
Summary
This detection rule identifies potentially malicious consent grants made by users to registered applications in Microsoft Entra ID, specifically grants that target Microsoft 365 resources. Adversaries can register an application and deceive users into granting it access through phishing attacks that direct them to crafted OAuth consent links. Once consent is given, the malicious application can operate on behalf of the user and access Microsoft 365 resources such as emails and files. To limit false positives, the rule fires only on a new consent grant that has not been recorded in the last 14 days. Suspicious activity can be investigated by reviewing the associated applications, the audit logs, and the level of consent granted. If a malicious application is confirmed, the response includes revoking the consent, blocking the application, and notifying the affected users and IT staff. Recommended preventive measures include enabling an admin consent workflow and regularly auditing applications that have been granted excessive permissions.
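The "not seen in the last 14 days" logic described above, as an added example that is not the rule's own query: it replays constructed audit events (field names `time`, `activity`, `user`, `app`, `result` are assumptions, not the real Entra ID schema) and flags a successful consent grant only when that user/app pair has no successful grant within the preceding window.

```python
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on Entra ID audit log entries.
# Field names are assumptions for this example, not the real log schema.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T09:00:00", "activity": "Consent to application",
     "user": "alice@example.com", "app": "Contoso Mail Sync", "result": "success"},
    {"time": "2025-03-05T10:30:00", "activity": "Consent to application",
     "user": "alice@example.com", "app": "Contoso Mail Sync", "result": "success"},
    {"time": "2025-03-20T11:15:00", "activity": "Consent to application",
     "user": "alice@example.com", "app": "Contoso Mail Sync", "result": "success"},
    {"time": "2025-03-21T12:00:00", "activity": "Consent to application",
     "user": "bob@example.com", "app": "Free PDF Viewer", "result": "success"},
    {"time": "2025-03-21T12:05:00", "activity": "Add service principal",
     "user": "bob@example.com", "app": "Free PDF Viewer", "result": "success"},
    {"time": "2025-03-22T08:00:00", "activity": "Consent to application",
     "user": "carol@example.com", "app": "Free PDF Viewer", "result": "failure"},
]


def find_new_consent_grants(events, window_days=14):
    """Return consent grants whose user/app pair has no prior successful grant
    within the last `window_days`. Keying on (user, app) is an assumption."""
    window = timedelta(days=window_days)
    last_seen = {}   # (user, app) -> timestamp of most recent successful grant
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Only successful consent grants are relevant; other audit
        # activities and failed attempts are ignored.
        if ev["activity"] != "Consent to application" or ev["result"] != "success":
            continue
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["app"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append({"time": ev["time"], "user": ev["user"], "app": ev["app"],
                           "previous_grant": None if prev is None else prev.isoformat()})
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_new_consent_grants(SAMPLE_EVENTS):
        print(alert)
```

The second grant by alice (4 days after the first) is suppressed, while the third (15 days after the previous one) fires again, which is the behaviour that keeps repeat consents from the same user quiet without hiding a long-dormant application.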
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Cloud Service
- Process
- Network Traffic
ATT&CK Techniques
- T1566
- T1566.002
- T1528
Created: 2025-03-24