Entra ID Actor Token User Impersonation Abuse

Elastic Detection Rules

Summary
This rule identifies potential abuse of actor tokens in Microsoft Entra ID audit logs, which can indicate unauthorized access attempts. Actor tokens are undocumented backend mechanisms that allow Microsoft services to act on behalf of users. These tokens appear in logs with the legitimate service's display name alongside the impersonated user's UPN. Unexpected usage of these tokens could be an indication of exploitation of the vulnerability CVE-2025-55241, which allowed unauthorized access to the Azure AD Graph API before its patch in September 2025. The rule helps identify misuse during a specified time frame, specifically focusing on logs generated by Microsoft services while excluding legitimate activities related to group operations to mitigate false positives. The associated risks include possible privilege escalation or unauthorized administrative actions facilitated by such tokens. The investigation guide provided within the rule outlines potential steps to analyze incidents effectively and suggests specific responses and remediation actions to secure affected Entra ID tenants.
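The detection described above, reduced to its core test, as an added example (this is not Elastic's rule code). It assumes audit records shaped like the Microsoft Graph directoryAudit object (initiatedBy.app, initiatedBy.user, category, activityDisplayName, activityDateTime), treats any record that carries both a service display name and a user UPN in initiatedBy as the actor-token pattern, drops the GroupManagement category as the known benign source of that shape, and restricts hits to a caller-supplied time window because the page does not state the rule's own window. The sample records are constructed; the "Microsoft services only" filter is simplified to "any app display name present", so a production query would further restrict to known first-party service names.

```python
"""Detection sketch for actor-token impersonation in Entra ID audit logs.

Added example, not Elastic's rule. Record layout assumed to follow the
Graph directoryAudit object; sample records below are constructed.
"""
from datetime import datetime

# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {
        # App-only service action with no user context: expected, not flagged.
        "activityDateTime": "2025-09-10T08:00:00Z",
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "initiatedBy": {"app": {"displayName": "Microsoft Graph"}, "user": None},
    },
    {
        # Interactive admin action with no app context: expected, not flagged.
        "activityDateTime": "2025-09-10T09:15:00Z",
        "category": "RoleManagement",
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@example.com"}},
    },
    {
        # Service display name AND an impersonated UPN in the same record on a
        # non-group operation: the actor-token pattern the rule flags.
        "activityDateTime": "2025-09-10T10:42:00Z",
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "initiatedBy": {"app": {"displayName": "Office 365 Exchange Online"},
                        "user": {"userPrincipalName": "alice@example.com"}},
    },
    {
        # Same shape on a group operation: excluded as the known benign case.
        "activityDateTime": "2025-09-10T11:00:00Z",
        "category": "GroupManagement",
        "activityDisplayName": "Add member to group",
        "initiatedBy": {"app": {"displayName": "Microsoft Teams Services"},
                        "user": {"userPrincipalName": "bob@example.com"}},
    },
    {
        # Same shape but outside the window under investigation.
        "activityDateTime": "2025-10-05T12:00:00Z",
        "category": "UserManagement",
        "activityDisplayName": "Update user",
        "initiatedBy": {"app": {"displayName": "Office 365 Exchange Online"},
                        "user": {"userPrincipalName": "carol@example.com"}},
    },
]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the audit feed."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_actor_token_record(record):
    """True when initiatedBy names both a service (app) and a user UPN.

    Ordinary records carry one or the other; both together is the
    impersonation signature the rule keys on.
    """
    actor = record.get("initiatedBy") or {}
    app = actor.get("app") or {}
    user = actor.get("user") or {}
    return bool(app.get("displayName")) and bool(user.get("userPrincipalName"))


def find_actor_token_impersonation(records, window_start, window_end,
                                   excluded_categories=("GroupManagement",)):
    """Return the records in [window_start, window_end] that match the
    actor-token pattern, minus the excluded (known benign) categories."""
    start, end = _parse_ts(window_start), _parse_ts(window_end)
    hits = []
    for rec in records:
        ts = _parse_ts(rec["activityDateTime"])
        if not (start <= ts <= end):
            continue
        if rec.get("category") in excluded_categories:
            continue
        if not is_actor_token_record(rec):
            continue
        hits.append({
            "time": rec["activityDateTime"],
            "service": rec["initiatedBy"]["app"]["displayName"],
            "impersonated_user": rec["initiatedBy"]["user"]["userPrincipalName"],
            "activity": rec.get("activityDisplayName"),
        })
    return hits


def demo():
    """Run the check over the constructed sample for September 2025."""
    return find_actor_token_impersonation(
        SAMPLE_AUDIT_LOGS, "2025-09-01T00:00:00Z", "2025-09-30T23:59:59Z")


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Each hit pairs the service name with the UPN it acted as, which is the starting point the investigation guide needs: confirm whether that service legitimately performs that activity for that user, and pivot on the UPN for other actions in the same window.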
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Active Directory
  • User Account
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1548
Created: 2025-09-18