TeamFiltration User-Agents Detected

Elastic Detection Rules

Summary
This detection rule targets potential user enumeration or password spraying performed with the TeamFiltration tool against Microsoft Entra ID and Microsoft 365 environments. TeamFiltration is known to carry out these attacks with specific user-agent strings hardcoded in its implementation, so the rule monitors Azure and Microsoft 365 logs and inspects the user-agent field of each event to flag matching activity. Potential false positives include authorized security assessments or administrative tasks in which TeamFiltration is used legitimately. When a hit is confirmed as malicious, the rule's guidance outlines investigative steps, including reviewing API logs, examining the affected user's behavior, and determining whether the sign-in attempts are legitimate. The rule maps its coverage to MITRE ATT&CK techniques to give a structured approach to threat detection and response.
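The detection logic the summary describes, as an added example that is not the Elastic rule itself: it matches the user-agent field of sign-in and audit events against an indicator list and then groups hits per source IP, so that one source touching many accounts (the enumeration or spraying pattern) stands out from a single authorized test run. The indicator strings, the dataset names (`azure.signinlogs`, `azure.auditlogs`, `o365.audit`) and the log events are constructed placeholders; the real rule matches the user-agent strings hardcoded in TeamFiltration, which this page does not reproduce.

```python
"""Flag Entra ID / Microsoft 365 events whose user-agent matches TeamFiltration
indicators, then summarize hits per source IP to expose spraying or enumeration."""
from collections import defaultdict

# Placeholder indicators (constructed for this example). The Elastic rule matches
# the user-agent strings hardcoded in TeamFiltration; those are not listed on this
# page, so replace these with the indicators from the rule's own query.
TEAMFILTRATION_USER_AGENTS = (
    "TeamFiltration-Placeholder-UA/1.0",
    "TeamFiltration-Placeholder-UA/2.0",
)

# Assumed dataset names for the Azure and Microsoft 365 logs the rule monitors.
MONITORED_DATASETS = {"azure.signinlogs", "azure.auditlogs", "o365.audit"}


def is_teamfiltration_user_agent(user_agent: str) -> bool:
    """Exact, case-insensitive match against the indicator list."""
    if not user_agent:
        return False
    ua = user_agent.strip().lower()
    return any(ua == indicator.lower() for indicator in TEAMFILTRATION_USER_AGENTS)


def match_events(events):
    """Return events from monitored datasets whose user-agent is an indicator."""
    return [
        e for e in events
        if e.get("dataset") in MONITORED_DATASETS
        and is_teamfiltration_user_agent(e.get("user_agent", ""))
    ]


def summarize_by_source(hits):
    """Per source IP: distinct target accounts plus failed/successful attempts.
    Many distinct accounts from one IP is the enumeration or spraying signature;
    a single account with successes is more consistent with an authorized test."""
    summary = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for e in hits:
        entry = summary[e["source_ip"]]
        entry["users"].add(e["user"])
        if e.get("outcome") == "failure":
            entry["failures"] += 1
        else:
            entry["successes"] += 1
    return {
        ip: {
            "distinct_users": len(v["users"]),
            "failures": v["failures"],
            "successes": v["successes"],
        }
        for ip, v in summary.items()
    }


# Constructed sample events; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"dataset": "azure.signinlogs", "user": "alice@example.com", "source_ip": "203.0.113.10",
     "user_agent": "TeamFiltration-Placeholder-UA/1.0", "outcome": "failure"},
    {"dataset": "azure.signinlogs", "user": "bob@example.com", "source_ip": "203.0.113.10",
     "user_agent": "teamfiltration-placeholder-ua/1.0", "outcome": "failure"},
    {"dataset": "azure.signinlogs", "user": "carol@example.com", "source_ip": "203.0.113.10",
     "user_agent": "TeamFiltration-Placeholder-UA/1.0", "outcome": "success"},
    {"dataset": "o365.audit", "user": "dave@example.com", "source_ip": "198.51.100.7",
     "user_agent": "TeamFiltration-Placeholder-UA/2.0", "outcome": "success"},
    {"dataset": "azure.signinlogs", "user": "erin@example.com", "source_ip": "192.0.2.5",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "outcome": "success"},
    # Not a monitored dataset, so ignored even though the user-agent matches.
    {"dataset": "system.syslog", "user": "frank@example.com", "source_ip": "192.0.2.9",
     "user_agent": "TeamFiltration-Placeholder-UA/1.0", "outcome": "failure"},
]

if __name__ == "__main__":
    for ip, stats in summarize_by_source(match_events(SAMPLE_EVENTS)).items():
        print(ip, stats)
```

The per-source summary is the triage aid: 203.0.113.10 hits three distinct accounts with two failures, which fits the spraying behavior the rule is after, while 198.51.100.7 shows one account and one success, the shape an authorized assessment or admin task might leave and worth checking against change records before escalating.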
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1069
  • T1069.003
  • T1082
  • T1087
  • T1087.004
  • T1201
  • T1526
  • T1580
  • T1673
  • T1110
  • T1110.003
Created: 2025-07-02