by user and session ID, then applies filters to surface these suspicious sessions.
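The grouping logic described above, as an added Python example that is not part of the original analytic or the Splunk search it describes; it assumes O365 audit records carrying Operation, UserId, SessionId, ClientIP and CreationTime fields, and the events below are constructed, not real log data.

```python
from collections import defaultdict

# Constructed 'UserLoggedIn' style events (assumed field names, not real log data).
SAMPLE_EVENTS = [
    {"CreationTime": "2024-11-14T08:01:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "SessionId": "s-1", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-11-14T08:03:55", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "SessionId": "s-1", "ClientIP": "203.0.113.42"},
    # Same session, same IP twice: normal re-authentication, must not alert.
    {"CreationTime": "2024-11-14T08:10:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "SessionId": "s-2", "ClientIP": "198.51.100.20"},
    {"CreationTime": "2024-11-14T09:15:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "SessionId": "s-2", "ClientIP": "198.51.100.20"},
    # Same user, two IPs but two different sessions (e.g. office and home): not flagged.
    {"CreationTime": "2024-11-14T07:30:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "SessionId": "s-3", "ClientIP": "192.0.2.9"},
    {"CreationTime": "2024-11-14T12:45:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "SessionId": "s-4", "ClientIP": "192.0.2.10"},
    # Non-login operation on alice's session: outside the analytic's scope, ignored.
    {"CreationTime": "2024-11-14T08:05:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "SessionId": "s-1", "ClientIP": "192.0.2.77"},
]


def find_multi_ip_sessions(events):
    """Aggregate UserLoggedIn events by (user, session) and return the sessions
    observed from more than one distinct client IP, mirroring the
    stats-by-user-and-SessionId approach the analytic describes."""
    sessions = defaultdict(lambda: {"ips": set(), "times": []})
    for ev in events:
        if ev.get("Operation") != "UserLoggedIn":
            continue
        sid = ev.get("SessionId")
        if not sid:  # records without a session id cannot be correlated
            continue
        entry = sessions[(ev["UserId"], sid)]
        entry["ips"].add(ev["ClientIP"])
        entry["times"].append(ev["CreationTime"])

    alerts = {}
    for (user, sid), entry in sessions.items():
        if len(entry["ips"]) > 1:
            alerts[(user, sid)] = {
                "distinct_ips": len(entry["ips"]),
                "ips": sorted(entry["ips"]),
                "first_seen": min(entry["times"]),  # ISO timestamps sort lexically
                "last_seen": max(entry["times"]),
            }
    return alerts


if __name__ == "__main__":
    for (user, sid), info in find_multi_ip_sessions(SAMPLE_EVENTS).items():
        print(f"ALERT user={user} session={sid} ips={info['ips']} "
              f"span={info['first_seen']}..{info['last_seen']}")
```

The first_seen/last_seen span is carried along so an analyst can judge how quickly the second IP appeared, which the per-session IP count alone does not show.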
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1185
Created: 2024-11-14