
Summary
This rule detects concurrent sign-in events for the same user from multiple sources in Microsoft Entra ID (formerly Azure AD), focusing on sign-ins with characteristics commonly associated with device code and OAuth phishing. Several successful sign-ins for one account from different IP addresses within a short window may indicate that an attacker has phished a refresh token (RT) and is using it alongside the legitimate user. The rule uses ES|QL over the Azure sign-in logs to find successful sign-ins for the same user from different IP addresses, particularly where the sign-in used device code authentication without MFA or an OAuth application such as Visual Studio Code. When the rule fires, review the sign-in logs for context, check the account for other anomalies, revoke the user's sessions to invalidate any stolen tokens, apply stronger controls (for example, requiring MFA for the account), and investigate further.
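The following is an added illustration of the detection logic described above, written in Python over constructed sample sign-in events; it is not the rule's own ES|QL query. The field names (user principal name, source IP, result, authentication protocol, authentication requirement, application display name) are assumed to mirror the Azure sign-in log schema and should be checked against your own index mapping. It groups suspicious successful sign-ins per user and reports users seen from two or more IP addresses inside a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Keys are shortened stand-ins for the Azure
# sign-in log fields (assumption: user_principal_name, source.ip,
# result_signature, authentication_protocol, authentication_requirement,
# app_display_name in the Elastic azure.signinlogs schema).
SAMPLE_EVENTS = [
    # alice: device code without MFA, then a Visual Studio Code OAuth sign-in
    # from a second IP five minutes later -> one identity used concurrently
    {"@timestamp": "2025-04-28T10:00:00Z", "user": "alice@example.com",
     "source_ip": "203.0.113.10", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    {"@timestamp": "2025-04-28T10:05:00Z", "user": "alice@example.com",
     "source_ip": "198.51.100.7", "result": "SUCCESS",
     "auth_protocol": "oAuth2", "auth_requirement": "singleFactorAuthentication",
     "app": "Visual Studio Code"},
    # a failed attempt from a third IP must not count
    {"@timestamp": "2025-04-28T10:07:00Z", "user": "alice@example.com",
     "source_ip": "192.0.2.44", "result": "FAILURE",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    # bob: two device code sign-ins, but from the same IP -> benign
    {"@timestamp": "2025-04-28T10:00:00Z", "user": "bob@example.com",
     "source_ip": "203.0.113.55", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    {"@timestamp": "2025-04-28T10:10:00Z", "user": "bob@example.com",
     "source_ip": "203.0.113.55", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    # carol: device code from two IPs, but with MFA -> not in scope
    {"@timestamp": "2025-04-28T10:00:00Z", "user": "carol@example.com",
     "source_ip": "203.0.113.80", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "multiFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    {"@timestamp": "2025-04-28T10:02:00Z", "user": "carol@example.com",
     "source_ip": "198.51.100.80", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "multiFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    # dave: two suspicious sign-ins from two IPs, but three hours apart
    {"@timestamp": "2025-04-28T09:00:00Z", "user": "dave@example.com",
     "source_ip": "203.0.113.90", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
    {"@timestamp": "2025-04-28T12:00:00Z", "user": "dave@example.com",
     "source_ip": "198.51.100.90", "result": "SUCCESS",
     "auth_protocol": "deviceCode", "auth_requirement": "singleFactorAuthentication",
     "app": "Microsoft Azure CLI"},
]

# OAuth clients the rule treats as unusual; Visual Studio Code is the one
# named on the page, extend to taste.
SUSPICIOUS_APPS = {"Visual Studio Code"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_signin(event):
    """Successful sign-in that either used device code auth without MFA or
    came through an OAuth client listed in SUSPICIOUS_APPS."""
    if event["result"] != "SUCCESS":
        return False
    device_code_no_mfa = (event["auth_protocol"] == "deviceCode"
                          and event["auth_requirement"] != "multiFactorAuthentication")
    return device_code_no_mfa or event["app"] in SUSPICIOUS_APPS


def detect_concurrent_signins(events, window=timedelta(minutes=30), min_ips=2):
    """Return {user: sorted distinct IPs} for users with at least min_ips
    distinct source IPs among suspicious sign-ins inside any `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_suspicious_signin(ev):
            by_user[ev["user"]].append((parse_ts(ev["@timestamp"]), ev["source_ip"]))
    findings = {}
    for user, signins in by_user.items():
        signins.sort()
        # Slide a window starting at each sign-in and collect the IPs in it.
        for i, (start, _) in enumerate(signins):
            ips = {ip for ts, ip in signins[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                findings.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in findings.items()}


if __name__ == "__main__":
    for user, ips in detect_concurrent_signins(SAMPLE_EVENTS).items():
        print(f"{user}: concurrent suspicious sign-ins from {', '.join(ips)}")
```

Only alice is reported: bob reuses one IP, carol's sign-ins satisfied MFA, and dave's two IPs fall outside the 30-minute window. Tune `window` and `min_ips` to your environment's baseline, and keep the MFA exclusion in mind as a caveat: a phished refresh token can carry an MFA claim if the victim completed MFA during the phishing flow, so MFA-satisfied sign-ins are lower priority, not automatically clean.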
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- User Account
- Application Log
- Cloud Service
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1528
Created: 2025-04-28