
Summary
This detection rule identifies attempts to abuse Azure Browser Single Sign-On (SSO) by monitoring loads of MicrosoftAccountTokenProvider.dll. When a Windows user authenticated via Azure Active Directory (AD) performs SSO in the browser, this DLL is loaded. An attacker can abuse this behavior to impersonate the user by acquiring OAuth 2.0 refresh tokens. The rule logs instances where this DLL is loaded, excluding loads by known benign applications such as BackgroundTaskHost.exe, Internet Explorer, Microsoft Edge, and the Visual Studio IDE. These filters refine the detection to balance the sensitivity and specificity of the alerts it generates. False positives are possible, since the rule may trigger on legitimate DLL load events; hits should be correlated with other activity before being treated as a true incident.
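The matching logic described above, as an added illustration rather than the rule's own definition: it assumes Sysmon Event ID 7 (ImageLoad) records with an `Image` field (the loading process) and an `ImageLoaded` field (the DLL path), and it assumes the benign applications named in the summary are matched on the executable names `backgroundTaskHost.exe`, `iexplore.exe`, `msedge.exe` and `devenv.exe`; the sample events are constructed.

```python
"""Azure Browser SSO detection logic over image-load events (added example).

Assumptions not taken from the page: events are Sysmon Event ID 7 records with
'Image' (loading process) and 'ImageLoaded' (DLL path) fields, and the benign
applications are identified by the executable names listed in BENIGN_IMAGES.
"""
from __future__ import annotations

TARGET_DLL = "microsoftaccounttokenprovider.dll"

# Assumed executable names for the benign applications named in the summary.
BENIGN_IMAGES = {
    "backgroundtaskhost.exe",  # BackgroundTaskHost.exe
    "iexplore.exe",            # Internet Explorer
    "msedge.exe",              # Microsoft Edge
    "devenv.exe",              # Visual Studio IDE
}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_load(event: dict) -> bool:
    """True when the token-provider DLL is loaded by a non-allowlisted process."""
    if _basename(event.get("ImageLoaded", "")) != TARGET_DLL:
        return False
    return _basename(event.get("Image", "")) not in BENIGN_IMAGES


def detect(events: list[dict]) -> list[dict]:
    """Reduce a batch of image-load events to the ones worth alerting on."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\MicrosoftAccountTokenProvider.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\backgroundTaskHost.exe",
     "ImageLoaded": r"C:\Windows\System32\MicrosoftAccountTokenProvider.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\MicrosoftAccountTokenProvider.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT: MicrosoftAccountTokenProvider.dll loaded by", hit["Image"])
```

Only the third sample event fires; the Edge and BackgroundTaskHost loads are filtered out, and the unrelated DLL load never matches.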
Categories
- Windows
- Cloud
Data Sources
- Image
Created: 2020-07-15