
Suspicious Microsoft 365 Mail Access by ClientAppId

Elastic Detection Rules

Summary
This rule identifies potential unauthorized access to Microsoft 365 mailboxes by monitoring for ClientAppId values that have not been observed before. The detection logic runs every 30 minutes and looks for successful mail access events whose ClientAppId is new within the past 10 days, excluding known and trusted identifiers. False positives can arise from legitimate user behaviour such as switching mail clients, reconnecting after a period of leave, or a new ClientAppId accessing multiple mailboxes in quick succession. For triage, the rule recommends verifying indicators such as the source IP, geolocation and the user's usual connection patterns, and cross-referencing other alerts for the same user. Setup requires the Office 365 Logs Fleet integration or equivalently structured data from Filebeat.
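The following is an added illustration of the detection logic described above, not the rule's own query or Elastic code: it evaluates a 30-minute run window against a 10-day history of successful mail access events and reports ClientAppIds that appear for the first time and are not on a trusted allowlist. The event field layout, the `MailItemsAccessed` action name and the allowlist entries are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events with a simplified field layout (assumption: the
# real Office 365 audit records use a richer schema). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2023-07-18T08:00:00Z", "user": "alice", "action": "MailItemsAccessed",
     "outcome": "success", "client_app_id": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"ts": "2023-07-20T09:15:00Z", "user": "alice", "action": "MailItemsAccessed",
     "outcome": "success", "client_app_id": "aaaaaaaa-0000-0000-0000-000000000001"},
    # never seen in the prior 10 days and not trusted: should alert
    {"ts": "2023-07-21T11:50:00Z", "user": "bob", "action": "MailItemsAccessed",
     "outcome": "success", "client_app_id": "bbbbbbbb-0000-0000-0000-000000000002"},
    # new but on the trusted allowlist: suppressed
    {"ts": "2023-07-21T11:55:00Z", "user": "carol", "action": "MailItemsAccessed",
     "outcome": "success", "client_app_id": "cccccccc-0000-0000-0000-000000000003"},
    # new but the access failed: the rule only considers successful access
    {"ts": "2023-07-21T11:57:00Z", "user": "bob", "action": "MailItemsAccessed",
     "outcome": "failure", "client_app_id": "dddddddd-0000-0000-0000-000000000004"},
]
# Placeholder allowlist (constructed); the real rule keeps its own exclusions.
TRUSTED_CLIENT_APP_IDS = frozenset({"cccccccc-0000-0000-0000-000000000003"})
NOW = datetime(2023, 7, 21, 12, 0, tzinfo=timezone.utc)  # simulated rule run time


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_client_app_ids(events, now, run_window=timedelta(minutes=30),
                       history=timedelta(days=10), trusted=TRUSTED_CLIENT_APP_IDS):
    """Return (user, client_app_id) pairs from the current run window whose
    ClientAppId was absent from the preceding history window and is not trusted."""
    run_start, hist_start = now - run_window, now - history
    baseline, candidates = set(), []
    for ev in events:
        if ev["action"] != "MailItemsAccessed" or ev["outcome"] != "success":
            continue  # the rule keys only on successful mail access events
        t = _parse(ev["ts"])
        if hist_start <= t < run_start:
            baseline.add(ev["client_app_id"])  # seen before this run: not new
        elif run_start <= t <= now:
            candidates.append(ev)
    hits, reported = [], set()
    for ev in candidates:
        cid = ev["client_app_id"]
        if cid not in baseline and cid not in trusted and cid not in reported:
            reported.add(cid)  # one alert per new ClientAppId per run
            hits.append((ev["user"], cid))
    return hits


def run_example():
    return new_client_app_ids(SAMPLE_EVENTS, NOW)
```

Passing `trusted=frozenset()` shows how the allowlist changes the outcome: without it, carol's trusted client is reported as new as well.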
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1078
Created: 2023-07-18