
Azure VS Code OAuth Phishing

Panther Rules

Summary
The Azure VS Code OAuth Phishing rule identifies OAuth authorization flows initiated by Visual Studio Code that obtain tokens for Microsoft Graph. Developers use these flows legitimately every day; attackers, however, abuse the trusted VS Code client ID in phishing campaigns, because a token issued to that first-party client looks routine and grants broad Graph access. The rule monitors Azure Audit sign-in logs for VS Code sign-ins that match known phishing patterns, examining characteristics of each OAuth request, such as the caller's IP address and user agent, to separate legitimate from potentially malicious use. Concretely, it queries Azure sign-in logs for VS Code OAuth events, checks caller IPs against known VPN services and the user's usual geographic locations, and reviews other OAuth consent events for abnormal patterns. Severity is medium: a successful phish compromises the user's account and exposes the data reachable through Microsoft Graph.
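To make the detection logic concrete, here is an added Panther-style rule (not the rule's own code) that flags successful VS Code token grants for Microsoft Graph from IPs outside a trusted range, run over constructed Azure sign-in events. The `properties.*` field paths, the VS Code client ID, and the trusted ranges are assumptions to confirm against your tenant's Azure.Audit schema and network inventory.

```python
from ipaddress import ip_address, ip_network

# Assumed: the public client ID that Visual Studio Code uses for Entra sign-in.
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
# Constructed allow-list standing in for known corporate / VPN egress ranges.
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def is_trusted_ip(ip):
    """True when the caller IP falls inside a trusted egress range."""
    try:
        addr = ip_address(ip)
    except ValueError:  # missing or malformed IP is never trusted
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def rule(event):
    """Panther rule entry point; plain dicts stand in for Panther's event object."""
    props = event.get("properties", {})
    if props.get("appId") != VSCODE_CLIENT_ID:
        return False
    if props.get("resourceDisplayName") != "Microsoft Graph":
        return False
    # Only successful token grants matter; errorCode 0 is success in sign-in logs.
    if props.get("status", {}).get("errorCode", 0) != 0:
        return False
    # A Graph token issued to the VS Code client from an untrusted source IP
    # is the pattern the rule escalates for analyst review.
    return not is_trusted_ip(props.get("ipAddress", ""))


def title(event):
    props = event.get("properties", {})
    user = props.get("userPrincipalName", "unknown")
    return f"VS Code OAuth sign-in to Microsoft Graph for {user} from {props.get('ipAddress', 'unknown')}"


# Constructed sample events: trusted IP, untrusted IP, and a different client ID.
SAMPLE_EVENTS = [
    {"properties": {"appId": VSCODE_CLIENT_ID, "resourceDisplayName": "Microsoft Graph",
                    "ipAddress": "203.0.113.10", "userPrincipalName": "dev@example.com",
                    "status": {"errorCode": 0}}},
    {"properties": {"appId": VSCODE_CLIENT_ID, "resourceDisplayName": "Microsoft Graph",
                    "ipAddress": "192.0.2.55", "userPrincipalName": "dev@example.com",
                    "status": {"errorCode": 0}}},
    {"properties": {"appId": "00000000-0000-0000-0000-000000000000",
                    "resourceDisplayName": "Microsoft Graph", "ipAddress": "192.0.2.55",
                    "status": {"errorCode": 0}}},
]


def run_samples():
    """Evaluate the rule over the constructed events; only the second one fires."""
    return [rule(e) for e in SAMPLE_EVENTS]
```

In a real deployment the trusted ranges would come from a lookup table, and a geo or VPN enrichment on `ipAddress` would replace the static list.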
Categories
  • Cloud
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1528
Created: 2026-01-31