
O365 OAuth App Mailbox Access via EWS

Splunk Security Content

Summary
This detection rule monitors access to Office 365 mailboxes over Exchange Web Services (EWS) by applications that authenticate with OAuth. It selects events whose ClientInfoString indicates EWS usage and aggregates access metrics, namely the number of accesses, the first and last timestamps, and the source IP addresses, grouped by user account, application ID (AppId), and operation. This monitoring is important for detecting misuse of OAuth apps, which may lead to unauthorized mailbox access or data exfiltration. The search runs over Office 365 Management Activity logs and requires the Splunk Microsoft Office 365 Add-on to ingest those events. When it fires, further review is advised to rule out legitimate access by trusted applications.
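As an added example (not the Splunk search from Security Content itself), the following Python re-creates the aggregation the summary describes over constructed Office 365 Management Activity records. The EWS match on ClientInfoString, the non-empty AppId check used to recognise an OAuth app, and every sample value (users, IPs, placeholder AppIds) are assumptions.

```python
import json
from datetime import datetime

def make_event(t, user, ip, cis, app_id, op="MailItemsAccessed"):
    """Build a record shaped like an O365 Management Activity audit event."""
    return {"CreationTime": t, "UserId": user, "ClientIP": ip,
            "ClientInfoString": cis, "AppId": app_id, "Operation": op}

# Constructed sample log; AppIds are placeholders, not real application IDs.
EWS = "Client=WebServices;ExchangeWebServices/TestClient"  # assumed EWS marker
SAMPLE_EVENTS = [
    make_event("2024-11-14T08:00:00", "alice@example.com", "203.0.113.10", EWS, "app-id-placeholder-1"),
    make_event("2024-11-14T08:05:00", "alice@example.com", "203.0.113.11", EWS, "app-id-placeholder-1"),
    make_event("2024-11-14T08:10:00", "bob@example.com", "203.0.113.20", "Client=OWA;Action=ViaProxy", ""),  # browser, not EWS
    make_event("2024-11-14T08:15:00", "bob@example.com", "203.0.113.20", EWS, ""),  # EWS but no OAuth app
    make_event("2024-11-14T09:00:00", "carol@example.com", "198.51.100.5", EWS, "app-id-placeholder-2"),
]

def is_ews_oauth_access(event):
    """Assumed matching logic: EWS is recognised by the ClientInfoString,
    an OAuth app by a non-empty AppId on the event."""
    return "WebServices" in event.get("ClientInfoString", "") and bool(event.get("AppId"))

def aggregate_ews_access(events):
    """Group matching events by (user, AppId, Operation) and collect the
    access count, first/last timestamp and the distinct source IPs."""
    groups = {}
    for ev in events:
        if not is_ews_oauth_access(ev):
            continue
        key = (ev["UserId"], ev["AppId"], ev["Operation"])
        ts = datetime.fromisoformat(ev["CreationTime"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "src": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
        g["src"].add(ev["ClientIP"])
    return groups

def findings(events=SAMPLE_EVENTS):
    """Flatten the groups into sorted rows an analyst can triage."""
    rows = []
    for (user, app_id, op), g in sorted(aggregate_ews_access(events).items()):
        rows.append({"user": user, "AppId": app_id, "Operation": op, "count": g["count"],
                     "firstTime": g["firstTime"].isoformat(), "lastTime": g["lastTime"].isoformat(),
                     "src": sorted(g["src"])})
    return rows

if __name__ == "__main__":
    print(json.dumps(findings(), indent=2))
```

Only the two OAuth-app rows survive (alice with two source IPs, carol with one); the OWA access and the EWS access without an AppId are filtered out before aggregation.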
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Cloud Service
  • Application Log
  • User Account
ATT&CK Techniques
  • T1114
  • T1114.002
Created: 2024-11-14