O365 Multiple OS Vendors Authenticating From User

Splunk Security Content

Summary
This detection rule monitors Office 365 authentication patterns for a single user account that authenticates from multiple operating systems within a short timeframe. Such behavior may indicate an attempt to bypass Multi-Factor Authentication (MFA) or to exploit weaknesses in an organization's access controls. The analytic tracks user login attempts recorded in the Office 365 Universal Audit Log and flags a user when at least four different operating systems are observed within a 15-minute window. This lets security teams identify possible credential abuse, for example adversaries using tools such as MFASweep to test a user's credentials against various operating system platforms. Reviewing these events helps proactively safeguard user accounts and reinforce authentication practices across the organization.
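The threshold logic described above, as an added example that is not part of Splunk Security Content: it groups constructed login records by user and flags any user with at least four distinct operating systems inside a sliding 15-minute window. The field names (UserId, CreationTime, OS) and the sliding-window interpretation are assumptions of this example; in the real Universal Audit Log the operating system is derived from the user agent of the UserLoggedIn record.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on O365 UserLoggedIn audit records.
# Field names are assumptions for this example, not the audit log's exact schema.
SAMPLE_EVENTS = [
    {"UserId": "alice@example.com", "CreationTime": "2024-12-19T10:00:05", "OS": "Windows"},
    {"UserId": "alice@example.com", "CreationTime": "2024-12-19T10:02:11", "OS": "macOS"},
    {"UserId": "alice@example.com", "CreationTime": "2024-12-19T10:04:47", "OS": "Linux"},
    {"UserId": "alice@example.com", "CreationTime": "2024-12-19T10:09:30", "OS": "iOS"},
    {"UserId": "alice@example.com", "CreationTime": "2024-12-19T10:12:02", "OS": "Android"},
    # bob uses four platforms in total, but never four within 15 minutes: no alert.
    {"UserId": "bob@example.com", "CreationTime": "2024-12-19T10:01:00", "OS": "Windows"},
    {"UserId": "bob@example.com", "CreationTime": "2024-12-19T10:03:00", "OS": "iOS"},
    {"UserId": "bob@example.com", "CreationTime": "2024-12-19T11:30:00", "OS": "macOS"},
    {"UserId": "bob@example.com", "CreationTime": "2024-12-19T11:31:00", "OS": "Linux"},
]

WINDOW = timedelta(minutes=15)   # the rule's 15-minute window
THRESHOLD = 4                    # at least four distinct operating systems


def find_multi_os_users(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (window_start_iso, sorted distinct OS names)} for every user
    that authenticated from >= threshold distinct OS values within one window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["UserId"]].append((datetime.fromisoformat(e["CreationTime"]), e["OS"]))

    hits = {}
    for user, logins in by_user.items():
        logins.sort()  # order by time so each window scan is a contiguous slice
        for i, (start, _) in enumerate(logins):
            seen = set()
            for ts, os_name in logins[i:]:
                if ts - start > window:
                    break
                seen.add(os_name)
            if len(seen) >= threshold:
                hits[user] = (start.isoformat(), sorted(seen))
                break  # one alert per user is enough for triage
    return hits


if __name__ == "__main__":
    for user, (start, systems) in find_multi_os_users(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(systems)} OS values from {start}: {', '.join(systems)}")
```

A true positive here is the same account presenting many user agents in minutes, so triage should start with the source IPs and whether MFA was satisfied on each login.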
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Pod
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1110
Created: 2024-12-19