O365 User Consent Blocked for Risky Application

Splunk Security Content

Summary
This detection rule identifies events in which Office 365 blocks a user's attempt to grant consent to an application classified as risky or potentially malicious. Using O365 audit logs, the rule looks for failed user consent actions whose failure was caused by a system-driven block rather than by the user. Monitoring these events helps detect early-stage threats: a blocked consent attempt can indicate that users are being targeted, or that a malicious application is attempting to gain access to organizational data. If the application is confirmed as malicious, the block shows O365's security controls working as intended to prevent unauthorized access. Because the rule gives visibility into user behavior and application interactions, every blocked consent attempt should be investigated promptly to protect the organization's data.
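As an added illustration of the detection logic described above (not the Splunk Security Content search itself), the following Python filters constructed O365 audit records for consent operations that failed because the platform blocked a risky application. The record layout follows the Office 365 Management Activity schema; the exact failure-reason wording, the `additionalDetails` property name and all sample values are assumptions for illustration.

```python
import json

# Constructed sample audit records (not real data). Field names follow the
# O365 Management Activity schema; the reason text is an assumed example.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-11-14T09:12:03", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "ResultStatus": "Failure",
     "UserId": "alice@example.com", "ObjectId": "MailSync Helper",
     "ExtendedProperties": [{"Name": "additionalDetails",
                             "Value": json.dumps({"Reason": "Consent blocked: application flagged as risky"})}]},
    {"CreationTime": "2024-11-14T09:15:40", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "ResultStatus": "Success",
     "UserId": "bob@example.com", "ObjectId": "Approved LOB App",
     "ExtendedProperties": []},
    {"CreationTime": "2024-11-14T09:20:11", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "ResultStatus": "Failure",
     "UserId": "carol@example.com", "ObjectId": "Calendar Widget",
     "ExtendedProperties": [{"Name": "additionalDetails",
                             "Value": json.dumps({"Reason": "User cancelled consent"})}]},
    {"CreationTime": "2024-11-14T09:31:59", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal.", "ResultStatus": "Failure",
     "UserId": "dave@example.com", "ObjectId": "Some App",
     "ExtendedProperties": []},
]


def failure_reason(record):
    """Collect the reason text from ExtendedProperties (assumed layout)."""
    reasons = []
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") != "additionalDetails":
            continue
        try:
            reasons.append(str(json.loads(prop.get("Value", "{}")).get("Reason", "")))
        except ValueError:
            reasons.append(prop.get("Value", ""))  # keep non-JSON values verbatim
    return " ".join(reasons)


def is_blocked_risky_consent(record):
    """True only for a consent attempt that failed because O365 blocked a risky app."""
    if record.get("Workload") != "AzureActiveDirectory":
        return False
    if record.get("Operation") != "Consent to application.":
        return False
    if record.get("ResultStatus") != "Failure":
        return False
    reason = failure_reason(record).lower()
    return "block" in reason and "risky" in reason  # system-driven block, not user cancel


def find_blocked_consents(records):
    """Return (time, user, app, reason) for each record the rule would flag."""
    return [(r["CreationTime"], r["UserId"], r["ObjectId"], failure_reason(r))
            for r in records if is_blocked_risky_consent(r)]
```

Each flagged tuple names the user and application, which is the pivot an analyst needs to check whether the targeted user received a phishing lure or the application has been seen elsewhere in the tenant.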
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Pod
ATT&CK Techniques
  • T1528
Created: 2024-11-14