
Summary
This detection rule identifies suspicious sign-ins to the Microsoft Graph API on behalf of an authenticated user from multiple distinct IP addresses, a pattern that suggests misuse of OAuth refresh tokens. The rule specifically examines sign-ins by the Microsoft Authentication Broker or Visual Studio Code, common applications that may be abused through phishing to gain unauthorized access. Looking at activity within the last hour, the rule filters Office 365 records for successful sign-in actions, then focuses on the unique source IP addresses per user and on the specific applications known for OAuth interactions. Investigation steps include examining the user's identity, analyzing the geographical sources of the IP addresses, checking for device registration events, and identifying any further sign-ins from the involved IPs. False positives can be reduced by accounting for user roles that legitimately exhibit similar behavior. Recommended responses include revoking the user's refresh tokens if the access is unauthorized and implementing stricter access policies to prevent recurrence.
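The following is an added illustration of the detection logic described above, not the rule's own query: it runs the same filter (successful Office 365 sign-ins to Microsoft Graph by the Microsoft Authentication Broker or Visual Studio Code within the last hour, grouped by user and counted by distinct source IP) over a handful of constructed audit-style events. The event field names, the matching on application display name rather than application ID, and the threshold of two distinct IP addresses are assumptions made for this example.

```python
"""
Added example (not the detection rule's own code): a small Python version of
the multi-IP Microsoft Graph sign-in check, run over constructed sample events.
Field names and the distinct-IP threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Client applications named in the rule summary. Matched on display name here;
# assumption: a production rule would more likely match on application IDs.
WATCHED_APPS = {"Microsoft Authentication Broker", "Visual Studio Code"}
TARGET_RESOURCE = "Microsoft Graph"
WINDOW = timedelta(hours=1)
MIN_DISTINCT_IPS = 2  # assumed threshold for "multiple distinct IP addresses"

# Constructed sample events (not real data). The shape loosely follows Office 365
# UserLoggedIn audit records: time, user, client app, target resource, source IP.
SAMPLE_EVENTS = [
    {"time": "2025-05-01T10:00:00Z", "user": "alice@example.com",
     "app": "Microsoft Authentication Broker", "resource": "Microsoft Graph",
     "ip": "203.0.113.10", "result": "Success"},
    {"time": "2025-05-01T10:20:00Z", "user": "alice@example.com",
     "app": "Microsoft Authentication Broker", "resource": "Microsoft Graph",
     "ip": "198.51.100.7", "result": "Success"},          # second IP: suspicious
    {"time": "2025-05-01T10:30:00Z", "user": "bob@example.com",
     "app": "Visual Studio Code", "resource": "Microsoft Graph",
     "ip": "192.0.2.5", "result": "Success"},
    {"time": "2025-05-01T10:45:00Z", "user": "bob@example.com",
     "app": "Visual Studio Code", "resource": "Microsoft Graph",
     "ip": "192.0.2.5", "result": "Success"},            # same IP: not flagged
    {"time": "2025-05-01T10:50:00Z", "user": "carol@example.com",
     "app": "Outlook", "resource": "Microsoft Graph",
     "ip": "203.0.113.44", "result": "Success"},          # app not watched
    {"time": "2025-05-01T10:55:00Z", "user": "carol@example.com",
     "app": "Outlook", "resource": "Microsoft Graph",
     "ip": "198.51.100.99", "result": "Success"},
    {"time": "2025-05-01T07:00:00Z", "user": "dave@example.com",
     "app": "Visual Studio Code", "resource": "Microsoft Graph",
     "ip": "203.0.113.1", "result": "Success"},           # outside the 1h window
    {"time": "2025-05-01T10:58:00Z", "user": "dave@example.com",
     "app": "Visual Studio Code", "resource": "Microsoft Graph",
     "ip": "198.51.100.2", "result": "Failure"},          # failed sign-in ignored
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_multi_ip_graph_signins(events, now, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Return {user: sorted distinct IPs} for every user with successful sign-ins
    to Microsoft Graph via a watched app from at least min_ips distinct source
    IP addresses inside the look-back window ending at `now`."""
    cutoff = now - window
    ips_by_user = defaultdict(set)
    for ev in events:
        if ev["result"] != "Success":                      # successful logins only
            continue
        if ev["app"] not in WATCHED_APPS or ev["resource"] != TARGET_RESOURCE:
            continue                                       # only the watched apps
        if _parse(ev["time"]) < cutoff:                    # only the last hour
            continue
        ips_by_user[ev["user"]].add(ev["ip"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    now = _parse("2025-05-01T11:00:00Z")
    for user, ips in find_multi_ip_graph_signins(SAMPLE_EVENTS, now).items():
        print(f"ALERT {user}: Microsoft Graph sign-ins from {len(ips)} IPs {ips}")
```

On the sample data only alice is flagged: bob's two sign-ins share one IP, carol's come from an application the rule does not watch, and dave's events fall outside the window or were not successful. The per-user distinct-IP set is the core of the rule; the investigation steps in the summary (geolocating those IPs and checking for device registration events) start from exactly this list.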
Categories
- Cloud
- Identity Management
- Endpoint
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1550
- T1550.001
Created: 2025-05-01