Activity from Suspicious IP Addresses

Sigma Rules

Summary
This detection rule identifies user activity originating from IP addresses that Microsoft Threat Intelligence has flagged as risky, as reported by Microsoft Cloud App Security. It relies on that anomaly detection to capture cases where a user successfully interacts with a service from a known malicious IP address, such as one associated with Command & Control (C&C) infrastructure for botnets. Such activity can indicate a compromised account and warrants prompt investigation and remediation to prevent further compromise. The rule works by monitoring events from the Security Compliance Center and is intended to surface potential account takeover attacks early. Because it operates in a cloud environment and depends on Microsoft's threat intelligence data, it is most relevant to organizations using Microsoft 365 services that want to strengthen their posture against sophisticated threats.
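As an added example, not code from this page or from the Sigma project, the following Python applies the selection the summary describes to constructed log records. The field names `eventSource`, `eventName` and `status` are assumptions modelled on the Sigma m365 logsource convention, and the sample records are constructed, not real telemetry.

```python
# Constructed sample of Office 365 audit-style records (field names are an
# assumption based on the Sigma m365 logsource convention, not the page's data).
SAMPLE_EVENTS = [
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Activity from suspicious IP addresses",
     "status": "Success", "userId": "alice@example.com", "clientIp": "203.0.113.10"},
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Activity from suspicious IP addresses",
     "status": "Failure", "userId": "bob@example.com", "clientIp": "203.0.113.11"},
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Impossible travel activity",
     "status": "Success", "userId": "carol@example.com", "clientIp": "198.51.100.7"},
    {"eventSource": "Exchange",
     "eventName": "Activity from suspicious IP addresses",
     "status": "Success", "userId": "dave@example.com", "clientIp": "203.0.113.12"},
]

# The selection the summary describes: an MCAS alert reported through the
# Security Compliance Center for a successful action from a risky IP.
SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Activity from suspicious IP addresses",
    "status": "success",
}


def matches_selection(event, selection=SELECTION):
    """All selection fields must match (Sigma AND semantics).

    Sigma string matching is case-insensitive by default, so the comparison
    lowercases both sides; a missing field never matches.
    """
    for field, expected in selection.items():
        value = event.get(field)
        if value is None or str(value).lower() != expected.lower():
            return False
    return True


def find_alerts(events):
    """Return the records that would fire this rule, for triage."""
    return [e for e in events if matches_selection(e)]


def affected_accounts(events):
    """(user, source IP) pairs to investigate for possible account takeover."""
    return {(e["userId"], e["clientIp"]) for e in find_alerts(events)}


if __name__ == "__main__":
    for user, ip in sorted(affected_accounts(SAMPLE_EVENTS)):
        print(f"investigate {user} (activity from {ip})")
```

Only the first record fires: the failed attempt and the other alert types are excluded, which is why a matched event deserves a prompt account review rather than being dismissed as noise.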
Categories
  • Cloud
  • Web
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2021-08-23