Entra ID OAuth Device Code Phishing via AiTM

Elastic Detection Rules

Summary
Detects successful Microsoft Entra ID sign-ins using the OAuth device code flow where the Microsoft Authentication Broker client requests first-party Office APIs (Exchange Online, Microsoft Graph, or SharePoint) and the session is flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing campaigns (e.g., Tycoon 2FA) in which users complete a device code flow that brokers tokens for mail and collaboration services. The rule targets a specific Entra ID app (app_id) and Office API resources (resource_id) with the deviceCode authentication protocol, reducing noise from legitimate device-code usage. It enables rapid investigation of potential credential compromise or token abuse and supports containment actions for suspected AiTM activity.
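The selection logic described in the summary, reimplemented in Python as an added example (this is not the rule's own query or any Elastic code) and run over a handful of constructed sign-in events. The nested field names follow the shape of the Elastic `azure.signinlogs` integration and are an assumption; the Microsoft Authentication Broker, Azure CLI, Exchange Online, Microsoft Graph and SharePoint Online identifiers are the well-known first-party Entra ID GUIDs and are not taken from this page.

```python
"""Added example: the rule's selection conditions applied to constructed
Entra ID sign-in events. Field paths (azure.signinlogs.properties.*) and
the GUIDs below are assumptions, not content of the rule page."""

# Well-known first-party Entra ID identifiers (assumed; not from the page).
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"     # legitimate device-code user
OFFICE_RESOURCE_IDS = {
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}
PROPS = "azure.signinlogs.properties."


def field(event, path, default=None):
    """Walk a dotted path through nested dicts (ECS-style events)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when every condition the summary lists holds: successful sign-in,
    deviceCode protocol, broker client, Office API resource, interactive session."""
    return (
        field(event, "event.outcome") == "success"
        and field(event, PROPS + "authentication_protocol") == "deviceCode"
        and field(event, PROPS + "app_id") == AUTH_BROKER_APP_ID
        and field(event, PROPS + "resource_id") in OFFICE_RESOURCE_IDS
        and field(event, PROPS + "is_interactive") is True
    )


def find_suspicious_signins(events):
    """Return (user, source ip, resource name) for each event that matches."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            rid = field(ev, PROPS + "resource_id")
            hits.append((field(ev, "user.name"), field(ev, "source.ip"), OFFICE_RESOURCE_IDS[rid]))
    return hits


def make_event(user, ip, app_id, resource_id, interactive=True,
               outcome="success", protocol="deviceCode"):
    """Build a constructed sign-in event in the nested shape read above."""
    return {
        "event": {"outcome": outcome},
        "user": {"name": user},
        "source": {"ip": ip},
        "azure": {"signinlogs": {"properties": {
            "authentication_protocol": protocol,
            "app_id": app_id,
            "resource_id": resource_id,
            "is_interactive": interactive,
        }}},
    }


# Constructed sample events (TEST-NET addresses, example.com users).
SAMPLE_EVENTS = [
    # Broker -> Exchange Online, interactive, success: the AiTM pattern.
    make_event("alice@example.com", "203.0.113.10", AUTH_BROKER_APP_ID,
               "00000002-0000-0ff1-ce00-000000000000"),
    # Azure CLI -> Graph via device code: legitimate tooling, different app_id.
    make_event("ops@example.com", "192.0.2.5", AZURE_CLI_APP_ID,
               "00000003-0000-0000-c000-000000000000"),
    # Broker -> Graph but non-interactive (token refresh): excluded by the rule.
    make_event("carol@example.com", "192.0.2.9", AUTH_BROKER_APP_ID,
               "00000003-0000-0000-c000-000000000000", interactive=False),
    # Broker -> SharePoint, interactive, but the sign-in failed.
    make_event("dave@example.com", "203.0.113.44", AUTH_BROKER_APP_ID,
               "00000003-0000-0ff1-ce00-000000000000", outcome="failure"),
    # Broker -> Graph, interactive, success: second hit.
    make_event("bob@example.com", "198.51.100.7", AUTH_BROKER_APP_ID,
               "00000003-0000-0000-c000-000000000000"),
]

if __name__ == "__main__":
    for user, ip, resource in find_suspicious_signins(SAMPLE_EVENTS):
        print(f"device-code AiTM candidate: {user} from {ip} -> {resource}")
```

Only the two broker-client, interactive, successful events reach an Office resource and are reported; the Azure CLI sign-in shows why pinning `app_id` cuts noise from legitimate device-code tooling, and the non-interactive and failed events show the remaining two filters doing their work. On a real alert, the `source.ip` is the first pivot: a device code completed from an address the user has never signed in from is the AiTM signal the summary describes.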
Categories
  • Cloud
  • Identity Management
Data Sources
  • Logon Session
ATT&CK Techniques
  • T1566
  • T1566.002
  • T1078
  • T1078.004
  • T1550
  • T1550.001
Created: 2026-05-15