
Microsoft 365 Portal Login from Rare Location

Elastic Detection Rules

Summary
This detection rule identifies successful logins to the Microsoft 365 portal from locations that are uncommon for the specific user. A rare location is one that does not match the access pattern established for that account: a login counts as rare when the user has not previously been seen signing in from that location. One motivation for detecting such logins is that attackers who hold valid credentials often sign in through VPNs or other infrastructure far from the user's usual locations, so the login succeeds but the location does not fit.

The detection uses Microsoft 365 audit log data and matches successful login events against a defined set of conditions: the login outcome must be successful, the UserId must not be marked as unavailable, and the logged-in target must be of a type the rule considers. It is intended to surface both compromised legitimate accounts and other unauthorized access.

False positives are expected, particularly for users who travel or use VPNs legitimately, so login histories should be reviewed and an expected-location baseline established for each user before acting on an alert. Recommended investigation steps include confirming the unusual login with the user, checking the source IP address, and reviewing the account's activity for signs of unauthorized actions. If the threat is confirmed, the rule recommends rapid response steps such as isolating the account and resetting its password to secure the environment.
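The following is an added example, not Elastic's rule code, that re-implements the logic described above in Python and runs it over constructed sample audit events: filter to successful logins with a usable UserId and a target type of interest, build a per-user baseline of countries seen during a warm-up period, then flag the first login from any country the user has not been seen in before. The field names (Operation, ResultStatus, UserId, ClientIP, CreationTime, Target[].Type), the target-type set and the IP-to-country table are assumptions made for the example; a real pipeline would take the fields from its own audit export and resolve countries with a GeoIP database.

```python
"""Toy 'login from rare location' check over Microsoft 365 audit events.

Added example, not the Elastic rule itself. Field names follow the shape
of the M365 unified audit log but are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed set of Target.Type values the rule is interested in.
TARGET_TYPES_OF_INTEREST = {0, 2, 3, 5, 6, 10}

# Constructed IP-to-country lookup (documentation ranges only). A real
# pipeline would use a GeoIP database instead of a static table.
GEO = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "192.0.2.5": "US",
    "198.51.100.7": "DE",
    "198.51.100.200": "BR",
}


def ev(ts, user, ip, status="Succeeded", target_type=0):
    """Build a constructed audit event in the assumed schema."""
    return {
        "CreationTime": ts,
        "Operation": "UserLoggedIn",
        "ResultStatus": status,
        "UserId": user,
        "ClientIP": ip,
        "Target": [{"Type": target_type, "ID": "Office 365 Portal"}],
    }


# Constructed sample: a warm-up month of normal logins, then September.
SAMPLE_EVENTS = [
    ev("2024-08-01T08:00:00Z", "alice@example.com", "203.0.113.10"),
    ev("2024-08-10T09:30:00Z", "alice@example.com", "203.0.113.11"),
    ev("2024-08-05T07:00:00Z", "bob@example.com", "192.0.2.5"),
    ev("2024-09-02T10:00:00Z", "alice@example.com", "203.0.113.10"),   # known
    ev("2024-09-03T03:15:00Z", "alice@example.com", "198.51.100.7"),   # rare: DE
    ev("2024-09-03T04:00:00Z", "bob@example.com", "198.51.100.200", status="Failed"),
    ev("2024-09-03T05:00:00Z", "Not Available", "198.51.100.200"),     # no UserId
    ev("2024-09-04T06:00:00Z", "bob@example.com", "192.0.2.5"),        # known
    ev("2024-09-04T07:00:00Z", "bob@example.com", "198.51.100.200", target_type=4),
    ev("2024-09-04T09:00:00Z", "carol@example.com", "198.51.100.200"), # new user
    ev("2024-09-05T08:00:00Z", "alice@example.com", "198.51.100.7"),   # DE again
]


def parse_ts(s):
    """Parse the audit log's UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_candidate_login(event):
    """Apply the rule's static filters: successful portal login, usable
    UserId, and at least one target of a type we care about."""
    return (
        event.get("Operation") == "UserLoggedIn"
        and event.get("ResultStatus") == "Succeeded"
        and event.get("UserId", "Not Available") != "Not Available"
        and any(t.get("Type") in TARGET_TYPES_OF_INTEREST
                for t in event.get("Target", []))
    )


def rare_location_logins(events, baseline_end, geo=GEO):
    """Return the first login of each user from a country not seen for
    that user before. Events before `baseline_end` only populate the
    per-user baseline and never alert; later events alert on the first
    appearance of a new (user, country) pair and then add it to the
    baseline, so a repeat from the same new country stays quiet."""
    cutoff = parse_ts(baseline_end)
    seen = defaultdict(set)   # user -> set of countries observed
    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["CreationTime"])):
        if not is_candidate_login(e):
            continue
        user = e["UserId"]
        country = geo.get(e["ClientIP"], "UNKNOWN")
        ts = parse_ts(e["CreationTime"])
        if ts >= cutoff and country not in seen[user]:
            alerts.append({"user": user, "country": country,
                           "ip": e["ClientIP"], "time": e["CreationTime"]})
        seen[user].add(country)
    return alerts


if __name__ == "__main__":
    for a in rare_location_logins(SAMPLE_EVENTS, "2024-09-01T00:00:00Z"):
        print(f"{a['time']} {a['user']} logged in from {a['country']} ({a['ip']})")
```

Two things worth noticing in the output: only the first DE login for alice alerts, because the rule is about a location being new for the user rather than about every login from it, and carol's first ever login alerts even though nothing is wrong, because a brand-new account has no baseline at all. That second case is the main source of noise in practice and is why the page stresses establishing expected-location baselines before treating a hit as compromise.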
Categories
  • Cloud
Data Sources
  • User Account
  • Web Credential
  • Cloud Service
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2024-09-04