
Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

Elastic Detection Rules

Summary
This detection rule identifies non-interactive authentication attempts made by user principals to SharePoint Online through the Microsoft Authentication Broker. Such attempts use a refresh token or a Primary Refresh Token (PRT) rather than an interactive sign-in. The activity matters because it is associated with OAuth phishing and token replay, both of which can lead to unauthorized access. The rule leverages Azure Sign-In logs and flags the first occurrence of this activity for a user principal over the previous fourteen days, so anomalies in SharePoint Online access surface promptly. Investigation should cover the user principal, the application used, the resource accessed, and the nature of the sign-in (in particular whether it was non-interactive), giving a complete picture of any possible unauthorized action. Because legitimate automated access can produce false positives, thorough investigation and monitoring of known legitimate access patterns are recommended to mitigate risk.
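As an added example (not Elastic's own rule query), the first-occurrence logic the summary describes, run in Python over constructed Azure sign-in events. The flattened field names follow the Elastic Azure integration's signinlogs schema and are an assumption, as are the sample users and the optional allowlist for known legitimate automated access.

```python
"""Added example, not Elastic's rule code: flag the first non-interactive
Authentication Broker sign-in to SharePoint Online per user in a 14-day window."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are an assumption
# based on the Elastic Azure signinlogs schema, flattened for readability.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-04-10T08:00:00Z", "user_principal_name": "alice@example.com",
     "app_display_name": "Microsoft Authentication Broker",
     "resource_display_name": "Office 365 SharePoint Online", "is_interactive": False},
    {"@timestamp": "2025-04-20T09:00:00Z", "user_principal_name": "alice@example.com",
     "app_display_name": "Microsoft Authentication Broker",
     "resource_display_name": "Office 365 SharePoint Online", "is_interactive": False},
    {"@timestamp": "2025-05-01T10:00:00Z", "user_principal_name": "bob@example.com",
     "app_display_name": "Microsoft Authentication Broker",
     "resource_display_name": "Office 365 SharePoint Online", "is_interactive": True},
    {"@timestamp": "2025-05-02T11:00:00Z", "user_principal_name": "bob@example.com",
     "app_display_name": "Microsoft Authentication Broker",
     "resource_display_name": "Office 365 SharePoint Online", "is_interactive": False},
    {"@timestamp": "2025-05-05T12:00:00Z", "user_principal_name": "alice@example.com",
     "app_display_name": "Microsoft Authentication Broker",
     "resource_display_name": "Office 365 SharePoint Online", "is_interactive": False},
]

def in_scope(ev):
    """Non-interactive sign-in via the broker to a SharePoint Online resource."""
    return (ev["app_display_name"] == "Microsoft Authentication Broker"
            and "SharePoint" in ev["resource_display_name"]
            and ev["is_interactive"] is False)

def first_occurrences(events, window=timedelta(days=14), allowlist=frozenset()):
    """Return (user, timestamp) for each in-scope event that is the first one
    for that user within `window`. Users in `allowlist` (known legitimate
    automated access) are skipped to reduce false positives."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not in_scope(ev) or ev["user_principal_name"] in allowlist:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        user = ev["user_principal_name"]
        prev = last_seen.get(user)
        if prev is None or ts - prev > window:   # nothing in-scope in the window
            alerts.append((user, ev["@timestamp"]))
        last_seen[user] = ts                     # any in-scope event resets the window
    return alerts

if __name__ == "__main__":
    for user, when in first_occurrences(SAMPLE_EVENTS):
        print(f"ALERT {when} first broker SharePoint sign-in in 14d for {user}")
```

The interactive event for bob is ignored, alice's second sign-in falls inside the window and is suppressed, and her third, fifteen days after the previous in-scope one, fires again.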
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1213
  • T1213.002
Created: 2025-05-01