
Summary
This detection rule monitors Microsoft 365 users to identify instances where a user has been restricted from sending email for violating the sending limits set by the service's policies. The restriction is logged by the Security & Compliance Center when a user's email-sending behavior exceeds those limits. By reviewing the audit logs, analysts can confirm that a restriction was issued and investigate possible account compromise or misuse, consistent with the MITRE ATT&CK Initial Access tactic. Analysts can identify the restricted accounts, examine their recent email activity for suspicious patterns, and check for unauthorized access or configuration changes that may indicate compromise. False positives can arise from legitimate high email volume, so these events require careful review and potentially coordination with marketing teams. The rule also prescribes immediate response and remediation actions to mitigate the risk from compromised accounts, including disabling the account, enforcing multifactor authentication, and notifying affected users. Updates to detection capabilities are encouraged to improve responses to future threats.
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Application Log
- Script
ATT&CK Techniques
- T1078
Created: 2021-07-15